What is Shadow IT? [Three Steps to Take in 2023]

💡Key Takeaways:

• Shadow IT is anytime an employee adds technology without IT's knowledge
• Cloud apps have ushered in a wave of Shadow IT that threatens budgets, security, and efficiency
• IT professionals can take measures like adopting a SaaS Management Platform to automatically discover and collate applications 
• Torii uses multiple sources for Shadow IT discovery, including your IdP, SSO, expense data, direct integrations, and a browser extension - learn more

What makes Shadow IT, Shadow IT? Is it really a threat like we fear or is it time to rethink our approach to the nebulous unknown? 

In this article, we'll answer the top questions about Shadow IT like:  

• What is Shadow IT?
• What is Wrong with Shadow IT?
• What’s an Example of Shadow IT?
• Why Do Employees Use Shadow IT?
• How Common is Shadow IT?
• Can We Eliminate Shadow IT?
• How to Rethink Shadow IT

Finally, we’ll offer Three Steps To Take in 2023 for Shadow IT

Featured Video: What is Shadow IT? [Explainer]

What is Shadow IT?

Shadow IT is when someone uses unsanctioned technology or technology resources within the company. For example, someone uses technology services, systems, devices, hardware, applications, or software without the IT department’s knowledge.

Shadow IT has been around as long as computers have been a part of modern organizations. 

What is Wrong with Shadow IT?

It depends on who you ask! For the IT department and security/compliance teams, Shadow IT can represent a threat to the organization's security. More unsanctioned technology means less control and more exposure to risk from accidents, user errors, and bad actors.

However, for many professionals throughout the rest of the company, Shadow IT is simply the way they work. They experiment and innovate by testing out new technology all the time. As a result, they improve innovation and speed, optimize output, and even automate complex tasks.

What is an example of Shadow IT?

No app or device is automatically Shadow IT. Instead, a technology resource becomes Shadow IT when it is used in the company without IT’s knowledge. This is especially relevant with cloud apps!

Some of the most common examples of Shadow IT are apps you probably use all the time! Applications for:

• File sharing (iCloud, Google Drive, and Dropbox),
• Productivity (Todoist, Trello, Asana, and Monday)
• Scheduling (Calendly, and Sprintful)
• Note-taking (Evernote, Notion, and OneNote)
• Automation (IFTTT, Zapier, and Flow)
• Messaging (WhatsApp, Slack, Teams)
• Even the silly things you don’t think about, like an emoji keyboard extension in your browser or a Pomodoro timer

When outside of IT’s purview, even the most innocuous application is Shadow IT.

Why Do Employees Use Shadow IT?

Employees use Shadow IT because they are busy with a million to-dos and limited hours in the day. Typically when an employee adds a shadow application to its software stack, it’s not out of laziness, malice, or anything else. Instead, they are laser-focused on completing a job and looking for the best tools for that outcome.

How Common is Shadow IT?

Shadow IT is incredibly common. We found that 69% of IT leaders see Shadow IT as a top security concern related to SaaS Adoption. We have also found that most organizations have three to six times as many applications in their SaaS Stack as IT estimates. So it’s broadly known and still underestimated.

Can We Eliminate Shadow IT?

Not easily. Your company already has Shadow IT ingrained in the culture. Department heads test and buy new software all the time without ever consulting IT. Even individual employees are encouraged to test out software all the time.

The influx of Shadow IT is just as much a result of company culture as it is of technology. It has become a reflex, a habit, a default.

However, just because we can’t eliminate Shadow IT doesn’t mean we can ignore it. We still have a responsibility to maintain the SaaS Security of the organization.

So, to summarize:

• Shadow IT occurs anytime an employee adds unsanctioned technology to their company
• It’s exciting and helpful for individual employees but…
• Simultaneously, it’s a risk to the security of the organization
• It typically takes the form of familiar apps that are easy to overlook
• It’s incredibly widespread and underestimated
• We can’t eliminate Shadow IT

The next question then is, what do we do?

How to Rethink Shadow IT

Now that we understand what "Shadow IT" is, we can shift the conversation. Instead of asking how to eliminate Shadow IT, let’s ask what makes Shadow IT a threat.

It’s not the apps themselves that pose a threat; it’s the fact that IT can’t see the application.

IT doesn’t need complete control. They need visibility.

They need to Illuminate the Shadows, not eliminate them.  

Remember, Shadow IT can also represent good and exciting things like:

• Innovation
• Experimentation
• Optimization

We want to keep the good while removing the negatives.

So, interested in illuminating what’s hidden? We’ve got three things you can do today to illuminate the shadows.

Three Steps To Take in 2023

1. Talk About Applications Openly

IT is no longer the gatekeeper; anyone with a corporate email and an internet connection can test software. So let’s open the lines of communication and prioritize education to make employees feel like stakeholders in the effort of security.

Ask department heads how they monitor app adoption, find out if they are tracking apps, and whether they have a method to evaluate success. A simple question like that can cause leaders to reconsider their app implementation.

Part of rethinking Shadow IT is changing how we talk about those applications. Instead of ignoring the shadows, let’s openly acknowledge the reality. Remind employees about the importance of thoughtfulness.

2. Create a Single Source of Truth for Your App Data

A Single Source of Truth is simply a location for information about something. A key to a successful SSOT is the confidence others have in the data.

Your SSOT could be something as simple as a spreadsheet or something more practical like a SaaS Management Platform.

Whatever you implement, make sure that everyone knows exactly where to find it!

By creating an expectation of knowledge combined with a policy of open communication, more and more information will become de-siloed and find its way into that single source of truth.

3. Evaluate a SaaS Management System

I know what you might be thinking. “Open communication and SSOTs can only go so far.”

That’s true. For a problem as widespread and ingrained as unaddressed Shadow IT, eventually, we need a tool tailor-made for this problem.

If that sounds familiar, then this year, evaluate a SaaS Management Platform.

In a recent survey, we found that 75% of IT professionals without SaaS Management intended to evaluate or adopt a SaaS Management tool in the near future. The simple reason? Cloud Applications are too numerous to handle manually.

Here are just a few of the advantages of an Automated SaaS Management Platform like Torii.

• Discover all the Shadow IT apps (Torii automatically detects two to three times more apps than leading competitors)
• An SMP becomes a Single Source of Truth
• Automate deprovisioning of unused licenses (create workflows triggered by inactivity)
• Automate offboarding
• Compare usage data for similar applications

Shadow IT won’t disappear, so how will you handle it?

If you're ready to consider SaaS Management to illuminate the shadows, request a personalized demo of the Torii Platform