Shadow IT has been in the news thanks to the recent revelations that Hillary Clinton had set up a private email system while she was Secretary of State. Until now, the debate about shadow IT has focused primarily on the impact on IT and, more specifically, the security of enterprise networks and corporate data. But while “Emailgate” is an atypical example — most employees are simply using individual applications, not installing entire systems — it does raise the question of what consequences shadow IT has beyond IT, including its implications for information governance (IG) and eDiscovery.
What Shadow IT Means for IT
Software-as-a-Service (SaaS) has made it easy for employees, or even departments, to deploy and use applications without requiring assistance from IT. In fact, one of the oft-touted benefits of SaaS is that it reduces the burden on IT. And while there may be questions about the intentions behind Clinton’s email system (did she really go through all of that effort and expense just so she didn’t have to carry two phones?), the vast majority of shadow IT doesn’t result from nefarious motives — users simply want to use the software they need to get their jobs done. And BYOD means they are using these applications on a variety of devices, including personal laptops, smartphones, tablets, and even wearables.
According to a Frost & Sullivan survey, 80 percent of respondents admit to using non-approved SaaS applications (ironically, IT employees are bigger offenders than line-of-business employees) and 35 percent of all SaaS applications in a company are purchased and used without oversight.[1] While IT isn’t responsible for the physical infrastructure or maintaining the application, it is still responsible for ensuring the security and compliance of enterprise networks and data. The problem is that it’s sometimes easier to hack into lost or stolen consumer devices or personal cloud services than enterprise systems.
In the event of a security incident resulting from a compromised rogue application, it’s the company, not the individual employee, that suffers the damages. But IT isn’t the only stakeholder here, and network/data security isn’t the only risk.
What Shadow IT Means for IG and eDiscovery
In addition to the security issues, shadow IT can also result in the proliferation of data silos throughout the organization. From a business perspective, it can inhibit the flow of data across the organization, preventing it from reaching those who could use it to make better decisions and, at worst, potentially turning it into dark data. And from a governance perspective, it can fly under the radar of existing IG policies, procedures, and technologies, creating additional risk.
This could be a particular challenge for eDiscovery. As more and more data is used and stored in applications that IT isn’t aware of, it becomes increasingly difficult to identify and collect potentially responsive data for a matter. This decentralization of application management — and by extension, data management — creates challenges for the litigation hold process. It’s challenging enough to identify all custodians, locate all data sources, and monitor compliance with a litigation hold even when IT has complete knowledge of and control over enterprise systems. Shadow IT can make this nearly impossible.
Prohibition Isn’t the Answer
For all its risks, however, shadow IT also offers advantages. In a business climate where innovation and agility are critical to building competitive advantage, allowing users to use applications that help them do their jobs better and faster — and to do so on any device — is important. The reality is that just about everyone today is tech-savvy — they simply don’t need IT to install, configure, and maintain applications anymore. Rather than forbidding shadow IT, a much more effective strategy is to ensure that users are using it responsibly.
From Shadow IT to Enabled IT
In order to help organizations preserve agility and innovation while at the same time protecting data and minimizing corporate risk, shadow IT must be supported and allowed to come out of the shadows. This requires a shift in IT’s role from controller to enabler — to help other parts of the business choose the most effective technology for their needs. It also requires the right combination of policy, education, and technology.
Policies for overseeing and monitoring application use must strike the right balance between flexibility and control. You may want to modify or expand acceptable use policies to include the use of non-IT-delivered applications. Make sure your policies are aligned with business objectives. For example, companies with a culture of innovation and market responsiveness will need to give employees the freedom to use the tools they need, and this will require a broader SaaS and BYOD policy.
Users will need to be educated on security and governance issues so they can select and manage tools responsibly. This includes providing them with knowledge and resources to vet applications to ensure that they maintain the appropriate levels of security and compliance. You may even want to implement a process for reporting which applications are being used across the enterprise.
Finally, leverage technology to help track data for the purposes of IG and eDiscovery. A discovery repository can help. By preserving data across matters within a single repository, you can maintain a history of sources that can be useful for future matters.
[1] Frost & Sullivan, “The Hidden Truth Behind Shadow IT: Six trends impacting your security posture,” November 2013.