Summary: Shadow IT–a term used to describe unapproved IT systems and solutions used inside organizations–is growing rapidly. Learn a few common misconceptions surrounding the topic, why it’s so hard to control, and what your company should be doing about it.
A hotly debated topic, “Shadow IT” is a term used to describe unapproved IT systems and solutions used inside organizations. According to this study, over 80% of employees admit to practicing Shadow IT in their job.
Why is this such an issue? First and foremost, it takes company data outside of IT’s control. If employees (or entire departments) purchase and use third-party solutions, IT has no way of managing and securing that data.
Imagine the problems caused by widespread Shadow IT adoption.
The problem is, solving Shadow IT isn’t cut and dried. Why? One reason: It’s hard to identify. You can’t solve a problem if you don’t know you have one. After all, employees won’t tell the IT department that they’re operating behind their backs.
Another reason: It’s surrounded with misconceptions. It’s hard to solve a problem that you don’t quite understand (or understand incorrectly). In this article, let’s focus on some of those areas. Here are 6 of the most common misconceptions surrounding Shadow IT.
1. Shadow IT is just an end user problem
We hear about Shadow IT in terms of business departments and employees. An employee may use an outside cloud solution without IT’s knowledge. Or, entire departments may adopt third-party software products behind IT’s back.
But, did you realize that Shadow IT isn’t just an end user problem? According to the same study mentioned above, IT departments are even more likely than business users to engage in Shadow IT.
For executives trying to control Shadow IT, this adds an extra layer of complexity to the problem. Addressing Shadow IT doesn’t stop with end users and business departments. It extends to the very employees in charge of securing your data.
2. Shadow IT exists because IT Departments don’t want to give up control
A common misconception among business users is that IT opposes outside software/services because it lessens their control. In reality, IT departments oppose it because it creates security risks. After all, managing corporate data is their job. How can they manage that data if they don’t know where it is?
“Many users don’t realize the importance of keeping IT in the loop,” says Tom Scearce, senior product marketing manager at Attachmate. “It’s the IT department’s job to track sensitive information that goes in and out of an organization and when people collaborate through a mix of email, FTP and third-party SaaS platforms it creates a messy file system that the organization’s IT experts can’t keep track of and exposes vital corporate information assets to a wide range of threats. If IT isn’t in the loop, it’s a problem.”
3. Cloud services are secure enough for enterprise use
Some business users adopt cloud services behind IT’s back, assuming they are secure. But, as we’re learning with every new security breach, proper security practices aren’t always followed. Business departments can’t assume that any third-party service includes the security measures required by the company.
“Cloud-based services like Dropbox have become incredibly popular among business users because they’re easy to use and convenient, but users don’t realize that these services do very little to manage the risks inherent to file sharing in a business context,” says Scearce. “A common misconception is that cloud-based services are secure enough for enterprise use but groups, both legitimate and otherwise, have poked holes through the encryption of various cloud apps, showing that they lack proper encryption to prevent data breaches. This is incredibly important because it leaves organizations vulnerable to security breaches.”
4. Shadow IT control = Controlling devices and software purchases
Too often, we focus on the symptom rather than the root of the problem. Shadow IT is no different. Businesses see employees using their own devices and purchasing third-party tools, and assume that’s the problem.
Rather, they must address the root cause of that problem–understand WHY employees are doing that in the first place. To truly control Shadow IT, you must move beyond the misconception that it revolves around device and software purchasing control.
“Many organizations focus on devices and not users to address Shadow IT,” says Matt Bingham, Director of Product Management at LANDESK. “The reality is, if organizations focus on managing devices, they neglect to address the root of the issues around Shadow IT, which is the productivity needs of their workers.”
5. Shadow IT is always a bad thing
This is one of the most dangerous misconceptions: many businesses approach Shadow IT like any other problem. They look for ways to stop it. Why is this so dangerous? As explained below, Shadow IT holds great potential for businesses. Approaching it as a problem keeps your organization from potential rewards.
“One of the biggest misconceptions surrounding ‘Shadow IT’ is that it is inherently negative,” says Fred Kirwin, Business System Analyst at Eliassen Group. “I don’t feel that’s the case. Shadow IT becomes a positive when the enterprise experiments with systems that may not be approved by the IT department because of a lack of experience or organizational politics. Piloting ‘unsanctioned’ technology, to cite one example, can help to serve as prototypes for larger projects. ‘Shadow IT’ can also be deemed a positive for an organization when it expedites the delivery of a solution to a problem within the business. A great example of this is within the realm of BYOD. Say your organization did not have in place the necessary mechanisms to use a specific device that your sales team needs to perform its duties. What happens? They adopt the technology on their own, which in turn, pulls the organization along with them. In such a scenario everybody wins.”
He makes an excellent point. Shadow IT isn’t a problem to be stopped. When properly controlled, it becomes an opportunity for your business, and can boost overall productivity.
“At the end of the day, employees are hired, fired and compensated based on their ability to do their jobs,” explains Kirwin. “The IT department may not have the expertise, time, budget or willpower to meet everyone’s needs all of the time within the time-frame that they need it. Shadow IT may increase productivity and help the business.”
6. There is a one-size-fits-all solution
When approached as a problem, businesses seek a solution. The only problem: There is no one-size-fits-all solution for Shadow IT. Every business is different. Security needs are different. Users are different. How you approach Shadow IT may differ from how the company down the street approaches it.
“Too many departments use a one-size-fits-all approach,” says Bingham. “The reality is that each organization is different – some have high security, some are more balanced and some have a completely open environment. To be effective, organizations need to customize their approach to their IT policy and how they will handle Shadow IT.”
If there’s no single solution to Shadow IT, what should you do? My advice: Don’t try to stop it. After all, that’s one big reason Shadow IT occurs in the first place. Users feel they can’t get the solutions they need from their IT department, so they seek outside options.
Instead of control, work on securely channeling Shadow IT. Understand what solutions your users need, and securely implement those solutions. Give them a way to accomplish their goals, while giving your IT department control over data and user access. While there’s no single solution for every company, that approach will help you turn Shadow IT from a negative into a positive.
So, what do you think? Is there anything you would add to this list? If so, please share your thoughts in the comments.