Many IT organizations empower end users with self-service tools that enable them to create reports, analytics dashboards and even software applications. Whether users utilize or circumvent those tools depends on relationships between lines of business and IT and whether end users think they can find a better solution elsewhere.
SaaS vendors have discovered veritable gold mines selling directly to departments. Their marketing materials lure targets with promises of easy onboarding, ease of use and no IT required. However, IT often inherits the burdens of making things work and reducing risks to the enterprise.
While it's probably not possible to eliminate shadow IT completely, some organizations are attempting to minimize its effects by empowering lines of business (LOB) with self-service tools.
What fuels shadow IT
Shadow IT has always been driven by two factors: impatience and a desire to be freed from the shackles of IT-sanctioned technology. Organizations have been trying to strike a balance between business unit effectiveness and enterprise risk management, which is reflected in several trends, including department-specific IT budgets and the partial decentralization of IT. Large organizations with formidable IT staffs may have a hub-and-spoke IT model in which a smaller central IT function or a center of excellence is complemented by department-specific IT resources. Smaller organizations have fewer IT resources, so it's difficult for them to achieve the same model.
“We run into businesses all the time [where] marketing departments have hired a consulting firm or a design agency to deploy a mobile app that's running in the cloud, which is attached to somebody's credit card,” said Justin Rodenbostel, VP of delivery at digital transformation agency SPR. “That might work if you're a small business or your team has the knowledge to support that, but what happens when you grow out of it or the person whose credit card is paying the bill leaves the company, or the team changes, or the company you work for gets acquired and assets like this are left out of the due diligence?”
Lines of business (and particularly business users) are not inclined to ponder the what-if scenarios that come naturally to seasoned IT professionals. Shadow IT tends to be driven by an immediate need, and chances are a solution is available as a cloud service right now. Gartner Senior Director Analyst Brian Lowens underscored the associated risks in a Gartner blog post:
“Most organizations grossly underestimate the number of shadow IT applications already in use. A data breach resulting from any individual BUIT [business unit] purchase will result in financial liabilities affecting the organization’s bottom line. Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyberinsurance.”
How to minimize the risks of shadow IT
In 2017 Gartner estimated that shadow IT would account for 38% of all technology purchases. The reality is the IT group can’t stop shadow IT, but it can minimize its negative effects by collaborating with the business (including providing self-service tools) and using shadow IT discovery tools.
The 2019 Oracle/KPMG Cloud Report shows much higher levels of shadow IT. In that study, 93% of respondent organizations said they were dealing with the issue. Half cited a lack of security controls and misconfigurations as common reasons for fraud and data exposures. Twenty-six percent said the unauthorized use of cloud services is the biggest cybersecurity challenge they face.
SPR’s Rodenbostel said regulated companies can run into “big problems” with low-code/no-code citizen development when requirements exceed the capabilities of the tool. Though many such tools provide access to a command line, they don’t provide mechanisms for side-stepping complex IT-related issues such as external dependencies.
It’s important to point out there's an entire spectrum of low-code/no-code tools aimed at different audiences. Some are targeted at professional developers, while others are targeted at web developers or citizen developers. The latter group tends to use “no-code” tools because the mechanics of writing code have been abstracted into visual drag-and-drop tools.
Fintech company NES Financial standardized on Outsystems, an enterprise-class low-code platform, because NES Financial voluntarily complies with Systems and Organizational Controls reporting (SOC 1), the Bank Secrecy Act (BSA), United States Citizenship and Immigration Service (USCIS) and Securities Exchange Commission (SEC) regulations.
"Building systems and controlling data is an art in itself. You have to be aware of new regulations, requirements, and constraints, which is a full-time job," said Izak Joubert, CTO at NES Financial. "I think the ability for a marketing organization to implement something as a shadow IT organization is great conceptually, but it has massive risks for an organization if you look at it from a bigger perspective."
Joubert is quick to make a distinction about what he considers shadow IT: When lines of businesses are procuring their own IT without IT's involvement, that is shadow IT; when departments have a dedicated IT staff that helps implement solutions, that is not shadow IT.
To balance departmental desires with an enterprise's need for controls, NES Financial's core engineering team maintains control of enterprise data and provides an API layer that departmental applications can call.
"The typical way a business user thinks [is] corporate security and enforcement of policy is not my problem so I should be free to do whatever I want. But very few understand the consequences of their actions. That's the conundrum," said Joubert. "If they deviate off the path, it's our responsibility from a core IT perspective to at least try to limit how far they can deviate from the path because at some point, somebody is going to do something stupid that causes harm to the organization."
While there’s no sure-fire way to eliminate shadow IT, there are better and worse ways to approach self-service. The best way is to figure out what the business wants in the first place and find a way to facilitate that while protecting core enterprise assets.
"I think the biggest contributor [to shadow IT] is the attitude of senior executives," said Joubert. "Are they control freaks? Are they island builders? Are there a lot of politics in the organization? The more collaboration, the less need there is for shadow IT."