Shadow IT isn’t new. The concept refers to employees or managers across an organisation making ad-hoc hardware or software purchases without the approval (or even knowledge) of those running IT.
At the turn of the millennium a fifth of overall IT spend was outside the IT department, according to Gartner. But that’s changing.
- More than 80 per cent of employees admitted to using non-approved SaaS applications in their jobs (Intel Security).
- Almost 90 per cent of IT spend will be outside of the corporate IT department by 2020 (Gartner).
- Nearly a quarter (23 per cent) of European office workers have downloaded and paid for cloud services without the IT department’s permission. Italy, Germany and the Netherlands had the highest shadow cloud spenders – 22 per cent of Italian office workers spent more than €5,000, followed by 19 per cent of Dutch workers and 17 per cent of Germans (VMware/Vanson Bourne).
Consumerisation of technology is one of the big factors driving the rise in shadow IT. It’s pretty common for people to now use better technology at home and in their personal life than they do at work. That’s both the hardware – smart phones, tablets and laptops – and the host of mobile apps and cloud-based services we use for almost every task imaginable, from entertainment to fitness and productivity.
That inevitably leads to frustrations. Employees can’t do things as easily at work as they can on their personal devices. In turn this leads to shadow IT – and it’s springing up all around the business.
It could be as simple as someone using Dropbox to enable online file-sharing between a project team. Or it could be a manager in marketing signing up a SaaS-based reporting and analysis tool for a new campaign. And that’s without even mentioning the whole bring your own device phenomenon of employees using their personal smart phones and devices for work.
This all sounds terrible for the IT department, right? Losing control of tech purchasing, opening up potential new risks for the security of company information let loose in the cloud, extra support costs and the rest? When it comes to security, shadow IT apps and services can lead to confidential company information being stored unsecured and unprotected outside corporate IT systems. In turn that could lead to data being inadvertently exposed or, more seriously, compromised by malicious attacks such as data exfiltration.
Those are certainly issues that need to be addressed but IT departments need to get out of any knee-jerk mindset that shadow IT is a bad thing.
Think about what drives employees to ‘go rogue’. They aren’t doing it to spite the IT department. They are doing it because they need to get their jobs done and shadow IT often helps them do that.
This actually provides IT an opportunity to identify where corporate technology isn’t meeting the needs of the business. A shadow IT workaround could provide a better, cheaper and more flexible way of doing things – and something that could be rolled out to other parts of the business – and that should be embraced as long as it doesn’t compromise security and compliance.
Take the CIO of utility company Centrica, speaking at the CIO UK Big Conversation event, who says he’s not bothered about there being tech in the organisation that he’s unaware of. “If I’ve got people who want to go out there and kill their own food, solve their own problems, I won’t stop them,” he said.
Taking too draconian an approach to dealing with shadow IT risks alienating business users and forcing it underground where it’s even harder to detect and manage.
With a more enlightened approach shadow IT can be a source of innovation for an organisation. As Gartner analyst David Cappuccio argues, IT must work together with business partners “but the focus is NOT as a control point but as an enabler of change, with clear understanding on both sides of the aisle of what the potential cascade effects will be on both the business and on IT”.
On a practical level that means striking a balance that enables staff to use the apps and IT they need, with the policies and security controls in place to minimise risk and protect corporate data. With that approach what lies in the shadows becomes less scary and IT is no longer a block to productivity and innovation but a business enabler.