How to deal with “Shadow IT”

Summary: Shadow IT, a term used to describe unapproved IT systems and solutions used inside organizations, is growing rapidly. Why is it such a problem? When left unchecked, “Shadow IT” can hurt your business in three important ways. In this article, you’ll learn how it can harm your company, along with five steps to address the issue.

photo credit: PublicDomainPictures via pixabay cc

It’s a growing problem. “Shadow IT” is now practiced in the majority of companies–often without the IT department’s knowledge.

What is “Shadow IT?” It’s a term used to describe unapproved IT systems and solutions used inside organizations.

Why is it a problem? It takes company data outside of the IT department’s control. If employees (or entire departments) purchase and use third-party solutions, IT has no way of inventorying, monitoring, or securing that data, and no way of removing access when people leave. This often puts sensitive data at risk.

For instance, the IT department may have rejected a specific cloud solution because it fails the company’s security requirements. But, what happens when an employee starts using that cloud solution without IT’s knowledge? They place company data at risk, and nobody in IT knows it is there.

Another problem: “Shadow IT” wastes money. When employees license software without communicating with the rest of the business, there’s bound to be overlap. Different departments might purchase the same software, or license software that the company has already licensed.

Yet another problem with “Shadow IT”: It harms data visibility. IT departments already struggle to integrate multiple business systems and provide users with a clear view of their data. Now, imagine what happens when every department uses a different piece of software–unbeknownst to the IT department. Data visibility is nearly impossible.

So, we know why “Shadow IT” is a problem. But, what can you do about it? How can you deal with “Shadow IT” in your organization? Here are 5 steps you can take to address this issue:

1. Understand the extent of the problem

“Like many problems, you first need to acknowledge it, get an understanding of how widespread it is and then find pragmatic ways of adapting to the situation,” says Nic Grange, CTO at Retriever Communications. “The aim is to bring these out of the shadows, which doesn’t necessarily mean IT needs to be in full control or managing it but at least they are aware of it and part of the conversation.”

The first step to fixing any issue: Acknowledge you have a problem. The difficulty is that understanding your Shadow IT problem isn’t easy, because by definition it happens outside IT’s view.

How widespread is it? A recent study found that 61% of business units use Shadow IT. Another study found that only 8% of companies can track it.

So, how can you even know whether or not you have a Shadow IT problem? How can you know how widespread the problem is? As explained below, start with a survey of your employees.

“Start with an inventory survey of employees to find out what they’ve been using,” says J. Colin Petersen, President & CEO at J – I.T. Outsource. “Reassure them that they are not in trouble. Let them know that it’s important for saving money and securing the network. Also let them make the case for keeping some services, but just making sure the company retains ownership and the ability to access and monitor it.”

2. Figure out why it’s happening

photo credit: Helga Weber via photopin cc

Many businesses make it through the first step (acknowledging the problem) just fine, but fail at this step. Once they understand that users are bypassing the IT department, it’s treated as an “Us vs. Them” problem. The users are putting data at risk and must be stopped!

While a legitimate concern, this approach won’t solve your problem.

If you want to manage Shadow IT, you must first understand why users feel the need to bypass IT in the first place. Is IT moving too slow? Do they not have access to the right applications or data? This is an essential step, and as explained below, one that cannot be addressed with scare tactics.

“Often CIOs react to Shadow IT with a focus on eliminating it and bringing the work into the IT Department,” says John Picciotto, Senior Principal at Accenture. “In doing this they fail to diagnose and address the cause of Information Technology work being performed outside of the IT function. Scare tactics and corporate edicts will fail when juxtaposed with perceived rapid deployment, quick paybacks and greater control. What CIOs must do is understand what is driving their counterparts to authorize these shadow projects. Is the underlying issue that IT is unable to deliver services in alignment with business expectations? Does the corporate culture reward these types of projects? Are the leaders just looking to avoid the aggravation of dealing with the corporate bureaucracy? To address Shadow IT the CIO has to seek to understand the why of Shadow IT, and this starts with an open and honest conversation with their customers about why they are using other “suppliers”. Sometimes the right answer is not to remove Shadow IT, but to provide the support necessary to enable the business to achieve their goals, even if this means working with your IT competitors in the business.”

3. Provide proper education

photo credit: jarmoluk via pixabay cc

Chances are, employees aren’t behaving maliciously when they go behind the IT department’s back and obtain third party solutions. They’re simply trying to solve a problem. They might not realize that their actions can compromise company data.

Rather than outlaw the use of outside technology, explain the risks involved. Provide the users with proper education. Make sure they understand the reasons behind the decisions.

“Do employees know why they should avoid shadow IT?” asks Roger Smith, Consultant at R & I ICT Consulting Services. “Often they don’t understand the risks, or they believe that cybercrime couldn’t possibly happen to their company. Organisations must make the investment in education so that their employees know why their company has the restrictions that it does, and why they shouldn’t trust business information to that unsecured network or chat interface. If companies provide employees with the IT they need, and the information to use it correctly, they won’t have to fear a shadow IT disaster.”

4. Adjust IT’s approach

In the past, the IT department performed the duties of a technology “gatekeeper.” They controlled technology because it was scarce, and hard for business users to obtain and use.

Unfortunately, this created what many describe as a “culture of no” among IT departments. These IT departments were more likely to deny user requests than attempt to help solve their problems.

Those days are gone. IT departments aren’t the only ones with access to technology, but many still behave as though they are. In today’s world of easily accessible technology, IT departments must change their approach. Rather than trying to keep all outside technology out of the business, focus on helping employees address their needs in a secure manner.

“If businesses are using tools they want and find effective, this will increase the effectiveness of these teams,” says Jon Mittelhauser, CEO of CloudBolt. “From IT’s point of view, it is an opportunity to play a more advisory (rather than dictatorial) role in choosing applications and technologies and also an opportunity to up-level IT to a more strategic player – helping to solve fundamental IT issues like security, networking, public vs. private cloud – versus the day to day support of business level apps.”

5. Implement controlled, self-service options

photo credit: OpenClips via pixabay cc

On the other side of the coin, many will argue that the IT department has no choice but to act as the “technology gatekeeper.” Giving users the freedom to choose and manage their own technology only sets the company up for a data breach.

Besides, most IT departments are already overworked. How can they manage their day-to-day activities, while monitoring software usage on a per-user (or per-department) level? As explained below, the answer lies in data control.

“A strategy the Roman empire successfully adopted was porous borders,” explains Steve Songaila, Development Director at Twin Systems. “Effectively allowing free movement of people but monitoring this movement. The people in our case could be described as data. Therefore the central strategy of the CIO should be to ensure data is available where required but access is secure and traceable.”

The big question: How can IT departments control the data, while giving their users access to the tools and software they need? I’ve seen this problem addressed in a couple of ways:

The “approved software” list
This method involves giving users access to tools approved by the IT department, and treating anything outside that list as something to discover and review rather than ignore. Of course, this is only possible through clear communication between the IT department and the users. The IT department must understand the business user’s needs, provide access to the necessary tools, and keep the list short enough that people actually use it instead of routing around it.
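The survey in step 1 tells you what people admit to using; an approved-software list only works if you can also see what is actually in use. The script below is an added example, not code from the original article or from any of the people quoted in it. It reads constructed web-proxy log lines, maps destination hosts to SaaS services with a small hypothetical lookup table, and reports every service that is in use but not on the approved list, broken down by department and user. The log format, the domain table, the department field and the approved list are all assumptions for illustration; a real deployment would feed it proxy, DNS or CASB exports and a maintained service catalogue.

```python
"""Find SaaS use that is not on the approved-software list.

Added example, not part of the original article.  The proxy-log format,
the host-to-service table, the department field and the approved list
below are constructed assumptions chosen to illustrate the technique.
"""
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <user> <department> <method> <url> <status>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice marketing GET https://app.hubspot.com/contacts 200
2024-03-04T09:13:44Z bob finance POST https://www.dropbox.com/upload 200
2024-03-04T09:15:02Z carol engineering GET https://github.com/org/repo 200
2024-03-04T09:16:30Z dave finance GET https://docs.google.com/spreadsheets/d/1 200
2024-03-04T09:18:11Z erin marketing GET https://trello.com/b/abc 200
2024-03-04T09:20:45Z bob finance GET https://www.dropbox.com/home 200
2024-03-04T09:22:09Z frank sales GET https://wetransfer.com/downloads 200
2024-03-04T09:23:51Z grace engineering GET https://api.github.com/repos 200
2024-03-04T09:25:00Z heidi sales GET https://intranet.example.com/ 200
this line is malformed and must be skipped
"""

# Hypothetical catalogue: a registrable domain (or a specific host) -> service name.
SERVICE_BY_DOMAIN = {
    "hubspot.com": "HubSpot",
    "dropbox.com": "Dropbox",
    "github.com": "GitHub",
    "docs.google.com": "Google Docs",
    "trello.com": "Trello",
    "wetransfer.com": "WeTransfer",
}

# Hypothetical approved-software list, keyed by service name.
APPROVED = {"GitHub", "Google Docs", "HubSpot"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<dept>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url):
    """Extract the lowercase hostname from a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None


def service_for(host):
    """Resolve a host to a catalogued service by walking up its parent domains,
    so api.github.com and www.dropbox.com match github.com and dropbox.com."""
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_BY_DOMAIN:
            return SERVICE_BY_DOMAIN[candidate]
    return None


def parse_log(text):
    """Yield parsed records; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def shadow_it_report(log_text, approved=APPROVED):
    """Return {service: {department: set(users)}} for every catalogued
    service seen in the log that is not on the approved list."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse_log(log_text):
        svc = service_for(host_of(rec["url"]))
        if svc is None or svc in approved:
            continue  # unknown destination, or sanctioned use
        seen[svc][rec["dept"]].add(rec["user"])
    return {svc: dict(depts) for svc, depts in seen.items()}


def rank_by_users(report):
    """Order unapproved services by how many distinct people use them,
    which is usually the order in which to open the conversation."""
    totals = {svc: len(set().union(*d.values())) for svc, d in report.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_LOG)
    for svc, users in rank_by_users(report):
        print(f"{svc}: {users} user(s) across {', '.join(sorted(report[svc]))}")
```

Run on the constructed log, the report flags Dropbox (finance), Trello (marketing) and WeTransfer (sales) while ignoring the approved services and the internal intranet host. The output is the starting point for step 2, not an enforcement list: the same run tells you which department to talk to and, when two departments show up under two different file-sharing tools, where the duplicated spend from the article’s second problem is hiding.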

“The IT department has to accept its changed role from an owner of all IT resources to a service broker, responsible for governing the use of all the cloud resources -Dropbox, Amazon, Azure, Google Docs – corporate staff wants to take advantage of,” says Torsten Volk, VP Product Management – Cloud, ASG Software Solutions. “Delivering these services via workspaces that are integrated with a modern self-service IT store enables the IT department to harness hybrid cloud and deliver the apps and services that corporate staff likes to use in a secure and well-governed manner.”

Self-service tools
With this approach, the IT department locks down the data and gives users access to self-service development tools. The users can build the necessary applications over that data, without placing the data at risk. In this way, IT still maintains control over the business data, while giving business units the ability to meet their own needs.


These are just a few ways to deal with Shadow IT, but there are plenty more. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.


9 thoughts on “How to deal with “Shadow IT”

  1. Joe,
    Thank you for publishing this. It’s a very useful guide for any small or medium business.

    Any business owner could take this blog post and implement a complete strategy. If you get any pushback from your current I.T. provider, show them this list! This is what their peers, who are leaders in the industry, are doing for their clients across the country.

  2. Joe – this is an excellent article. The approach you outlined worked well in my organization. In having the necessary conversations with business partners, we found that in most cases, Shadow IT was done with good intentions and that business partners did not understand the risks. As such, some were offended by our use of the term ‘Shadow IT’ and that it implied they had done something underhanded. We made better tractions with our conversations when we substituted the term ‘business managed IT’. Just a consideration for your readers.

  3. Nice post and your website is very cool. Well, thanks for the article. I was very happy to seek out this web-site. Any business owner could take this blog post and implement a complete strategy. If you get any pushback from your current I.T. provider, show them this list! This is what their peers, who are leaders in the industry, are doing for their clients across the country.
