Bringing Shadow IT Into the Light

Shadow IT is the unauthorized use of software, hardware, and cloud services. Typically, users skirt official IT channels in order to complete their work faster and easier. If they secretly use these things for other purposes, then that’s a far more serious security concern for the business. But by and large, there’s fruit to be harvested on both sides of this forbidden tree.

“In this era of hybrid and remote work, having some tolerance for shadow IT and enabling employees or their departments to choose their own tools can have great benefits,” says Eric Christopher, CEO of Zylo, a SaaS management provider.

But it’s not just the changing nature of work that’s causing businesses to do a double take on Shadow IT. Plain exhaustion and too few hours in the workday are driving its adoption, too.

A Economic Intelligence Unit report underscores the unsustainability of current IT processes, finding that “IT backlogs are significant and IT's control over the digital infrastructure is slipping.”

But that’s understandable. IT teams are understaffed and overwhelmed after the sharp increase in support demands caused by the pandemic, says Rich Waldron, CEO, and co-founder of Tray.io, a low-code automation company.

“Research suggests the average IT team has a project backlog of 3-12 months, a significant challenge as IT also faces renewed demands for strategic projects such as digital transformation and improved information security,” Waldron says.

There’s also the matter of employee retention during the Great Resignation hinging in part on the quality of the tech on the job.

“Data shows that 42% of millennials are more likely to quit their jobs if the technology is sub-par,” says Uri Haramati, co-founder and CEO at Torii, a SaaS management provider.

“Shadow IT also removes some burden from the IT department. Since employees often know what tools are best for their particular jobs, IT doesn’t have to devote as much time searching for and evaluating apps, or even purchasing them,” Haramati adds.

In an age when speed, innovation and agility are essential, locking everything down instead just isn’t going to cut it. For better or worse shadow IT is here to stay.

“Putting the decision-making power into the hands of teams, not just IT, empowers employees to procure the tools they need to do their jobs when they need them -- making shadow IT a source of innovation and agility. And this ultimately leads to two things: better adoption rates and a stronger employee experience,” says Zylo.

Besides, it’s not like companies really have any choice.

“Good luck trying to stop shadow IT as that ship has sailed,” says Ahmed Datoo, CMO at Alkira, a cloud network as a service provider.

Downsides to Shadow IT

There are clear downsides to Shadow IT as well and being too quick to embrace it can lead to certain disaster, and not only due to the predictable and significant rise in security vulnerabilities.

“When employees who control the root accounts associated with these shadow IT assets leave the company, confirming that access to these assets has been revoked, or gaining any access to the orphaned accounts at all, can pose a significant challenge. In severe cases, this might lead to a disruption of key business processes,” warns Dan Trauner, senior director of security at Axonius.

That makes managing shadow IT assets and data stores absolutely essential. The first order of the day is to take an inventory of shadow IT assets, often using a SaaS management platform (SMP) and other asset management tools.

“An entire category of security tools -- SaaS management platform -- exists to help connect to and parse these data sources to discover shadow IT. As most organizations today rely on SaaS products, this should be a strong consideration whether achieved in-house or via a vendor,” Trauner adds.

Once you find the assets hidden in shadow IT, resist the urge to shut the whole thing down.

“One thing IT should not do is simply lock it all down. This has two impacts typically. The first is to stifle innovation and creativity. The second is to drive shadow IT even further into the shadows,” says Andy Miears, director, enterprise agility, with global technology research and advisory firm ISG.

Tapping Into Shadow IT for a Company Win

Once shadow IT assets are brought to light, it’s time to look for ways to leverage their use for the good of the company as a whole.

Experts say these are good places to start:

1. Check for licensing waste and app redundancies.

Don’t be surprised to find many redundant apps used by different employees who now can’t easily exchange information or collaborate in the digital workplace, warns Haramati. “This also means IT ends up having to support redundant apps. Also, many shadow IT licenses are unused and not right sized for their usage levels, and subscriptions often renew without the app owner’s or IT’s knowledge,” he says.

2. Double check for apps that may still lurk in the shadows.

Fortunately, there are tools to help with this task. “By looking at data in an identity provider like Google Workspace, you can identify OAuth grants used for sign-in to third-party applications. There are other sources as well like DNS logs or accounting software such as corporate credit cards,” says Trauner.

3. Establish ongoing governance.

Steer clear of trouble by being proactive and diligent. “You can establish an ongoing governance process to ensure all apps go through a security review and apps above a certain spend threshold are evaluated against what else is already in your SaaS estate,” says Christopher.

4. Encourage security to be more developer friendly.

Security protocols and attitudes are the most often cited causes as the things developers and users try to avoid by using Shadow IT. That will continue if it doesn’t become starkly easier to conform to security’s directions. “Taking the tacit of “you wrote bad code” isn’t going to win over any hearts or minds,” says Vikram Kunchala, principal and cyber cloud leader at Deloitte Risk & Financial Advisory.

“Encouraging early and often engagement with security during the development process can help. But, security teams also need to make it easy for developers to do so,” he adds.

This is not just a touchy-feely soft skill advice. True cooperation between developers (citizen or formal) is a practical matter as well. “Further, IT and developer teams typically outsize security teams in most organizations—and often well-meaning people may rush things at the risk of others,” warns Kunchala

5. Take the company’s information security function organization wide.

Security can’t be pigeon-holed in IT and a security department if the organization is to truly be secure. Shadow IT’s very existence proves the folly in that thinking.

“A security function empowered by the CEO or similar executive to both enable other team’s business requirements and to have its own requirements regarded as equally important can help bring shadow IT projects into fuller visibility and mitigate some of the risks,” says Jacob Ansari, Security Advocate and Emerging Cyber Trends Analyst for Schellman, a global cybersecurity assessor.

On the flipside, “sufficiently knowledgeable security teams with a big enough perspective can also spot where a shadow project is duplicating the work of something already existing and maybe even obviate the need for such a project in the first place,” Ansari adds.

Whatever additional steps you choose to take, keep one central understanding in mind.

“The old notions of centralized, strict rules around enterprise architecture, and IT governance, risk and compliance need to evolve. It should be the role of IT to provide the guardrails, services and building blocks needed to adapt to the business quickly and effectively,” Miears says.

What to Read Next:

Enabling Citizen Data Scientists to Reach Their Full Potential

The Benefits of Adopting a Low-Code/No-Code Development Platform

How to Keep IT Team Members From Quitting in a Tight Employment Market