Shadow IT & How To Manage It Today

In the business world, shadow IT is a controversial topic. Gartner defines Shadow IT as any IT devices, software and services that are used outside or beyond the ownership or control of IT departments/ organizations. This includes:

• Hardware, especially personal computing devices like smartphones and laptops
• Cloud services such as online tools and AI
• Alternative applications

In a standard work environment, the IT department would be responsible for providing whatever IT solutions and work tools were needed across all business functions. But as workplace technology and culture have evolved, the desire for alternatives beyond what IT provides in order to do things better or differently has continued to rise.

This invariably has led to corporate users seeking solutions outside IT’s realm, which…can be a problem: though this may provide an immediate answer to a user’s needs, it goes against governance, which can lead to security and cost risks.

This difference in perspective between user preferences and governance of IT has persisted over time:

• Is IT a gatekeeper, not wanting people to use what they deem the best tools out there for a specific work challenge?
• Are people too naive about the security threats or penalties for license violations when they acquire solutions outside IT’s guardrails?

Both sides consider their opinions valid, and maintain a sort of hardline stance on agreeing to the other’s perspectives on shadow IT. So who’s right or wrong? And is there a middle ground?

In this article we will identify drivers of shadow IT, and solutions for organizations to deal with Shadow IT from both pro- and anti- perspectives.

Drivers of Shadow IT

When looking at Shadow IT from the business user’s perspective, it is evident that their need for alternate IT devices and systems is driven by the need for effectiveness, efficiency or just preference. For purposes of contextualization, let’s consider three examples:

• Dakota built his own custom gaming rig and has the option to work remotely. His personal machine can handle his coding work much better than the company-issued laptop.
• Jay has worked with Macs all her life. But her current employer issues Windows devices, which she struggles with as they disrupt her natural rhythm.
• Shola, an adherent of open source LLMs, wonders why the cybersecurity team makes such a big deal out of her actions to feed them company data to do a quick analysis on CRM data.

While each may see their rationale as valid, IT may oppose this position through the enterprise-wide governance posture that favors security, stability and standardization. For example, IT may be constrained by issues such as license costs, compatibility issues in integration with enterprise systems, or lack of visibility on data access by third parties.

Shadow IT increases risks for organizations by further expanding the network’s attack surface.

Respondents from a 2023 survey from Capterra identified the following causes of shadow IT:

• Lack of understanding/awareness of the correct process for getting new software or hardware.
• A perception that going through the IT department is too slow and/or cumbersome.
• An incubator team is created with a senior manager’s approval — but outside of IT’s awareness.
• IT doesn’t respond quickly enough to the request for new software or hardware.

Where innovation and agility are part of a team’s prevailing culture, then researching, testing and changing multiple different IT systems to solve a challenge is a regular occurrence. But this flies in the face of IT providers who must comply with governance frameworks that inform the management of potential risks that arise from unregulated hardware, software or cloud solutions that may result in cyberattacks, loss of intellectual property or breach of customer privacy.

The case of the IT department being perceived as a stumbling block could be attributed to bureaucratic service request management process that is entrenched with multiple layers of approvals, fixed budgets and unyielding security controls.

Managing Shadow IT: A governance perspective

Addressing the shadow IT conundrum has to start from the enterprise governance position. According to ITIL^® 4, governance doesn’t exist in a vacuum — it must be informed by the mission and strategy. It must also consider external factors such as:

• Regulations
• Industry standards
• Legislation

Policies and guidelines are a common type of direction mechanisms that governance wields for managing shadow IT. Depending on the position held, the policies will inform a position that leads to desirable results or limits undesirable ones.

Another mechanism for governance is controls related to risk management. Informed by standards such as ISO 31000, the key objective is to identify and manage risks that could result in negative effects related to shadow IT through appropriate safeguards. Governance from a leadership angle can also influence culture, by determining and championing the right behaviors expected from staff and contractors who use the organization’s IT systems.

(Understand GRC: governance, risk & compliance.)

The anti-shadow IT position

For an organization that takes an anti-shadow IT position, a defined policy on acceptable IT usage or shadow IT will:

• Spell out in no uncertain terms that alternative IT solutions are not permitted unless approved by the relevant business and IT leadership.
• Tell how IT can institute necessary technology controls to limit access to enterprise information and systems via shadow IT.
• Define the consequences of using shadow-IT including disciplinary processes and financial penalties.

The negative effects of potential risks arising from Shadow-IT would be regularly communicated as part of cybersecurity awareness such as GDPR penalties from private data breaches. Also, the organization’s leadership would be at the forefront of demonstrating behaviors that are compliant to anti-shadow IT policies such as turning down any requests for consideration or using their own preferred personal devices.

The pro-shadow IT position

On the other hand, organizations that take a pro-shadow IT posture would define guidelines that inform how alternative IT solutions can be introduced into the organization.

A BYOD (Bring Your Own Device) policy would provide directives for how employees can use their preferred digital devices for corporate use, including security measures and compliance requirements. For instance, an employee can freely communicate their desired alternate solutions without fear of punitive measures. They would need to avail access to their preferred personal device so that IT can configure the relevant controls required to secure the enterprise’s data. Team or functional budgets may receive an allocation for shadow IT that is acquired as part of innovation or project needs.

A streamlined process for fast-tracking shadow IT into the mainstream IT service catalogue would also be spelled out, which includes a rapid risk assessment for any suggested IT solution that is not part of the existing portfolio.

Finally, executives would champion the right culture by encouraging and rewarding teams that research, test and implement alternate solutions that lead to significant business value in terms of:

• Revenue growth
• Cost savings
• Customer satisfaction
• Operational excellence

Managing Shadow IT: A technology perspective

Whether an organization is pro- or anti-shadow IT, managing alternate solutions requires the right technology that will facilitate effective onboarding of such solutions or put barriers to limit their entry into the IT environment.

Such technology interventions must be informed by policy — otherwise, they would lack merit in as far as compliance is concerned. In addition, they must be directly linked to the associated risks that have been identified and analyzed, so that their effectiveness as a control mechanism can be evaluated and improved.

Examples of anti-shadow IT technology solutions

• IT configuration management software that automatically discovers and flags any installed software or hardware that isn’t allowlisted. The solution may also discover jailbroken versions of enterprise software that have been installed in organizational devices, or personal devices running jailbroken operating systems or apps.
• Cloud access security broker (CASB) solutions that monitor the lifecycle of SaaS solutions within the organization including purchases, licensing and usage. These tools come with built-in capabilities for policy enforcement limiting improper or unauthorized activity, as well as data loss prevention.
• Endpoint detection and response solutions that use machine learning capability to detect suspicious activity from shadow IT and coordinate appropriate response including locking access to unauthorized devices.
• User access management tools that limit end-user local admin access rights or restrict privilege account access only to specified numbers and users.
• Zero-trust network access solutions that limit access to enterprise data and systems to only approved devices and applications.

Examples of pro-shadow IT solutions

• BYOD MDM (Mobile Device Management) solutions that would provision a work container within the employee’s own device that segregates workplace apps and data, and that can be remotely wiped when the employee exits the organization.
• Enterprise sandbox environments that allow users and IT to test out shadow-IT in a manner that limits exposure to negative impacts such as intrusions or data loss.
• Virtual desktop environments that are independent of the user device, and do not transfer any data to the user’s device.

Final thoughts: Shadow IT will continue lurking

As generations move through the workplace, it’s obvious that shadow IT will persist as a contentious issue. Users like Dakota, Jay and Shola will insist that their motivation to deliver their work with excellence has to be supported with the latest and greatest in technology solutions. In contrast, threats from cyberattacks and penalties from illegal software or privacy breaches will continue to prevail.

To keep pace with the accelerating changes brought about by the digital world, organizations and IT functions must increase the velocity and efficiency of their business processes. This means that IT must take a collaborative approach when working with business users to ensure they are:

• Better facilitated to get the tools and solutions that address business challenges.
• Being informed about risks and vulnerabilities associated with alternative IT solutions outside the current domain.

Governance must appreciate and support agility and innovation in providing direction that facilitates access to the latest and greatest in technology, but tempered with the right levels of controls to protect the organizations from the harmful effects associated with shadow IT.