To call the IT situation at Penn State decentralized would be an understatement.
“We have over 30 email systems,” says CISO Donald Welch. “Colleges and administrative units run their own servers of all different types. They also run their own networks, firewalls and college-specific applications.”
Known as “shadow IT,” the practice of individuals or entities within an organization meeting their own technology needs happens in the corporate world, but academia is especially prone to it.
Shadow IT presents security risks. It can be duplicative and drive up the cost of technology. But experts say there are ways to keep it in check.
IT Goes Rogue
At Drury University in Missouri, with its 1,400 day and 2,800 nontraditional students, executive vice president, COO and CIO David Hinson has seen his share of this phenomenon.
“In the past I have had situations where we had one department running an entire accounting system outside of our accounting system,” he says. “I’ve seen people establish their own mailing lists or their own communications load.”
At the University of Texas, departments will set up autonomous IT shops, hiring their own programmers and network administrators.
“But where it really comes into play is in data, where people have their own unique data sets,” says University of Texas CIO Stephen diFilipo. “Because there is so much access to the cloud, they just set up a license for a service and then when someone else comes in to get student data from that system, there is no practical way to do that.”
The cloud is a prime culprit in the spread of shadow IT. The ready availability of digital services often tempts researchers or departments looking to fill a need quickly and inexpensively.
University culture also is to blame. Academia prides itself on an ethos of autonomy.
“A university’s strength has always been in its culture of independence, of freedom and the ability to pursue ideas wherever they might lead. It has not been about protection and constraint,” says Larry Ladd, director of the higher education practice at consulting firm Grant Thornton.
That can make it hard for the IT department to enforce overarching policies and protections. Yet in the absence of those protections, shadow IT can put the entire enterprise at risk.
Hinson worries about rogue data sets, including efforts at the collegiate or professorial level to build and maintain databases outside the university IT infrastructure.
“There are regulations around the use of data, so it puts the institution in legal jeopardy and creates operational challenges if this information doesn’t exist anywhere outside the data set you created,” he says.
Others see a threat to security.
“Maybe this shadow IT is opening another path into the university networks, for example,” Ladd says.
Shadow servers and other off-the-grid technology could unwittingly create a conduit for bad actors to access broader university systems.
Cost is an issue, too. Universities can save money by consolidating their IT buys, whether for hardware or services — an opportunity that is lost when departments purchase outside the IT shop. The shadow systems also create a potential support burden.
“Departments think they are independent and they don’t need the university, but then something goes wrong and they call the university IT people, who don’t know how the system works and don’t know how to help them,” says Ladd.
Students, alumni, partner institutions and others may pay a price as well: University systems touch a range of stakeholders, any of whom may be negatively impacted by shadow IT.
“The risk is that as each unit goes off and does its own thing, stakeholders might find themselves getting different messages, perhaps conflicting, from across the enterprise,” says Joy Walton, a managing director in the higher education practice at Huron Consulting Group. “It can make the experience of communicating with the university very confusing.”
Fortunately, a number of potential remedies exist.
Finding the Fix
At Drury University, Hinson says the frontline of defense comes on the policy side.
“Strong governance can prevent a lot of this,” he says. “Policies can say things like: You shall not do this with student data. You can also have committees and advisory councils. Here at Drury we have a technology advisory council with a number of subcommittees, including information security.”
Many in and around academia say committees will likely have a greater impact than strict policies.
“Authority might get you 20 percent of the way, but really you have to lead people because they want to follow. You have to build trust; you have to influence them to understand why this is in their best interest,” Welch says.
One way to do that is for central IT to get stakeholders the technology they need.
“We want to take commodity services and consolidate them in a central organization or in the cloud so we can focus as few resources as possible on those commodities, such as networks, email, servers, file storage and enterprise applications,” says Welch.
Others take the opposite approach. At the University of Texas, diFilipo doesn’t call it shadow IT. He calls it “distributed” IT.
It’s not the job of the CIO to buy technology for everyone: There are procurement people for that. Why not let colleges and research labs go out and get the tools they need? IT’s job, he argues, is to tie it all together.
“The responsibility is to maintain an overall alignment, to ensure the technology programs are aligned with the university’s overarching strategic plan,” he says.
IT leaders need to ensure consistency around issues like security, data management and compliance. But they don’t need to sign off on every server.
diFilipo’s approach may seem a bit laissez-faire to some, but it acknowledges a fundamental reality. Academia — whether professors, research labs or whole departments — does not yield easily to central authority.
If university IT leaders cannot stop shadow IT altogether (and they probably can’t), then at least they can position themselves as big-picture thinkers. They can explain why security has to go a certain way; they can show end users how different systems interlink to create potential vulnerabilities. It is in the leadership role, experts contend, that university CIOs have the greatest chance of containing the potential hazards around rogue technology.