Shadow IT explained
Shadow IT describes the procurement and use of IT hardware or software without the explicit approval of IT departments. This includes hardware, off-the-shelf software, and cloud services. The latter is typically Software as a Service (SaaS) and Infrastructure as a Service (IaaS).
In an increasingly digital world, employees feel more and more comfortable downloading apps and services that help them get their job done. This brings its own risks and challenges, but it also has benefits such as increased productivity, reduced bottlenecks, and immediate problem-solving. It does, however, create a gap between Business and IT. Business-driven IT embraces innovation and productivity, whereas IT has its own practices to ensure proper management that embraces efficiency and security.
Alternative identifiers for Shadow IT
Shadow IT may also be referred to as rogue IT, feral IT, stealth IT, fake IT, embedded IT, or client IT.
Why Shadow IT exists
Gartner research finds that an average of 30-40% of IT purchases in large enterprises is Shadow IT spending. A research study by Everest Group found this to be at least 50%.
Part of the problem lies with companies:
- Not offering adequate support for technologies that users require.
- Running IT governance, approval, and provisioning processes that are too slow and ineffective.
Another driver is non-Line-of-Business applications that do not store sensitive customer data:
- SaaS makes applications immediately available without the business having to invest in, and be part of, continuous agile development and innovation projects.
The Risks with Shadow IT
- System inefficiencies. Storing and using data in multiple infrastructure locations is inefficient. If IT is not aware of the data flows, the department cannot plan for capacity, system architecture, security, and performance across disparate systems.
- Non-compliance. There may be additional audit points where proof of compliance must be expanded. Costly lawsuits or fines for non-compliance may damage brand reputation and business.
- Lost data. Cloud-based data can be lost when the user who owns the information leaves the company. If that user is terminated, there may be problems getting critical information back from a personal account. Shadow IT cloud services can also be quickly disconnected when a terminated user stops paying the bill.
- Cost. Once a shadow IT system becomes critical and users scale the resources, the cost incurred to continue using the service may be unjustified. A typical example of this is cloud storage.
- Data Leaks. An inability to perform disaster recovery measures on Shadow IT systems.
- Isolated cybersecurity landscape. Unmanaged data repositories lie outside internal security boundaries. Weak or default credentials risk exposing unmanaged assets to the Internet.
Why Shadow IT is adopted
One of the primary reasons is the rapid growth of cloud services and SaaS that are easily accessible to employees at all levels. This explains why research highlights that most cloud app purchases are made outside of the IT department. The average employee is increasingly tech-savvy, needing less involvement from IT teams to approve a solution that enhances efficiency and productivity.
Another key reason is that most businesses experience a shortage of software developers. A business must keep operating at its best, which means waiting for busy IT experts to develop an in-house solution is rarely viable. Adding to this challenge, many in-house applications neglect certain business aspects, which leads managers and their teams to look for quick fixes. SaaS applications are continuously advanced to solve validated customer problems, and the latest technology and security methods are adopted to prevent obsolescence in the market. A SaaS platform is the key source of revenue for a SaaS vendor, which means the vendor keeps evolving it to maintain market relevance. As such, there are no additional R&D costs incurred by customers who benefit from new features and other enhancements.
Other Shadow IT research
A McAfee study found that 80% of employees admit that they have been or are using non-approved SaaS applications to get their job done.
A survey by Entrust Datacard identified that 77% of IT professionals believe that companies could gain a competitive edge by embracing Shadow IT.
NCSC found that 60% of enterprises fail to include shadow IT in their IT threat assessments.
Shadow IT has become a vital topic for many companies. To improve their solution impact and minimize company risk, there are 4 key areas to consider:
- Finance. To best guide budgeting, cost optimization, and planning.
- Licensing. To understand the cost of scaling and look for license consolidation opportunities.
- Productivity. To set a common policy that reviews onboarding and solution administration.
- Security. To review a vendor’s data access and privacy administration, which determines if they conform to company policies.