Department software procurement
Posted by EstablishmentParty47@reddit | sysadmin | 30 comments
We have a lot of departments going rogue and getting software and services (think Survey Monkey) without checking with IT to get the right resources. Our IT policy is aimed at downloading software and is individual rather than department based. How do y'all wrangle this?
gumbrilla@reddit
One technique I've seen tried, but it's under a wider effort, is to work with finance.
Any IT line items - they become IT's budget. Any spending by individuals is not reimbursed.
There's a whole conversation to be had, though: if you are unaware of the demand, how well are you meeting their needs, or is it just an awareness thing?
hkusp45css@reddit
I think it's really important to be honest with yourself about this kind of question.
"Shadow IT" and end running policy to get stuff done is often a symptom of broken SLAs, lack of internal collaboration, or a lack of trust that IT is actually trying to work with the org, rather than just saying "no" every time someone needs something.
This may not be a process or policy issue, at all. You might have a large part of the org that simply doesn't trust you to help them. You can't fix that with more policies.
EstablishmentParty47@reddit (OP)
This was super helpful
pdp10@reddit
Absolutely true. But bear in mind that this will also probably be the excuse when "shadow IT" happens, irrespective of how true or not true it is.
We've had good luck getting ahead of needs by just having informal chats with stakeholders about what they have going on, and what's coming up. When there are blockers, they're usually of a political and/or silo nature.
hkusp45css@reddit
It's my philosophy/experience that if you're genuinely meeting the needs of your org, you'll never get shadow IT in the first place.
EstablishmentParty47@reddit (OP)
That is a helpful framing
Reddit-adm@reddit
Make it so commercial and privacy lawyers need to review the EULAs and the data handling and processing.
This is something Procurement should lead, with IT and Security and probably more consulted.
Humpaaa@reddit
1) Establish a procurement department that handles all ordering, manages contracts, and verifies vendors, to make sure they comply with all regulatory needs and your internal policies
2) Establish a policy framework that regulates vendors and used software, defines a vetting process for new software, and establishes that only verified software can be used, and only IT is allowed to install software
3) Make sure on a technical level that users and department heads can't install software
But you need solid management support to establish this.
hkusp45css@reddit
We require all software, platforms and vendors go through security testing, baselining and due diligence. So, each new "thing" has to go through 3 different departments (IT Ops, IT Security, Compliance) before it gets off the ground.
That policy has stopped a BUNCH of new things from getting "thrown in" to the Ops theater without IT approval.
Also, our AP people will alert us if something new pops up on a credit card that looks "computerey." We, in turn, alert the department manager, executive leadership and begin to find out where the process broke down. But, it's a policy breach to do it, so it's only happened like once, in three years.
Really, our corporate culture is one of collaboration. We all work really well together so, most of the time, the managers don't feel the need to go rogue.
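As an added example (not from the thread or any commenter), the AP-to-IT handoff described above can be partly automated: reconcile the card export against the approved-software list and flag tech-looking merchants, with repeat charges marked as probable subscriptions. The merchant names, keyword hints and transaction lines are all constructed sample data.

```python
"""Flag card charges that look like unapproved software/SaaS spend."""
import csv
import io
import re
from collections import defaultdict

# Constructed approved-software catalog, keyed by merchant substring as AP sees it.
APPROVED_MERCHANTS = {"microsoft", "atlassian", "zoom.us"}

# Constructed heuristics for "computerey" merchant descriptors.
TECH_HINTS = re.compile(
    r"(saas|cloud|\.com|\.io|software|survey|monkey|hosting|api|"
    r"subscription|licen[cs]e)", re.IGNORECASE)

# Constructed AP card export: date, department, merchant descriptor, amount.
SAMPLE_EXPORT = """\
date,department,merchant,amount
2024-03-01,Marketing,SURVEYMONKEY.COM,39.00
2024-03-02,Engineering,ATLASSIAN,1200.00
2024-03-03,Sales,CLOUDSAAS-CRM.IO SUBSCRIPTION,99.00
2024-03-04,Facilities,ACME OFFICE SUPPLY,212.40
2024-04-01,Marketing,SURVEYMONKEY.COM,39.00
2024-04-03,Sales,CLOUDSAAS-CRM.IO SUBSCRIPTION,99.00
"""

def normalize(merchant):
    """Lowercase and strip everything except letters, digits and dots."""
    return re.sub(r"[^a-z0-9.]", "", merchant.lower())

def is_approved(merchant):
    m = normalize(merchant)
    return any(a in m for a in APPROVED_MERCHANTS)

def find_suspect_charges(export_text):
    """Return {(department, normalized merchant): [amounts]} for
    tech-looking merchants that are not in the approved catalog."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if is_approved(row["merchant"]):
            continue
        if TECH_HINTS.search(row["merchant"]):
            key = (row["department"], normalize(row["merchant"]))
            hits[key].append(float(row["amount"]))
    return dict(hits)

def recurring(hits):
    """Subset charged more than once: likely an active subscription."""
    return {k: v for k, v in hits.items() if len(v) > 1}
```

Free tiers never show up in AP data, so this only catches the paid half of the problem the thread discusses.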
dadbodcx@reddit
All of this… and also users don't have admin rights, so they can't install stuff that isn't in the catalog; also tools like Zylo to look at billing in a CASB sort of way. Start with strong policy and procedures first, then tooling.
U8dcN7vx@reddit
But the example was Survey Monkey, entirely online. You'd have to similarly block all web traffic not to approved sites, which can be a very painful thing to chase.
hkusp45css@reddit
This is where the partnership with AP comes in handy. No need to block sites if you are informed about the new subscription or purchase.
U8dcN7vx@reddit
Alas some are "free".
hkusp45css@reddit
We can't solve every problem with processes. Sometimes you just have to make sure that everyone is behaving like a professional.
IamHydrogenMike@reddit
There are also accounting rules around IT procurement and how it should be properly classified when accounting for the expenses at tax time. Having AP heavily involved in these policies is as important as having IT involved, as it can result in issues when taxes have to be done and accounts reconciled.
hornetmadness79@reddit
This is a very common problem in small startups. Once the software has been adopted and the purchaser can demonstrate some amount of efficiency or profit, that software is never going to go away.
At best IT can manage software updates and authentication. After that, whoever bought the software is now responsible for its day-to-day operation, including break fixes. This also sets you up for a slippery slope: when the purchaser leaves the company, it generally becomes IT's problem. So it's best to get in front of these issues before it gets dumped in your lap.
lost_in_life_34@reddit
Where I work, any unapproved software has to go through security first.
Otherwise there should be some support agreement with IT.
Nova_Nightmare@reddit
Least privilege is a great way to deal with this, a plus to security, but a major culture change if it isn't in place. Still, it's recommended.
If users aren't administrators on their computer, then they will have a reduced ability to go get software without interacting with IT.
Additionally company policy should dictate a process that involves IT on the best solution for the company - which means first that has to come from the C level down to everyone else.
Not even 5 years ago I had a factory manager buy a machine that used a computer to run its operation (building chips and other things), and they requested the computer be added to our network... so that was a surprise, but then it was found the machine was XP... and that's when they were simply told no. It will not be allowed to connect. They weren't happy, but they never forget to involve IT ahead of time any longer.
fuckedfinance@reddit
This is a VP level conversation. Prepare a bunch of solutions (not just problems) and fire them off to your boss.
EstablishmentParty47@reddit (OP)
I report up to the C Suite and we discussed a combo of policy and communication… I'm just curious as to how others approach it.
Lylieth@reddit
Proper policies and procedures already in place usually prevent this sort of thing from occurring.
I used to see this more in small/medium businesses that had large amounts of growth. You get these DIY directors/managers who think the entire concept of "it's easier to ask forgiveness than permission" is 100% accurate, or worse, they think they know more than anyone else and just don't care. Said individuals are why these policies and procedures are even established in their org.
pdp10@reddit
You want to align incentives by making it easier to ask permission than forgiveness.
However, making that happen in an organization is usually exceptionally difficult. What I've tried are these measures:
EstablishmentParty47@reddit (OP)
Ya, and I think this is how we are: small growing to medium.
IamHydrogenMike@reddit
This is a pretty common issue when you go from small to medium; it's when you are forced to really tighten up your IT policies and start to get a little heavy-handed in their enforcement. If you don't do it now, then it gets so much harder as you get bigger and turns into total chaos.
fuckedfinance@reddit
"We have policies and procedures for a reason. Anyone found violating those policies and procedures will be terminated".
pdp10@reddit
We have categories, and anything computing-adjacent is supposed to be visible to the computing department before a commitment is made. Due to a past history of perceived inaction on requests, computing doesn't have a formal approval role, but is supposed to always have foreknowledge so that questions can be asked and vetoes raised.
The weakness of attaching approvals to purchasing like most of us do, is that freemium products can slip under the radar until it's too late. A weakness of attaching approvals to projects is that typically, nobody really wants their thing to be a project, because that means it gets put at the end of the list under three VPs' high-priority projects, so they try to make it a "request" or "issue" instead of a "project".
fuzzusmaximus@reddit
Our finance department is good about shutting down any vaguely tech purchase if it doesn't have a purchase request signed off by us.
bukkithedd@reddit
We flat out refuse to support software we didn't have anything to do with the procurement of. IT also refuses to bear the cost of installation, licensing, upkeep and maintenance of it. It also will NOT be installed on our servers, full stop.
The department that orders it can handle the fallout.
smalj1990@reddit
Go buy a tool called Nudge; it'll expose all shadow IT across your environment. Build out a vendor/software management capability and make it known across your business that any sort of procurement or sign-up for any third-party software needs IT to be involved in the conversation.
darthfiber@reddit
Things like surveys are a bit more difficult, but all machine-level access is restricted and regular users are also restricted from downloading executable files, so that takes care of that. Zero trust does a good job of keeping shadow IT in check with other IT teams.