How to Gain Control Over Shadow Analytics

Are unauthorized analytical tools placing your enterprise at risk? Learn how to detect and remove shadow analytics without disrupting productivity.

John Edwards, Technology Journalist & Author

October 3, 2023


At a Glance

  • Shadow analytics is kind of like doing your own home electrical wiring.
  • Shadow analytics, by its very nature, functions as a kind of black-market technology.
  • Risk and compliance teams can use DLP tools to keep shadow analytics solutions from being shared outside.

Data analytics is a powerful tool that can help users make informed decisions related to trends, new products, customer preferences, sales, and an almost endless number of other topics. A serious problem arises, however, when enterprise team members begin designing and deploying their own, unauthorized, analytics applications.

Shadow analytics is kind of like doing your own home electrical wiring. “You might make [shadow analytics] work, but you risk burning down the building with ungoverned data handling that runs afoul of privacy and risk regulations that could lead to fines and hits to brand reputation,” says Joseph Williams, global partner, cybersecurity at IT management advisory firm Infosys Consulting.

Unauthorized analytical tools can lead to poor, or even business-fatal, decisions. “If you don’t know where the data came from, or you can’t get consensus with stakeholders, the benefit passes you by,” warns Peter Mottram, a managing director in the technology consulting practice of management advisory firm Protiviti. “You could be making the wrong decision without knowing it.”

Client-facing business units, particularly sales and marketing teams, are most likely to turn to shadow analytics. “Their KPIs -- such as time to market and revenue generation -- require a fast turnaround, and they don’t believe that IT will help them build analytics solutions faster,” says Sush Apshankar, a principal consultant with technology research and advisory firm ISG.

Addressing the Threat

Shadow analytics, by its very nature, functions as a kind of black-market technology, often acquiring data through unofficial channels, says Steven Karan, vice president and head of insights and data at business consulting firm Capgemini Canada. “This presents a danger to the organization in which enterprise standards of master data management and governance are disregarded, resulting in transformations of data sets in inaccurate or incorrect ways,” he explains. “This leads to poor analytics being fed to business leaders for decision making.”

Shadow analytics can also expose enterprises to regulatory risks or reputational damage created by circumventing personally identifiable information (PII) data standards, as well as GDPR, HIPAA, CCPA, and other data regulations. “In an extreme scenario, shadow analytics can reveal customer, employee, or proprietary data to bad actors, resulting in significant damage to the brand and exposing the business to unplanned liability,” Karan warns. In regulated industries, fines and enforcement actions related to shadow analytics can significantly impact both the top and bottom lines.

Another problem posed by shadow IT is the likelihood of unoptimized analytic workloads. “Even if multiple departments gather and transform data for analytics the same way, which is often not the case, labor and human capital costs are wasted,” Mottram explains. “Additionally, the cultural shift to becoming an analytics-driven company is severely impacted or becomes impossible to achieve.”

Shadow Detection

To nip shadow analytics in the bud, enterprises should consider deploying monitoring tools that can effectively detect and identify unauthorized access to centralized data. “It’s much harder to detect shadow analytics on data that isn’t managed by IT,” Williams says. “In those cases, you would have to track it down through a review of expenditures.”

Risk and compliance teams can use data loss prevention (DLP) tools to keep shadow analytics solutions from being shared outside the organization. “Within the organization, robust and automated data governance tools can help highlight data breaches or false positives through internal email exchanges,” Apshankar says.

Tactical Response

Apshankar believes that the best way to tackle shadow analytics is by strengthening trust between IT and business units. “Business units should view IT as an enabler, not a blocker,” he says. “IT should also understand the importance of business requirements and not push tech KPIs over revenue generating KPIs.”

To effectively block shadow analytics, enterprises should address the root cause. “There’s one consistent factor that allows shadow teams to proliferate -- a lack of strong partnership between IT data departments and business functions,” Karan says. He notes that a common message he hears from the business leaders is that IT is frequently unable to provide access to the data they need to run operations or make decisions. There’s also sometimes concern that data isn’t available at the speed or frequency business teams require. “From the IT team, I hear that that business is unclear about their requirements, or that business doesn’t know what it wants.” A strong, friendly partnership is the best way to bring both sides together, Karan says.

Final Tip

Despite its bad reputation, shadow analytics should never be completely stopped, Williams says. “It should be managed by making it comply with governance and security requirements while meeting responsible FinOps,” he advises.

About the Author(s)

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
