It’s no secret that IT teams are overwhelmed. Sometimes they lack the time or resources to get everything done that needs doing. And when employees have to wait long periods for IT to approve something, some of them decide to take IT matters into their own hands. 

Shadow IT is the practice of non-IT departments bypassing central IT to obtain, or provide for themselves, services that should be controlled by central IT. 

Shadow IT can be a risky business. Services that are completely outside the control of the centralized IT team can introduce new risks, said Jay Chapel, CEO of cloud cost analyzer company ParkMyCloud. 

“The fact that shadow IT exists at all is a problem because it’s an indication that IT isn’t getting the job done and those in the business feel that they can do a better job of providing IT,” said Glenn O’Donnell, VP and research director at Forrester. For example, a marketing team could set up their own communications channels, like Slack, rather than relying on the company-wide messaging system. 

Shadow IT — particularly unintentional shadow IT — can be difficult to track, above all when free services are involved. Paid services are somewhat easier to spot because they show up on expense reports. 

Departments that are doing shadow IT may not even realize they are doing it. “If you go out and get an account on HubSpot or if you go out and take advantage of some of the new SaaS capabilities that are out on the market to do something within your department, folks might not even think of that as shadow IT, it’s ‘hey, it’s just an app, it’s just something I’m using,’ without thinking of the potential exposure of what you’re putting up there,” said Chapel.

The risk of shadow IT will also be dependent on how savvy those individual departments are. “If it’s shadow IT by a department that’s just run rampant and has not taken proper care of data then it can become a serious problem,” said Chapel.

Policies like remote working and Bring Your Own Device (BYOD) can also contribute to IT having less control over its users. Companies that are implementing those policies have decided that the potential risks are outweighed by the overall benefits, Chapel explained. 

Depending on the company, those policies may be strict or more lenient, if they even exist at all. Some companies may lock down devices heavily if they are leaving the office. “On the other extreme, there’s the companies that are letting folks VPN in or at least bring their laptops home. And at that point the laptop is a piece of corporate managed infrastructure and if somebody is going to steal data they can do it just as well sitting in the office as they can sitting at home, so to that extent, there’s just a certain amount of trust going on.”

Shadow IT can be useful in certain scenarios
But shadow IT doesn’t have to be all bad. It’s possible that some departments will have people that have the skills to handle IT issues. If IT puts proper safeguards in place, such as password control and encryption, then it could be a viable option, Chapel said.

And by giving employees more control over IT services, IT teams can focus more on managing the core infrastructure and services in an organization, Chapel explained. 

O’Donnell explained that companies tend to gravitate toward two extremes of IT. “One is everything sits in IT and the other extreme is everything sits in business and there is no IT. And as is usually the case, both extremes are ill-advised. You’re better off finding that right balance between the two, or what I keep calling the Goldilocks balance — it’s not too little IT and it’s not too much IT. It’s the right level.”

Chapel recommends companies ask the question: Is shadow IT recognized as a practice that is available within an organization? “As long as there are certain standards available for everyone to use, like password control, encryption, availability of the knowledge of good practices, and corporate wide training of how to do your own shadow IT, it can be okay,” said Chapel.

Of course, it’s important that IT teams evaluate that risk. According to Chapel, risk will vary depending on the individual organization, and the individual departments within that organization. For example, if it’s a software development group that doesn’t have access to customer data, the biggest risk will likely be the availability of proprietary software source code. Or it could be a marketing group that has access to customer data, which will need to be handled differently. “I think it depends on the nature of the department itself and what the sensitivity is of data that they might hold. Maybe the cafeteria is not a big deal, but the building management is if it means someone might have access to security systems.” 

It’s also important that organizations have thorough policies in place, and that these policies are enforced. A company may determine that certain services, such as Dropbox or Google Drive, are okay, but that others aren’t allowed to be used. “There probably should be corporate level policies that let people know ‘shadow IT will not be tolerated, this includes these types of services’ or ‘managing your own IT resources is okay, within the following bounds’ or maybe there has to be a simple approval process,” said Chapel.
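The tracking problem raised earlier (free SaaS that never shows up on an expense report) and the allowlist policy Chapel describes here fit together in a simple check that IT can run over its own web-proxy or DNS logs: map each destination host to a known SaaS service, drop anything on the sanctioned list, and report the rest per department. The following is an added example written for this page, not code from the article, ParkMyCloud or Forrester; the service catalogue, the sanctioned list, the user-to-department directory, the log format and the log lines are all constructed for illustration and would be replaced by the organization's real data.

```python
"""Flag unsanctioned SaaS use from proxy-log lines against a sanctioned-service list (illustrative)."""
import re
from collections import Counter, defaultdict

# Constructed catalogue of SaaS hosts keyed by registrable domain; a real deployment would use a
# maintained feed, and this list is deliberately tiny.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "slack.com": "Slack",
    "hubspot.com": "HubSpot",
    "wetransfer.com": "WeTransfer",
    "trello.com": "Trello",
}

# Hypothetical policy: services central IT has reviewed and approved (the "okay" list from the text).
SANCTIONED = {"Dropbox", "Google Drive"}

# Constructed user-to-department directory (in practice this comes from HR or the identity provider).
DIRECTORY = {"alice": "marketing", "bob": "engineering", "carol": "marketing"}

# Constructed proxy-log format: "<timestamp> <user> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/:\s]+)")

# Constructed sample log lines, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://app.hubspot.com/contacts/123
2024-03-04T09:12:05Z alice GET https://www.dropbox.com/home
2024-03-04T09:13:40Z bob POST https://api.slack.com/api/chat.postMessage
2024-03-04T09:14:02Z carol GET https://wetransfer.com/downloads/abc
2024-03-04T09:14:30Z carol GET https://app.hubspot.com/contacts/456
2024-03-04T09:15:00Z bob GET https://drive.google.com/file/d/xyz
malformed line that the parser skips
""".splitlines()


def classify_host(host):
    """Return the catalogue service for host by suffix match (api.dropbox.com -> Dropbox), else None."""
    labels = host.lower().split(".")
    # Try progressively shorter suffixes, but never the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[candidate]
    return None


def parse_line(line):
    """Return (user, host) for a well-formed log line, or None so callers can skip junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("user"), m.group("host")


def find_unsanctioned(lines, sanctioned=SANCTIONED):
    """Return {department: {service: request_count}} for SaaS traffic not on the sanctioned list."""
    report = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        service = classify_host(host)
        if service is None or service in sanctioned:
            continue  # unknown host, or a service IT has already approved
        report[DIRECTORY.get(user, "unknown")][service] += 1
    return {dept: dict(counts) for dept, counts in report.items()}


if __name__ == "__main__":
    for dept, services in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        for service, n in sorted(services.items()):
            print(f"{dept}: {service} ({n} requests)")
```

Two caveats a practitioner would add: the check only sees what passes through the proxy or resolver, so BYOD devices on home networks (the case Chapel describes) are invisible to it unless they are forced through a corporate gateway; and a hit is a signal for the "simple approval process" the text mentions, not proof of misuse, so the output should feed a review queue rather than block traffic outright.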

Chapel believes that the best solution to shadow IT is to allow IT to review things, but not actually have to manage it. This takes the burden off of IT, while still ensuring that they know what services are in use in the organization. 

“Again, the reason shadow IT exists is that there’s a fundamental disconnect between those two parties,” said O’Donnell. By opening up a dialogue between employees and IT, they can share what’s important and come up with common goals. “And shadow IT isn’t necessarily a bad thing, but it is in the sense that it’s a communication issue…Especially now, as business is getting smarter, you’re getting a lot of IoT devices and edge computing that are more applicable to the business directly and less applicable to a central IT organization. You have to have that shared responsibility and that balance between the two extremes.”