Shadow IT - The good, the bad and the ugly
Shadow IT raises a handful of questions: is shadow IT just bad, or does it carry some benefits as well? How does it affect my organization? What can I do today to handle it better? While shadow IT isn’t a new term, organizations have seen an increase in its appearance the past few years:
The number of unauthorized cloud apps used in enterprises is as much as 20 times higher than CIOs initially predicted. 1
When asked why - the CIO’s said that the main drivers for shadow IT are increased efficiency 60%, increased productivity 62% and 58% believe that it frees up time in the IT department. 2
Shadow IT is increasing and should increase in the near future due to several trends:
- SaaS adoption is increasing. There are more options to choose from because more vendors are moving to a SaaS business models.
- It is much easier to signup and start using new tools. SaaS applications are becoming more self-served than before. Anyone can sign up and start using a new product to evaluate its benefits. Many products offer free trials, affordable prices or even free services, all of which reduce the barriers to adopting these tools.
- It is becoming easier to integrate software. Different software is becoming more and more connected, sharing of data and communicating effectively with each other.
- We are changing. The bulk of the current workforce on enterprise was born into the world of software, and some were born into the world of app stores. We are used to choosing software on a weekly, if not daily basis. We are trained to use new tools, switch between tools, and also to do research so that we can choose the right software for the job.
Shadow-IT is mostly perceived as something which is all bad. It is seen as those new tools that rogue employees sign up to because they won't “follow the rules”. We need, however, to acknowledge that shadow-IT has some benefits, which we should not simply dismiss.
- The "rogue" employees may be using the best of breed tools that help make them more productive since they are not limited to a small set of tools that a small group of people has decided is right for the job.
- Motivation - new SaaS tools can empower individuals to achieve more with less. This raises the motivation and the engagement of the employees.
- Employees are open to new technologies and new ideas that may create a competitive advantage. If you don’t open yourself to new SaaS tools, your competition will outrun you.
- Shadow IT can encourage IT to be more effective and efficient. For example, if in the past the only way to transfer files between colleagues was to put those files on the slow samba server, now IT needs to provide tools within the standards of Dropbox, Box and others.
Shadow IT in the SaaS world refers to those unauthorised, and many cases, unknown SaaS applications, adapted by the organization. This leads to higher overhead costs for the IT team in a number of areas:
- Employees start asking for accounts and licenses to unsanctioned software, not knowing that they are unsanctioned. IT must find out who is in charge of the software, approve it and take ownership.
- Money is wasted as some employees find alternatives to software that the organization is already paying for. Several teams may use the same tool, each unaware of the other.
- It hurts collaboration – the beauty of SaaS and the cloud, is that it encourages collaboration. It is used throughout the eco-system, on multi-platforms to connect with our peers in real time. When different tools are used and are not connected to each other, that collaboration is disrupted.
- Security is easily compromised as your company IP and the users are now exposed to several SaaS providers, increasing your attack surface. This makes it very difficult to track the security levels of all those SaaS.
- Sensitive data - your company data is now shared among various vendors. With a click of a button, employees can upload, share or give data access to SaaS providers without realizing the consequences. Is that data being shared or sold? Where is the data stored? Who has access to it?
We need to realize that shadow-IT doesn’t appear on its own. All shadow-IT services are born and raised by employees who signed up for them. When the IT team finds the shadow-IT, it is usually late in the game. The situation can easily be lead to personal discomfort as IT has to take an action against those who have broken the rules. Regardless of whether that action is approving the unsanctioned software, blocking it or going through some discussion cycle, there will be some unhappy people in the organization. Those issues can get even uglier when IT is left out of the loop for several months, just to find out that a service that is currently used by a few dozen of people is strictly against the IT standards and is breaching data sensitivity or security.
When the IT is left out of the picture, it is unlikely that the employees will perform the same assessment as the IT team would. Not because they don’t care about security or data privacy, but because they are not trained for that. They don’t see the same big picture as IT does, they are not informed of the threats and security implications, and they just don’t have the time or skills to perform these assessments.
So what is the bottom line?
While there are many disadvantages associated with Shadow-IT, we must also acknowledge the benefits that it can bring to both IT and the business as a whole, as long as we make sure that we avoid its bad and ugly aspects.
What can you do today to handle shadow-IT better?
The world of IT is changing and the boundaries between IT admin, and the employees as SaaS admin are becoming blurred. Opposing or trying to block employees from adapting new SaaS is not an option any more. It is time for IT to work together with the employees and LoB leaders on getting shadow-IT out of the shadows and adapting its good parts without compromising security, financial control, and compliance.
Shadow IT can be discovered in many ways, reading data from browsers, firewall logs, integrating with product APIs, reading expense reports and more… this is exactly how Torii uncovers shadow IT.
Remember the good, the bad, and the ugly – and base your approach on it.
The drivers for the shadow IT are good, embrace them. Learn about your company’s early adopters. Usually, in every department, there is someone who likes to test and introduce new software and they drive a nice amount of shadow IT. Don’t block their efforts. Empower them instead – let them take part in POCs, learn the latest innovations and products in their field. Learn where software is heading in their domain. Teach them to evaluate security, to be sensitive to data, to ask the right questions. Make them an extension of the IT team.
Teach and educate your company about the hidden costs, and the price the company pays for the shadow IT. Tell them about the risk of picking the wrong SaaS. Make them the owners of the software they use.
Educate people and constantly communicate with the employees in order to avoid the ugly aspects of shadow-IT. Share stories and point to critical parts of your system. Give the employees the tools they need to be more productive, work with them together to make the business more productive and pick together the right tools for the job.
Looking to discover and eliminate Shadow IT in your organization? Torii is a full fledged SaaS management platform that will guide you through it.
1:Cisco study 2015 - https://blogs.cisco.com/datacenter/shadow-it-you-cant-manage-what-you-cant-see
2: NTT Communication survey 2016 - http://www.eu.ntt.com/en/Shadow_IT.html