Dealing with growing "shadow IT" options
Description
"Shadow IT" refers to any information technology system, software, hardware, or service that employees use within an organization without the knowledge or approval of the IT department; in other words, tools not officially sanctioned by the company, which often introduces security risks and compliance issues. This project seeks ways to make the existence of shadow IT and the risks it carries visible, and to conceive of possible actions that capture the benefits of free or otherwise accessible software while eliminating risks or reducing them to understood and acceptable levels.
Project Justification
Clarity about what may be used as-is, or used with acceptance of certain known risks, could greatly help the organization work through its steady and growing backlog of current needs. In fact, DOIT has an active strategy of developing IT self-help pathways (known as "citizen development") for exactly this reason, and so values legitimate expansion in compliant, sensible and secure ways.
Details
Sponsoring Leadership Area
Div. of Information Technology
Sponsoring Leadership Area's Priority
None
Program Area Lead(s)
None
DOIT technical lead(s)
Knute Jensen
All Involved Leadership Areas
Div. of Information Technology
Created: 3 December 2024, 22:28
Updated: 15 January 2025, 16:06
It's not clear we will have a good picture of the scale of the problems or potential in delivering on this project without more exploration and conversation. One possible route is to open a conversation in the IT Core Team meeting to invite others to weigh in. A downside could be to become aware of lots of technically non-compliant use, prior to having a framework or any resources for undertaking steps to try and clear or approve such use, thereby taking away utility where no actual harm may have happened. However, failing to inquire or discuss while the potential only grows seems like putting our heads in the sand.
Arguably the appropriate lead for a project like this will be with NJOIT, but the pressure on them to meet compliance first might just lead to more value-erasing shutdowns where no harm has truly occurred.
A more promising approach might be through the Office of Innovation who would face less pressure to meet compliance and is more aligned with unlocking the potential benefits from development of some analysis of risk/reward or a framework for clarifying acceptable uses and risks.
See a good summary of the issues and concerns here, as well as some basic recommendations, even if those may be beyond DEP capacities: https://chatgpt.com/share/e/674f8634-c39c-800d-b6ad-46d4dc2f3ae0