May 06, 2022

Over the better part of a decade, Shadow IT has become a growing concern for IT leaders. Shadow IT refers to any purchase or implementation of information technology systems outside of IT’s purview in order to work around perceived or actual shortcomings of the company’s existing systems.


So, why is there a rise in unsanctioned departmental IT purchases?


In the era of infinite cloud solutions, the purchase and adoption of new applications is easier than ever for departments looking to satisfy a need - and quickly. This has led to a decentralization of technological decisions where business analysts are increasingly taking departmental IT matters into their own hands. In fact, according to Cisco¹, more than 50% of technology budgets on average go to resources that business units are purchasing and using outside of IT’s awareness.


In other words, the market has circumvented the gatekeeper.


Business units now have more flexibility than ever to respond to emerging technological needs. But what's the tradeoff? Though more tech-savvy than ever, your average business analyst likely doesn't understand the extent of the implications behind a departmental IT purchase. Driven by a need to adapt quickly, business units often neglect security considerations in favor of flexibility.


IT and business leaders alike are asking:

Is there a way to maintain security while increasing flexibility?

The implications – why business executives are becoming concerned

Business leaders must understand the implications of Shadow IT if we are to play a part in alleviating it.

1. Shadow IT is unprotected, and therefore can introduce major business risks.

The average company uses over 1,000 cloud services, but the IT department only knows about 100 of them. Employees feel comfortable downloading applications and cloud software that make their jobs easier – but at what cost?

Since these systems aren’t vetted by the IT department, they don’t go through the same security procedures as IT-sanctioned technologies. Without knowing what applications are in use, there’s no way of knowing the security risks to the company.

Most companies run internal updates and patches on their software packages as well as monitor systems to ensure security standards are always met. However, IT can’t monitor or run updates and patches on systems and applications that fall outside their purview. This leaves the company exposed.

These systems can collect sensitive information and open the company up to risk of data breaches and other liabilities. Without ample security, your sensitive information is more vulnerable to leakage and theft.

2. Shadow IT fragments the company’s information, preventing a single version of truth and limiting access to data.

It may have started as one or two systems, and before you knew it your data was fragmented across a complex web of disparate systems running in the background. Many of these are not connected to your primary systems of record, leading to increasing amounts of manual work just to achieve a semblance of that coveted ‘single version of truth’.

What happens when pieces of data live across multiple systems? Collaboration becomes inefficient, you lose timely visibility into the business, and you cannot make data-driven decisions.

3. Audit and business governance concerns are introduced.

Unsanctioned applications threaten business governance. Business governance consists of the rules, practices, and processes by which a firm is directed and controlled. Essentially, governance ensures that controls are followed so the company can operate with proven integrity and offer transparency to stakeholders and shareholders.

Similar to how shadow IT fragments the IT landscape, it also fragments your business processes, leaving them undocumented, and likely unapproved. Without consistent internal controls in place, companies lose audit trails, and ultimately transparency into the business.

Companies that don’t sufficiently comply with audits and regulatory requirements are subject to publication of their noncompliance and are ultimately considered a ‘risky investment’.

How can leaders respond?

Shadow IT is impossible to evade completely. So, rather than waging a war and trying to stamp it out, here are 2 strategies you can take to respond and bring Shadow IT out of the shadows.

Innovative solutions to get at the root cause of Shadow IT

Stamping out Shadow IT might inadvertently stamp out innovative ideas and projects. But not all hope is lost. The promise of continuous innovation that got us all into this mess is likely the solution.

IT can provide line-of-business units with IT-approved tools to build their own solutions.

A no-code platform allows for the citizen developers within your organization to build the applications and functionality they need, lessening the frequency of purchases outside of the known IT landscape. The right no-code platform can also alleviate fragmentation by integrating with your core systems: ERP, CRM, and HRM, rather than requiring continuous exports of critical data into a spreadsheet to be consumed by one-off applications. These are systems that hold vast amounts of company data that is needed oftentimes for even the most ancillary of departmental IT solutions. A no-code platform allows for IT to use the platform as a tool of first response when needs arise. This creates a more consistent model and experience while ensuring that data is secure and auditable.

Educate the buyers

It can be a complicated and long process to get applications or software approved by the IT department. That is why business units choose to sidestep the approval point and covertly purchase the software themselves.

IT can partner with these business units, equipping them with the information needed to make smart purchases and properly evaluate the risks and benefits of a potential new system. Creating an open relationship between the functional areas ensures that all parties are invested in preventing disruptive glitches and embarrassing data leaks.


Of course, not all software requires the same level of security and reliability. When it comes to evaluating a new system, there are 4 important topics to consider:
