Shadow IT has been the cause of concern for CIOs globally, and while the instinct has been to limit it or outright ban it, that line of thinking may actually cause more harm than good.
A decade ago Shadow IT may have referred to external staff hired to provide IT solutions, outside the purview of an organization’s IT department, but today, in a digital world, that definition has expanded to include external IT infrastructure, software, solutions, and services procured and deployed without explicit permission or knowledge of the IT department. And this phenomenon is on the rise. In an age of digital transformation, as technology grows as a core feature impacting business performance, the IT department’s role in choosing technological solutions and services is receding. Gartner predicts that through 2017, 38% of technology purchases will be managed, defined and controlled by business leaders, to suit their individual business unit’s needs.
The growth of Shadow IT can be attributed to a number of factors. We delve into the key factors below:
- The Digital Age - A Gartner report states that by 2020, 85% of a customer’s relationship with an enterprise will be managed without any human interaction. The consumerization of IT, trend of BYOD, IoT, ease of availability and purchase of SaaS buoyed by cloud computing have revolutionized the way we live and work, thereby accelerating the progress of Shadow IT.
- Demand vs Supply – In a competitive business environment, where organizations have to be agile, proactive, and in tune with customer demands in real-time, legacy IT departments are unable to provide the required support in time. A request usually goes through a tedious process of approvals, budgets, etc., which reduces the organization’s competitiveness. Additionally, if an external solution provides higher speed and efficiency than internal IT, in the interest of getting work done quicker and better, employees choose the former.
- Digital Natives – Millennials making up a significant chunk of the workforce are tech savvy and expect to be served by technology in a way that enhances life and work. Working on the go, and being mobile are factors crucial to their productivity. And as more of them take over the workforce, they will dictate the way organizations function, to suit their comfort and convenience. They are favorable to DIY methods and self-help, and often the corporate structure isn’t flexible enough to accommodate their style of working.
- SMAC – Digital Tech such as Artificial Intelligence and Automation is driving business innovation today and this has drastically changed the way organizations operate. The skill-sets required to succeed can no longer be compartmentalized; a blend of business and technical skills is the need of the hour. Unfortunately, corporate departments are still set-up to function in silos; and haven’t reached the level of flexibility and cross-functionality needed to effectively and quickly respond to market changes.
What are the Risks Posed by Shadow IT?
For all the light emanating from Shadow IT, it does have a dark side, and poses serious threats that need to be taken into consideration. Gartner’s report published in 2016 regarding Top 10 Cloud security concerns stated, “by 2020, one third of successful attacks experienced by enterprises will be on their Shadow IT resources.” Additionally, Gartner predicts that by 2018, 20% of companies will be compelled to develop data security governance programs in order to prevent data breaches from public clouds.
The security risks posed by Shadow IT are not lost on CIOs, in fact it’s their foremost reason for objecting to it. A 2015 Vanson Bourne Survey in the U.K. found that 89% of CIOs believe that the unauthorized use of Shadow IT services threaten business security in the long-term.
Even one unsanctioned app or device, no matter how insignificant, has the potential to cause cracks in the security wall. The security risks could be in the form of data theft, malware attacks, rogue data, and compliance issues.
Security issues aside, unauthorized implementation of IT infrastructure can cause interruptions to official projects, and disturb the flow of work. When employees face issues with unsanctioned applications they request support from the IT team, who being unaware of such programs, are unable to provide the desired solution. Further, when the IT department is expected to provide support on off-the-books issues, their time and resources is diverted from official projects into these unexpected problems.
One department experimenting with readily available SaaS solutions might influence others to do the same, leading to serious issues of IT management and governance. The cost implications of Shadow IT are also a matter of concern. If the IT department is unware of money being spent on Shadow IT, then it becomes difficult to accurately analyze its spend, thereby adversely affecting the decisions made based on the flawed analysis.
However, there are ways to mitigate the risks involved with respect to Shadow IT.
What CIOs can do to deal with Shadow IT?
The first step in dealing with Shadow IT is acknowledging its presence. A 2015 Cloud Security Alliance survey of IT executives found that almost 72 % of them were unaware of the number of Shadow IT applications being used in their organization. Only 8 % were able to confidently say that they knew of the extent of Shadow IT in their organization.
Only when you’ve ascertained the scope of Shadow IT in your company, can you take steps to tackle it, and no, we don’t mean clamping down on it. As companies struggle to remain relevant in a rapidly changing world, Shadow IT provides solutions outside of official channels that allow employees to exercise creativity.
A balance needs to be struck between encouraging innovation and avoiding security breaches. It takes people skills and implementation of appropriate technology to reach a middle-ground.
- For starters, the divide between IT and business needs to be narrowed. Building strong relationships with other departments is essential to understanding their needs and seeing matters from their point of view. Other departments should be able to trust IT to advise them when it comes to external solutions. Instead of being the ‘No’ department, being the ‘How can we help with that?’ department would work wonders for intra-organizational harmony.
- An Intel Security survey found that 23% of respondents sourced their own security, without the help of the IT department. Thus, educating non-IT employees can go a long way in preventing grave security breaches. Training programs, workshops, and newsletters, on the importance on following protocols, data theft and malware attacks, the disastrous consequences of such occurrences and related topics should be done regularly. If employees are aware of the implications of using apps and tools unverified and unauthorized by the IT department, such knowledge would serve as a deterrent.
- Identifying the Shadow IT infrastructure and applications in use, and ranking them in order of security threat will help employees to steer clear of dubious tools and solutions. Additionally, continuous monitoring of Shadow IT is essential to prevent security risks that can cause massive financial losses. A robust system of checks and balances must be put in place through Shadow IT Discovery and Data Protection Tools. This will address the data access risks posed by users and administrators.
Shadow IT needn’t be regarded as something ominous lurking in the dark. Once brought into light, it can be beneficial to organizations in more ways than one.
Benefits of Shadow IT
Given a chance, and managed correctly, Shadow IT can be an asset to organizations. It has its merits, as discussed below:
- Productivity – Shadow IT has the potential to enhance employee productivity, because there are scores of applications made for efficiently carrying out specific tasks. And an internal IT department may not be able to maintain that many tools, it would be an undue burden in terms of time and money.
- Support to IT – Most IT departments are burdened with regular work, be it maintenance, upgradation, or problem-solving. Dealing with requests for new and customized applications is an additional load that will only lead to backlog and delay. Outsourcing to an external service provider who is an expert in the specific field could save time, effort, and even cost, thereby taking some pressure off an overworked IT team.
- Empowering Employees – By giving employees the choice to work with tools and apps that provide the best solution, you give them room to grow, produce innovative ideas, and build better products. When not chained to legacy IT infrastructure and systems that do not support agility, employees can flourish, leading to higher job satisfaction, which ultimately impacts the business positively.
- More Agile – Agility is a sought-after feature by organizations today. The 10th annual State of Agile Report states that even though 95% of organizations have converted to agile in a bid to be more innovative, they have not been able to fully reap the benefits. The report mentions the reasons cited by the respondents: ‘company philosophy or culture is at odds with core Agile values’ (46%), ‘lack of experience with Agile methods’ (41%), and ‘lack of management support, lack of support for culture transition, and external pressure to follow waterfall processes’ (40%). These barriers prove that internal departments are still rigid and averse to flexibility. And until these age-old organizational structures and working styles completely evolve to become truly agile, Shadow IT could be the answer.
The Future of Shadow IT
The future of Shadow IT lies in banishing the term Shadow, because at the end of the day it is IT that helps employees do their jobs faster and better. Instead of treating IT as the monopoly of the IT department, it needs to be treated as a resource available to all, especially in the current era of open source innovation. Collaboration spurs creativity, as diverse skills and talents come together.
Once Shadow IT is considered an extension of the IT department, instead of an external entity, organizations can develop ‘Bimodal IT’ capabilities. As per an idea proposed by Gartner in its report ‘Embracing and Creating Value From Shadow IT’, several organizations are going this way. This marriage of two types of IT departments – the traditional IT that provides stability and manages routine operations, and the Agile IT that is adaptive to uncertainties, quick, and future-oriented, is touted as the way forward.
References:
- http://www.gartner.com/it-glossary/shadow
- https://www.corvelle.com/shadow-it-takes-the-pressure-off-the-cio/
- http://www.gartner.com/smarterwithgartner/make-the-best-of-shadow-it/
- http://www.mavenwave.com/fusion-blog/shadow-it-part-1/
- http://www.mavenwave.com/white-papers/shadow-it-part-2-the-coming-digital-productization-wave/
- http://www.mavenwave.com/white-papers/shadow-it-part-3-making-the-digital-transformation/
- https://blogs.cisco.com/cloud/gartner-report-says-shadow-it-will-result-in-13-of-security-breaches
- https://techcrunch.com/2015/09/25/its-time-to-embrace-not-fear-shadow-it/
- https://gsuite.google.com/learn-more/gartner_embracing_and_creating_value_from_shadow_it.html
- http://www.digitalistmag.com/resource-optimization/2016/02/11/2016-state-of-shadow-it-04005674
- http://theitmediagroup.com/for-cios/leadership/255-help-for-cios-in-coming-out-of-the-it-shadows.html
- http://www.gartner.com/smarterwithgartner/dont-let-shadow-it-put-your-business-at-risk/
- http://www.networkworld.com/article/2885758/security0/6-ways-shadow-it-can-actually-help-it.html
- https://www.smallfootprint.com/insights/how-shadow-it-could-actually-help-your-it-department
- http://www.csoonline.com/article/3083775/security/shadow-it-mitigating-security-risks.html
- http://www.cio.com/article/2875803/cio-role/what-gartner-s-bimodal-it-model-means-to-enterprise-cios.html
- https://newsroom.netapp.com/blogs/gartners-take-on-bimodal-it/