So far, we have talked about the occurrences and risks of shadow IT. A key conclusion was that shadow IT needs to be managed. An important prerequisite for this is knowing what shadow IT exists. The necessary collection of shadow IT can take place in different ways: tools record shadow IT automatically, employees report their shadow IT, or shadow IT is recorded through interviews.

Automatically capture shadow IT

Automated shadow IT capture is promised by multiple software vendors: cloud service monitoring tools, inventory management systems, and other technical monitoring systems are designed to capture employee activity and thus identify shadow IT. What these approaches have in common is that they hardly reveal the purpose of the shadow IT and therefore allow only limited statements about its operational relevance. In addition, these systems sometimes even complicate the collaboration between the business and the IT unit. Business employees perceive the technical inspection as supervision, so the IT unit is not seen as a partner, and a change in behavior that would reduce shadow IT is not encouraged in any way. Finally, no existing software concept covers the full range of shadow IT, so there is no purely technical tool with which the entire phenomenon can be controlled.

Business units fill out queries

The second way to collect shadow IT, which is used in some companies, is to send business units a query asking which applications they are running and what relevance should be assigned to them. This approach is easy to implement, but it has some significant weaknesses: the resulting lists are incomplete, the risks from shadow IT are systematically underestimated, and behavioral change is not generated here either. In many companies, the lists are incomplete because departments find it difficult to create a list of applications without reference to their daily work. Partly due to a lack of communication in such projects, the business units also fear that these lists will subsequently be used to "gather and abolish" the applications and thus make the work of the employees more difficult. The risks are systematically underestimated because users often cannot easily assign a specific risk class ("low", "medium" or "high"). From the point of view of the business units, none of the systems is very risky, because they usually assume that they have them under control. Finally, these queries also do not reduce the distance between the business unit and IT, as communication between the two continues to be based on written documents only.

Shadow IT is collected in interviews

As a third approach, subject-specific interviews are recommended to identify shadow IT. Here, interviews are conducted with the users about the actual IT support of the processes. These interviews produce a largely complete picture. However, companies are sometimes reserved about such process surveys, because several process models have already been created in the past without generating added value from the perspective of the business departments. It should also be noted that this approach entails by far the highest expenditure.

What is the conclusion?

From our project experience, we can report that a combination of the interview and query methods promises the best success. In a selected business department, shadow IT is identified through interviews. These findings are then used to design a suitable query for the other departments, which must, however, be supported by a corresponding communication campaign. In addition, the query must be designed so that the departments can carry out a proper evaluation of the systems.

You will soon learn more here about a self-assessment of shadow IT by business departments.

Author: Prof. Dr. Christopher Rentrop
