Shadow IT: The Good, the Bad, The Ugly…

Shadow IT is by no means a new concept; to some extent businesses have always had to make room for IT solutions which were not known to or approved by the IT department. In the past this may have been nothing more than a business process using forms created in Excel, or software/hardware purchased “off the shelf” by an employee. I remember a time an employee logged a call to say his backups had stopped working and could I assist him. Considering we did not have a solution for personal backups at the time, I quickly realised this was a case of Shadow IT, with an employee backing up his personal data on his own external hard drive. In recent years, though, Shadow IT has gone “viral”, and there are a number of reasons for this.
The easy availability and reliability of a wide range of cloud-based applications (SaaS) and hyperscalers (PaaS, IaaS) means that any department or division can quickly find a solution for an IT problem, using its own budget, without the need to involve the IT department. Just register your name in an online form, pay with a credit card, and within 15 minutes you can spin up your own environment with half a dozen virtual servers without the need for any IT knowledge.
Particularly in SMEs, it’s not uncommon for IT teams to be under-resourced, and for that reason they are often perceived by other departments as a hindrance or a blocker rather than a help. IT teams often focus primarily on supporting the underlying hardware and infrastructure which supports business applications. This can result in a lack of understanding of the complex needs of the end users, their “less-than-perfect” business processes and their daily frustrations, which in turn leads to employees, departments or divisions looking elsewhere to find their own solutions.
The Good
Shadow IT is here to stay. It would be a mistake to try to simply prevent it. In many ways Shadow IT has enabled SMEs to become more agile, and employees are empowered to control their own destiny. It can also mean a reduction in the burden placed on an already stretched IT team or Service Desk. In effect, support is “outsourced”, reducing their workload.
The Bad
Of course, it does not mean that businesses should declare “open season” on the company credit card (a lot of Shadow IT is freeware, but employees don’t realise it’s only free for personal use and not for business purposes). So how do we allow for Shadow IT without losing control? First of all, it is essential that SMEs adopt a comprehensive Shadow IT Policy. This will provide boundaries and definitions on Licensing and Policy Compliance, Application Security and Network Compatibility. Secondly, the organisation needs to maintain a central Risk Register or SAM (Software Asset Management) which keeps an accurate record of all Shadow IT used in the organisation.
The Ugly
Failure to maintain control of Shadow IT could result in some serious issues, such as a breach of licence terms. Compliance with standards such as ISO 27001 or GDPR could be at risk due to the use of undocumented software or hardware. Both of these could do serious damage to the company’s reputation and result in big fines and loss of revenue. In the long run it will likely have a big impact on the efficiency of the business, as multiple varieties of similar software co-exist rather than being managed by a single solution at a lower cost. Lastly, it’s only a question of time before the IT manager is asked to provide integration between Shadow IT and other back office applications, usually when it’s too late to change. This can be time-consuming and costly, and can present a risk to the stability and scalability of your infrastructure due to a complete lack of planning, Change Control and UAT.
In summary, IT departments need to be ready for Shadow IT. They need to ensure that the business is aware of the risks and that suitable mitigation is in place, backed by strong leadership to ensure policies exist and are enforced. With these controls, Shadow IT can happily co-exist alongside the organisation’s main business processes.
Posted: January 24, 2020