Shadow IT & How To Manage It Today

In the business world, shadow IT is a controversial topic. Gartner defines Shadow IT as any IT devices, software and services that are used outside or beyond the ownership or control of IT departments/ organizations. This includes:

• Hardware, especially personal computing devices like smartphones and laptops
• Cloud services such as online tools and AI
• Alternative applications

In a standard work environment, the IT department would be responsible for providing whatever IT solutions and work tools were needed across all business functions. But as workplace technology and culture have evolved, the desire for alternatives beyond what IT provides in order to do things better or differently has continued to rise.

This invariably has led to corporate users seeking solutions outside IT’s realm, which…can be a problem: though this may provide an immediate answer to a user’s needs, it goes against governance, which can lead to security and cost risks.

This difference in perspective between user preferences and governance of IT has persisted over time:

• Is IT a gatekeeper, not wanting people to use what they deem the best tools out there for a specific work challenge?
• Are people too naive about the security threats or penalties for license violations when they acquire solutions outside IT’s guardrails?

Both sides consider their opinions valid, and maintain a sort of hardline stance on agreeing to the other’s perspectives on shadow IT. So who’s right or wrong? And is there a middle ground?

In this article we will identify drivers of shadow IT, and solutions for organizations to deal with Shadow IT from both pro- and anti- perspectives.

Drivers of Shadow IT

When looking at Shadow IT from the business user’s perspective, it is evident that their need for alternate IT devices and systems is driven by the need for effectiveness, efficiency or just preference. For purposes of contextualization, let’s consider three examples:

• Dakota built his own custom gaming rig and has the option to work remotely. His personal machine can handle his coding work much better than the company-issued laptop.
• Jay has worked with Macs all her life. But her current employer issues Windows devices, which she struggles with as they disrupt her natural rhythm.
• Shola, an adherent of open source LLMs, wonders why the cybersecurity team makes such a big deal out of her actions to feed them company data to do a quick analysis on CRM data.

While each may see their rationale as valid, IT may oppose this position through the enterprise-wide governance posture that favors security, stability and standardization. For example, IT may be constrained by issues such as license costs, compatibility issues in integration with enterprise systems, or lack of visibility on data access by third parties.

Shadow IT increases risks for organizations by further expanding the network’s attack surface.

Respondents from a 2023 survey from Capterra identified the following causes of shadow IT:

• Lack of understanding/awareness of the correct process for getting new software or hardware.
• A perception that going through the IT department is too slow and/or cumbersome.
• An incubator team is created with a senior manager’s approval — but outside of IT’s awareness.
• IT doesn’t respond quickly enough to the request for new software or hardware.

Where innovation and agility are part of a team’s prevailing culture, then researching, testing and changing multiple different IT systems to solve a challenge is a regular occurrence. But this flies in the face of IT providers who must comply with governance frameworks that inform the management of potential risks that arise from unregulated hardware, software or cloud solutions that may result in cyberattacks, loss of intellectual property or breach of customer privacy.

The case of the IT department being perceived as a stumbling block could be attributed to bureaucratic service request management process that is entrenched with multiple layers of approvals, fixed budgets and unyielding security controls.

Managing Shadow IT: A governance perspective

Addressing the shadow IT conundrum has to start from the enterprise governance position. According to ITIL^® 4, governance doesn’t exist in a vacuum — it must be informed by the mission and strategy. It must also consider external factors such as:

• Regulations
• Industry standards
• Legislation

Policies and guidelines are a common type of direction mechanisms that governance wields for managing shadow IT. Depending on the position held, the policies will inform a position that leads to desirable results or limits undesirable ones.

Another mechanism for governance is controls related to risk management. Informed by standards such as ISO 31000, the key objective is to identify and manage risks that could result in negative effects related to shadow IT through appropriate safeguards. Governance from a leadership angle can also influence culture, by determining and championing the right behaviors expected from staff and contractors who use the organization’s IT systems.

(Understand GRC: governance, risk & compliance.)

The anti-shadow IT position

For an organization that takes an anti-shadow IT position, a defined policy on acceptable IT usage or shadow IT will:

• Spell out in no uncertain terms that alternative IT solutions are not permitted unless approved by the relevant business and IT leadership.
• Tell how IT can institute necessary technology controls to limit access to enterprise information and systems via shadow IT.
• Define the consequences of using shadow-IT including disciplinary processes and financial penalties.

The negative effects of potential risks arising from Shadow-IT would be regularly communicated as part of cybersecurity awareness such as GDPR penalties from private data breaches. Also, the organization’s leadership would be at the forefront of demonstrating behaviors that are compliant to anti-shadow IT policies such as turning down any requests for consideration or using their own preferred personal devices.

The pro-shadow IT position

On the other hand, organizations that take a pro-shadow IT posture would define guidelines that inform how alternative IT solutions can be introduced into the organization.

A BYOD (Bring Your Own Device) policy would provide directives for how employees can use their preferred digital devices for corporate use, including security measures and compliance requirements. For instance, an employee can freely communicate their desired alternate solutions without fear of punitive measures. They would need to avail access to their preferred personal device so that IT can configure the relevant controls required to secure the enterprise’s data. Team or functional budgets may receive an allocation for shadow IT that is acquired as part of innovation or project needs.

A streamlined process for fast-tracking shadow IT into the mainstream IT service catalogue would also be spelled out, which includes a rapid risk assessment for any suggested IT solution that is not part of the existing portfolio.

Finally, executives would champion the right culture by encouraging and rewarding teams that research, test and implement alternate solutions that lead to significant business value in terms of:

• Revenue growth
• Cost savings
• Customer satisfaction
• Operational excellence

Managing Shadow IT: A technology perspective

Whether an organization is pro- or anti-shadow IT, managing alternate solutions requires the right technology that will facilitate effective onboarding of such solutions or put barriers to limit their entry into the IT environment.

Such technology interventions must be informed by policy — otherwise, they would lack merit in as far as compliance is concerned. In addition, they must be directly linked to the associated risks that have been identified and analyzed, so that their effectiveness as a control mechanism can be evaluated and improved.

Examples of anti-shadow IT technology solutions

• IT configuration management software that automatically discovers and flags any installed software or hardware that isn’t allowlisted. The solution may also discover jailbroken versions of enterprise software that have been installed in organizational devices, or personal devices running jailbroken operating systems or apps.
• Cloud access security broker (CASB) solutions that monitor the lifecycle of SaaS solutions within the organization including purchases, licensing and usage. These tools come with built-in capabilities for policy enforcement limiting improper or unauthorized activity, as well as data loss prevention.
• Endpoint detection and response solutions that use machine learning capability to detect suspicious activity from shadow IT and coordinate appropriate response including locking access to unauthorized devices.
• User access management tools that limit end-user local admin access rights or restrict privilege account access only to specified numbers and users.
• Zero-trust network access solutions that limit access to enterprise data and systems to only approved devices and applications.

Examples of pro-shadow IT solutions

• BYOD MDM (Mobile Device Management) solutions that would provision a work container within the employee’s own device that segregates workplace apps and data, and that can be remotely wiped when the employee exits the organization.
• Enterprise sandbox environments that allow users and IT to test out shadow-IT in a manner that limits exposure to negative impacts such as intrusions or data loss.
• Virtual desktop environments that are independent of the user device, and do not transfer any data to the user’s device.

An Expert's Perspective

To better understand the important role and risks of Shadow IT, we spoke with Nate LaFerle, Principal at Remisphere Digital. Nate has nearly two decades of experience tackling complex data management challenges with large organizations including 3M, American Airlines, and Johnson & Johnson.

In this section, we've included Nate's responses to our prompts.

Where does Shadow IT come from?

As companies continue to squeeze overhead spending across the board, the rise of Shadow IT has really become inevitable. A few factors have converged to create the rise in Shadow IT. IT budgets have shrunk, reducing capacity – while resources, now often located in lower-cost geographies, are less tightly connected to the business. Cybersecurity has quickly (and rightfully) become the top priority for CIOs. Initiatives that really drive business value, like better analytics, process optimization, and data governance get pushed to the back burner.

With business teams more able to advocate for resources than their counterparts on overhead and support teams – it’s inevitable that leaders who want more automation, data-driven decision making, and better-performing processes are looking to create the capacity internally.

Are there any benefits to Shadow IT?

In some ways, shadow IT has its benefits – by embedding tech-savvy talent that is attuned to the business and focused on a narrower set of goals, teams can realize increased agility and velocity. Business team leaders can make more progress in less time with focused, internally-managed resources. Often, they can have more success -- and salary budget -- recruiting versatile talent into hybrid business/technology roles.

What are common risks created by Shadow IT

Ultimately the biggest risk is sustainability. What Shadow IT gains in agility, it often does at the expense of documentation, compliance with organization and industry standards, and, in some cases, security. Centralized IT is often perceived as creating limits – for example, preventing the use of multiple expensive software platforms that do the same thing, requiring extensive documentation, or ensuring sensitive data is stored only in certain locations. These limits, while they reduce speed and often frustrate business leaders, are crucial over the long term. Too often, I’ve seen shadow IT solutions fall apart when the resource that built them leaves the company, or when the broader organization changes direction or embarks on a big global project that interferes. Shadow IT keeps CIOs up at night knowing that their biggest risks of data breach, loss or ransomware could come from systems they don’t even know exist.

What is the future of Shadow IT?

Unfortunately, the phenomenon of Shadow IT has shown no signs of slowing, even as cybersecurity risks multiply. Political and practical realities continue to drive business teams to “self-serve” when it comes to technology platforms, and companies are reluctant to scale their support organizations proportionally with their revenue-driving units, continuing to ask IT to do more with less. The reality is that any CIO faces a far greater professional risk from a cyberattack than any recognition she’ll receive from a new analytics capability or data quality initiative. With that frame, it’s easy to see why Shadow IT will continue to grow in the near term.

Final thoughts: Shadow IT will continue lurking

As generations move through the workplace, it’s obvious that shadow IT will persist as a contentious issue. Users like Dakota, Jay and Shola will insist that their motivation to deliver their work with excellence has to be supported with the latest and greatest in technology solutions. In contrast, threats from cyberattacks and penalties from illegal software or privacy breaches will continue to prevail.

To keep pace with the accelerating changes brought about by the digital world, organizations and IT functions must increase the velocity and efficiency of their business processes. This means that IT must take a collaborative approach when working with business users to ensure they are:

• Better facilitated to get the tools and solutions that address business challenges.
• Being informed about risks and vulnerabilities associated with alternative IT solutions outside the current domain.

Governance must appreciate and support agility and innovation in providing direction that facilitates access to the latest and greatest in technology, but tempered with the right levels of controls to protect the organizations from the harmful effects associated with shadow IT.