Forum Discussion

Shannon O'Donald
Former Employee
Jun 28, 2017

Shadow IT – Productivity Benefit or Massive Security Risk?

Shadow IT, or any unauthorized technology application or system used within a company’s network, is prevalent across companies. But just how prevalent?

 

  • A recent Gartner study found that more than 40% of IT spend is shadow IT.
  • More than 80% of employees admit to using non-approved SaaS applications in their jobs.

 

These data points beg the question: why does shadow IT exist? Is there an unmet technology need? Understanding why shadow IT applications are in use may help in controlling their usage.

 

In some ways, shadow IT can be innovative—employees deploying solutions to help the business. Shadow IT highlights areas where the IT department could provide additional services or applications. If employees are already using them, this may signal productivity gains.

 

In contrast, shadow IT can put an organization’s security at risk. Unauthorized technology means the IT department lacks visibility of the application or system and worse, doesn’t have safeguards in place. These applications can leave a network and the larger enterprise vulnerable to hackers. But is the solution to shut down all shadow IT?

 

As former Yahoo CIO Mike Kail said, “CIOs need to start viewing themselves, and their teams, as ‘business and productivity enablers’ versus ‘application blockers and usage police’.”

 

Working with shadow IT (rather than against) provides employees an opportunity to find productive solutions that meet their needs while still allowing for IT to have visibility and put in the necessary safeguards to protect the greater network.

 

Do you agree? How does your organization handle shadow IT?

1 Reply

  • Cian Allner
    Silver Contributor

    I think you raise some great points, Shannon O'Donald. I think we have come a long way from the traditional approach of blocking everything in IT departments and being gatekeepers.

     

    I think if done right, shadow IT can be seen as an opportunity, as it shows possible gaps or limits that staff feel they have to go elsewhere.   Redirecting this to solutions that the business has invested in and can support is preferred.  If there were Slack users, for example, bringing them onboard with Microsoft Teams would be a natural progression. 

     

    That's not to say willful disregard, especially with data protection, would be acceptable; there have to be some limits. I think there should be some sort of amnesty when an unauthorised service is found to be in use and this can be sanctioned with whatever caveats need to be applied or translated to a service that the business can support. Costs are also a factor: an organisation can purchase services/products at a much better rate than someone who just decides to buy something ad hoc on their company credit card, for example.

     

    I think you also have to look at the commissioning of IT services and everyone being on the same page.  Also, in some cases, staff may just not know what facilities and features are available already before looking elsewhere.
