Shadow IT Doesn’t Have to be Your Enemy

Even its name sounds a little frightening. ShadowIT

“Shadow IT”. It sounds like something lurking in the corner, waiting to pounce. And its other names are worse, with some CIOs calling it “rogue” or “feral”.

The truth is, Shadow IT can be pretty scary for IT leadership. It creates more risks for the organization than just information security issues. It can even cause friction – or greater friction – between IT and other internal teams.

But there can also be benefits to Shadow IT if you’re willing to embrace it, prepare for it, and develop inclusive policies and education regarding it.

What is Shadow IT?

Gartner defines Shadow IT as “IT devices, software, and services outside the ownership or control of IT organizations”. But of course, reality is more nuanced than a simple definition.

Basically, Shadow IT starts out, and thrives, in organizations that either enable departments to do what they want or in companies where IT says “no” more often than they say “yes”.

If you have departments that adopt their own software, that’s Shadow IT.

If you have groups that have licensed their own cloud services, that’s Shadow IT.

If you have teams that have siloed themselves by using solutions that haven’t been vetted by IT, that’s Shadow IT.

This is a situation that has been exacerbated by the Bring Your Own Device (BYOD) trend that many enterprises are seeing and even encouraging. When combined with the overall tech savviness of the average person, Shadow IT seems like an obvious outcome.

While IT departments are trying to keep control around what’s used for both support and security reasons, some are seen as strict gatekeepers that are more likely to deny a request than consider it. Or, equally as bad, an IT department may seem willing to evaluate solutions, but not have the resources to do so quickly or efficiently. Other departments are “helping” when they go off book and find their own solutions.

What many of those that are outside of IT don’t realize is the problems they can cause when they seek out their own technologies. Even IT doesn’t always understand all of the risks associated with allowing Shadow IT to run rampant.

Shadow IT can Introduce Risk

The one risk of Shadow IT that its painfully obvious to anyone in traditional IT is security. Without an awareness of the risks associated with random software acquisition and installation, a department making its own software choices could potential open up the entire network to risk.

Support is another concern. While a team within the organization may have chosen, and are even supporting their own solution, it may not play nicely with other apps approved by IT. It might not even work well on the available equipment provided by IT. As a result, IT gets pulled in to troubleshoot systems sporting software and services they have no knowledge of.

Many organizations must deal with various levels of compliance. Whether that is tracking required by IT as part of Sarbanes-Oxley, or stricter requirements like PCI or HIPPA, organizations that allow or encourage non-IT teams to adopt their own IT equipment, software and platforms can put the entire organization at risk of being out of compliance.

Many groups will argue that they are using their own budgets for their Shadow IT initiatives, so it shouldn’t be a concern of IT. But costs are a larger concern than just what fits into an individual department’s budget. For instance, if multiple internal organizations have contracted individually with the same 3rd party, the enterprise may be missing out on savings associated with volume licensing.

Lastly, Shadow IT can create integration nightmares for IT. If two internal teams need their software to talk to one another, but they are using disparate solutions, they may turn to IT to connect their data silos. Without having vetted the vendors, one, or both, solutions may be built on platforms unfamiliar to your IT organization. Or one could have no external interfaces available at all. A problem that could have been cut off during the evaluation process has now become a headache for the central IT organization.

How to Incorporate Shadow IT

As risky as Shadow IT can be, it’s unlikely that you’ll be completely unable to remove it from your enterprise, especially if it’s already got a foothold within the organization. But it might not even be in your best interest to remove all facets of Shadow IT.

Instead, working with the various teams within your organization can allow them some control over their solutions, while relieving IT from dealing with multiple demands with dwindling resources.

First and foremost, you should make sure that anyone considering investigating their own solution gets an understanding and some training on the security risks they need to be aware of during the evaluation process. And if you’re under compliance requirements, you want these organizations to understand what is required to meet the compliance rules.

Next, your policies around individual departments adopting their own software and services should include requirements that IT be aware before a choice is made, during the requirements gathering and definition phase. The intent here is not to tell other teams “no”, but to make them aware of other teams that are using similar software, or teams that may have a similar need.

If these multiple teams can agree on a single solution, they can split the costs across their budgets, and potentially gain the benefits of volume licensing. It also gives the central IT organization the opportunity to guide these departments to solutions that are known to operate well within the existing technology ecosystem.
Shadow IT doesn’t need to be a thorn in the side of your traditional IT department. It’s possible for individual organizations to work with the central IT organization to get what they need, while still meeting the requirements and mitigate the risks to the larger organization. Training, planning, and becoming part of the Shadow IT process gives you insight into the needs of these teams without becoming the department of “no”.