Shining a Light on Shadow IT

What is Shadow Information Technology (IT)?

Shadow IT is when employees use an information technology device or an application to accomplish business objectives outside the realm of the company’s IT department. Individuals within business departments may use technology to solve issues or implement innovation in a do-it-yourself mode. Shadow IT is often seen as rogue or stealth IT in that the solution may not have approval from the organization. OneLogin states that 71% of employees are using applications that are not sanctioned by IT.

Why Does Shadow IT Exist?

There may be many reasons that shadow IT exists in a company. Companies with an entrepreneurial culture may actually encourage users to take action on their own behalf. Perhaps processes to get an IT request approved and completed is lengthy or unclear. To obtain approval, IT projects may have high business case expectations. Or, a business user may feel the problem would never get the attention of the IT department due to lengthy backlogs. Legacy applications may be large and costly for a company to address. The solution preferred by the user department may not be allowed due to established IT standards. Moving applications and data to the cloud with quick provisioning and an absence of infrastructure requirements can make it even easier to circumvent IT.

What is Wrong with Shadow IT?

Shadow IT solutions can provide innovative solutions with immediate business benefits. Although shadow IT may be done by resourceful people with good intentions, it can present issues such as:

Security vulnerabilities Reliability issues Performance issues Lack of control Quality and inconsistency issues

Additional hidden costs High risk Compliance issues Lack of documentation Support issues

For example, we often see the case when an employee develops a unique department-specific application, it becomes mission-critical, they leave the company, and no one is able to support the application. Companies must balance innovation against risk.

Developing and supporting shadow IT can become time-consuming for individuals that should be focused on other areas of the business. It can also mask a root problem of legacy applications that may need to be modernized. True IT costs for a company may also be inaccurately reflected. Gartner Research states that 35% of total IT expenditures in 2016 are related to shadow IT.

Security of shadow IT is a growing concern for companies. One of Gartner Research’s top ten security predictions (June 2016) was “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.” Unsanctioned devices and applications can provide a backdoor for hackers, leaving a company’s infrastructure and data vulnerable to security breaches. Security breaches and leaking sensitive data can have a tremendous impact on a company’s finances as well as their reputation, competitive advantage, and viability.

How Can Companies Leverage Shadow IT?

In the past, a CIO would try to shut down shadow IT. Today, that is virtually impossible. With tools readily available and people that may be as adept and innovative with technology as application programmers, just saying no to shadow IT is not realistic nor advisable. IT cannot ignore shadow IT and hope that it goes away. It won’t go away, and will probably increase in the future.

Following is a checklist of five areas to help a company manage and obtain more value from shadow IT.

1.       Fix the Root Cause. Find out why shadow IT crept into the organization; what caused it. Make sure IT can address specialized departmental needs without lengthy processes. Have an agile approval and governance process, with departmental requests having a voice. Ensure IT is not perceived as a bottleneck. Respond to departmental requests in a timely manner with a partnership-style approach.

2.       Embrace it. Update policies and standards to incorporate shadow IT. Provide training for users in the tools they should use and standards they should follow. Change the skillset of IT workers so they can assist with end-user tools. Communicate!

3.       Design for it. Have strong, robust, and up-to-date end-user tools. Re-evaluate and select new tools on a regular basis. Provide strong enterprise tools for common needs such as collaboration, reporting, secure file sharing and file transfers. Establish good data management tools and policies. Make it easy for users to comply with tools that are easy to use, standards and processes that are easy to follow. Have an understandable and up-to-date application architecture. Have strong data security by function and role. Define what data is critical and where it resides. Establish an overall enterprise security architecture & tools, including secure mobile platform, multi-factor authentication, and user provisioning. It’s not a matter of if a breach will happen, but rather when and how. Be ready and have clear plans in place for actions and communication when it occurs, whether in an enterprise system or shadow IT system.

4.       Highlight it. Listen!  Collaborate regularly with power users (business users writing shadow IT applications) to share ideas and tools. Know what shadow IT systems exist, document, and report them. Make shadow IT visible. Monitor and audit shadow IT systems on a regular basis. Consider end-user applications and tools when planning new software, upgrades, and strategic plans. Ensure change management processes and IT standards encompass shadow IT. Review end-user applications regularly for security compliance issues. Ensure users and IT are sufficiently cross-trained on shadow IT systems. Shore up the budgeting loop-hole. Shadow IT may develop because it is easier to get money in a departmental budget than the IT budget. Highlight shadow IT costs and include these budget requests as part of the IT spend.

5.       Change the culture. The IT mindset must change from “I know best how to do technology” to embrace and value the innovators throughout the business. Change the mindset of IT against the business.   Have a strong business and IT relationship to coordinate and work together. Educate users on what they should and should not do, the risks, and their responsibility for security. Some employees may not know there is anything wrong with what they are doing. Embed IT resources in the organization to better know the business, understand business processes, and gain business perspectives. Proactively identify departmental needs. Focus first on the business needs rather than technology.

Tell us what you think of our checklist. Have you found other creative ways to team with shadow IT? We want to hear from you!