Shadow IT appears unstoppable, how do you deal with it?

By ir. Pim Schouten

Shadow IT is defined as the IT within an organization that does not fall under the responsibility and management of the organization's (central) IT department. There is an increasing presence of shadow IT in organizations, especially due to the wide range of cloud services available and the increasingly adopted bring-your-own-device policy. It seems to be an ever-growing challenge for IT departments to manage shadow IT. IT departments will need to let go of some responsibilities while setting clear boundaries for shadow IT.

Keywords: Shadow IT, IT, cloud services, bring-your-own-device, information security

Cloud services and bring-your-own-device

Due to the broader availability of cloud services, particularly Software as a Service (SaaS), everyone within an organization can use paid and free services. Employees use SaaS services, for instance, to exchange files, share data, or collaborate on projects. Well-known examples of such SaaS services are Dropbox, WeTransfer, and Projectplace. At the departmental level, managers select their own cloud applications for tasks like customer relationship management, document management, or customer interaction. A credit card is usually sufficient to start using an application with all department employees.

As many organizations allow their employees to use their own devices (bring-your-own-device), there are also more devices (laptops, tablets, and smartphones) outside the control of the central IT department. Employees use their own devices and are responsible for their operation, management, and maintenance, including upgrading and updating the operating system and apps. A common discussion arises: may the employer install software, such as mobile device management, on the employee's device for security purposes, like enforcing strong passwords or remotely locking or wiping the device?

New risks

Both forms of shadow IT – SaaS services and personal devices – introduce risks for the organization. Employees and departments typically choose applications and devices based on accessibility and user-friendliness, often overlooking the organization's information security and (information) architecture policies. This leads to issues that were not considered when the solution was selected, such as compliance with security and privacy policies, data security, availability of the application on all devices (including older ones running older operating systems), and integration of data from central systems and databases into the SaaS service.

Letting go and setting boundaries

The days when the central IT department could enforce that it is responsible for all IT in an organization are over. Employees and departments are no longer satisfied with this, and the opportunities to procure a product or service outside the central IT department have greatly expanded. So the central IT department will need to let go. It will need to accept that hardware and applications are being procured outside its control. It can handle this by educating employees and departments, which means explaining both the possibilities and the risks. But it also means setting boundaries on what is and is not allowed, such as defining standards, interfaces, and security policies. By setting these boundaries, the IT department retains enough control over IT that is not directly under its management.

Want to know more?

The bring-your-own-device policy and shadow IT can pose a challenge for management within your organization. We can help determine the appropriate frameworks in consultation with you. Contact Highberg or me personally, Pim Schouten.
