What IT Leaders Can Learn From Shadow IT

Shadow IT, particularly the use of unauthorized business applications, is generally not a good thing. While shadow IT can sometimes lead to productivity gains, it also exposes enterprises to potential security risks, compliance issues, and financial liabilities. 

For years, CIOs have dealt with shadow IT, says Jay Upchurch, executive vice president and CIO at analytics, artificial intelligence, and data management software and services firm SAS, via email. "Once these rogue solutions are in place inside an organization, they typically capture IT's attention for one of two reasons: because they’re successful and might be valuable throughout the organization, or because they pose a security risk to the organization and its customers." 

Shadow IT typically emerges when existing enterprise tools aren't meeting user needs. "Understanding what compels users to seek alternatives offers an insight into possible gaps or development opportunities," says Jeff Orr, director of research, digital technology at ISG’s Ventana Research division, in an email interview. "Some would say that IT has been the department of 'no,' where any request is ignored or denied," he adds. "To conduct their work, enterprise users have been resourceful, finding their own software tools to accomplish tasks." 

Related:No, Shadow IT Isn't Going Anywhere: What CISOs Must Do Now

Despite its shady reputation, shadow IT is frequently more in tune with day-to-day business needs than many existing enterprise-deployed solutions, observes Jason Stockinger, a cyber leader at Royal Caribbean Group, where he's responsible for shoreside and shipboard cyber security. "When shadow IT surfaces, organization technology leaders should work with business leaders to ensure alignment with goals and deadlines," he advises via email. 

Detection Tools 

To successfully address the shadow IT challenge, it's necessary to find and identify its existence. Cloud Access Security Brokers (CASB), Secure Web Gateways (SWG), and Data Loss Prevention (DLP) capabilities are essential tools for organizations looking to detect shadow IT usage. "These technologies provide necessary visibility into the accessed applications and help organizations control the risk of sensitive data being unintentionally shared by employees," says Rodman Ramezanian, global cloud threat lead at cloud security software provider Skyhigh Security. "DLP policies, for example, can block sensitive data from being posted, or prevent the copy and paste of sensitive content," he notes in an email interview. "Additionally, these tools can automatically disable and delete the conversation history within AI applications -- a rising concern for organizations -- so corporate data cannot be used to train the system." 

Related:Inside the 'Secure By Design' Revolution

Addressing the Challenge 

Once a shadow application has been detected, Upchurch recommends working with department leaders to help them understand gravity of the situation. "Show them why it's to their advantage to move their IT responsibilities to you and the IT team." Doing so ensures that CIOs don’t inadvertently stifle the curiosity of well-meaning employees. "It also helps demonstrate a commitment to being a partner, not a barrier, to new ways of doing things to enhance productivity." 

Orr advises creating a process for new tools to be considered and evaluated. "Many of the situations that arise with shadow IT tools can be avoided if the organization has the means to recommend tools that are officially adopted," he explains. Promoting education and awareness about the risks of shadow IT tools, along with creating low-friction processes to introduce new tools into the mix, will show IT's willingness to address the needs of enterprise business teams. 

In some instances, it makes sense to pull a widely used rogue application out of the shadow and into the IT mainstream. "When considering the adoption of useful shadow IT tools, IT will assess compliance with the enterprise’s security and privacy policies," Orr says. As with any application, issues identified during the assessment will need to be addressed. 

Related:How IT leaders Can (Cautiously) Utilize AI to Improve Developer Experience

When assessing a shadow IT tool's potential value, it's crucial to evaluate how it might be successfully integrated into the official enterprise IT ecosystem. "This integration must prioritize the organization's ability to safely adopt and incorporate the tool without exposing itself to various risks, including those related to users, data, business, cyber, and legal compliance," Ramezanian says. "Balancing innovation with risk management is paramount for organizations to harness productivity opportunities while safeguarding their interests." 

IT leaders might also consider turning to their vendors for support. "Current software provider licensing may afford the opportunity to add similar functionality to official tools," Orr says. 

Parting Thoughts 

Rewarding shadow IT developers for their ingenuity in creating useful tools presents a nuanced challenge, Ramezanian says. "While [their] tools may address specific needs and boost efficiency, unchecked proliferation of shadow IT poses significant risks in terms of security, compliance, and integration." 

Stockinger says he generally dislikes the term shadow IT. "The reason traditional IT folks even developed this terminology is based on bias and inflexibility," he explains. "If IT leaders were more focused on delivering value and less focused on organizational structure, perhaps business [users] would not have been forced to find another way to deliver products and services to generate revenue."