Shadow IT is a controversial subject, and any discussion must first define what it actually is before we can talk about its impact. If by Shadow IT we mean the reckless use of employee devices, the blithe by-passing of security systems, the wanton downloading of unapproved cloud applications – in short, the subversion of an organisation’s every effort to protect its data and systems, then certainly, we are against it.
But if we take Shadow IT to mean the sensible use of technology to achieve greater efficiency, to access better tools and software, and to give employees access to the systems that help them do their job better, then of course, we are for it.
It is a polarising debate. Some, like David Rosewell, head of strategy at Fujitsu, claim that a ban on Shadow IT is “not only pointless, it’s a ban on innovation”; others, like Gartner’s Brian Lowans, warn that unsanctioned cloud services heighten the risk of data breaches and significant financial liabilities.
Who is right?
A weapon for good or evil?
Business leaders could be forgiven for thinking that Shadow IT is an unmitigated evil. Headlines such as “Business Leaders Must Wake Up to the Risk of Shadow IT” and “Shadow cloud apps pose unseen risks” are unambiguous in their opinion.
No-one doubts that Shadow IT is a powerful weapon; but like a firearm, its danger depends on who wields it, under what circumstances, and under whose supervision. Its power is what brings risk, as well as enormous potential benefits.
No-one can deny that, used incorrectly and without the oversight of the IT department, Shadow IT raises significant security and compliance challenges. When employees download and use a variety of cloud services, it naturally raises concerns over everything from data protection and GDPR compliance to unsecured devices and corporate security policies.
On the other hand, we need to acknowledge why employees feel the urge to escape the strictures of corporate IT policy. The main reason is that they want the freedom to embrace devices, applications and cloud platforms that actually work for them. It is the old “design v. user experience” debate: however much IT departments try to force users to walk along the approved pathway, users will take the shortcuts that make life easier.
Let’s talk about Shadow IT
Whether they like it or not, Shadow IT is here to stay. According to Intel, three quarters of businesses say that they use some form of Shadow IT. In fact, the researchers said that enterprises can expect upwards of 35% of all SaaS apps in their organisation to be purchased without oversight. Unfortunately, the positions on each side of this debate are so often and so deeply entrenched that it seems we’ll never resolve them. What we so badly need is some nuance, some understanding – and above all, communication.
Shadow IT is neither good nor evil: the far more important question is whether an organisation can create a culture that balances employees’ needs with the company’s own security policies. This requires both sides to make concessions – within certain “red lines”, however.
Organisations must approach the challenge by first understanding what their business needs from IT, and then actively aligning their policies so that they embrace – and effectively control – those technologies.
Not “shadow” but “safe”
In discussions of Shadow IT, employees are often treated like children with a box of matches: in other words, as a serious risk to everyone’s safety and security. If we accept this analogy, then what is the correct course of action – to deprive them of the matches, or to educate them about the potential danger and ensure, through supervision and education, that they learn to use them sensibly?
This, broadly, is how organisations should approach the challenge of Shadow IT – not least because organisations’ exposure is much greater than they believe. The average CIO believes that his or her business uses between 30 and 40 cloud apps, but Symantec estimates the true figure is well over a thousand. The only realistic approach is therefore not to allow employee-led technology to multiply in the shadows, but to make it safe.
This is fundamentally a question of good governance. Shadow IT should simply fit into any well-aligned governance structure. As digital transformation accelerates and the line between business and IT continues to narrow, organisations need to become far better at understanding how IT can enable the business, and discuss the issue with employees to make sure IT really is delivering on its promise.
If organisations establish robust governance, then employees and the IT department can have a grown-up conversation about how to balance each other’s needs – for agility and collaboration on the one hand, and security on the other.
So, let us look beyond what we mean by “Shadow IT”, and instead focus our energy on creating working environments that employ the best tools, deployed and used in the safest, most secure way.