Shadow IT is an aptly-named phenomenon. It’s the notion that obscured in the shade of official information technology processes, companies often have unofficial tools that aren’t in IT’s direct line of sight. As sources of data, employees who input sensitive information or integrate into unsupported applications will unintentionally expose their companies to untold cyber risk. This isn’t entirely the fault of IT teams, but also managers and employees who choose to use applications that they prefer, rather than the ones chosen by experts looking out for their best interests.
The funny thing about shadow IT is that it often makes these managers’ or employees’ working lives more convenient, or is even a boon for the business. By not going through the proper channels, however, shadow IT can have a severe cost to the organization: one that is often paid with its security. To avoid being on the receiving end of this bill, companies are removing trust from their network access models, to help regain visibility over where their datastreams are exposed, and at the same time reinforce the parts of shadow IT that aren’t necessarily bad.
At its core, shadow IT is a cultural issue. If managers and veteran employees – the ones ultimately responsible for leading by example – feel like they can sidestep IT guidelines and introduce new products into the network then other employees will feel safe doing the same. This practice is surprisingly common, even for organizations that pride themselves on education, personal security hygiene, and a strong overall security posture.
Employees engaging in shadow IT are usually only trying to make their tasks easier to accomplish, and this is something to applaud, when done correctly. According to a Gartner report, IT now sets aside over 40% of its enterprise budget for shadow IT, and some measurements put the number over 50%. It’s only natural that employees would gravitate towards technology that makes their lives easier. But if IT isn’t supplying or supporting it, then the problem isn’t only that it doesn’t acknowledge or secure shadow IT, it’s that IT isn’t aligned with greater business goals.
For this reason, it’s important for IT professionals to embrace good shadow IT and make fighting bad shadow IT a part of their responsibilities. That means identifying solutions that defend the corporate network from security threats, while also letting employees pursue productivity. Technologies that enable an idea called Zero Trust are most relevant to finding this balance, and with some supplementation offer a quick win against bad shadow IT.
Bad shadow IT is the IT department focusing on its own goals and ignoring the possibility of employees using unsecured tools to interact with company data. Good shadow IT is the IT team’s recognition that employees will always chase convenience and that this is generally good for the business. It’s also the support for this notion: providing a forum for employee tech discussion, using flexible self-service solutions and incorporating technology that enable an idea called Zero Trust.
IT can use Zero Trust to address some bad shadow IT risks, simply by reducing the impact that any single individual can possibly have on the overall network. If they decide to use an unsupported tool, the damage they can do should their user be hacked is limited – and also immediately obvious to administrators. This is accomplished by revamping the perimeter-based security models of yesteryear, and replacing them with tools that refocus access policies and permissions on users, not on resources.
To refocus IT teams on supporting employee tech preferences, organizations should first establish the correct processes and technologies. In an age when most of the tools employees choose are cloud-based, adding Cloud Access Service Broker (CASB) and micro-segmentation to the network security arsenal ensures IT has control over all cloud-adjacent tools.
This software-defined model extends and deepens security policies beyond the traditional network perimeter, limiting users’ mobility and trust within the network. Most importantly, it also monitors their activity at all times, to watch for breaches of official shadow IT guidance.
The Zero Trust model described above is designed to be a relatively effective safety net for the inevitable breach of shadow IT policy. Even with an IT department that encourages employees to bring new tools into the fold, this process alone will always create too much friction for the busy salesperson, for instance, resulting in bad shadow IT.
For this reason, employees need as much productivity encouragement as they do security enforcement, and while Zero Trust helps, it does not proactively stop employees from engaging in shadow IT, it merely limits the damage they do and helps IT become aware of it.
To truly combat poor shadow IT practices, the best long-term solution for any organization is to invest in a DevOps department whose purpose is to align with overall business goals, understand departmental pain points, and push the IT team to implement them. A good strategy that DevOps might target is to find tools that allow employees to self-service rather than find a workaround. It could take the form of a data platform where employees can generate reports themselves, and avoid waiting for their ticket or request to be pushed through the BI team.
These types of technology implementations are only possible with a DevOps team that runs parallel to the business needs instead of IT goals. It shows employees that their tech preferences are heard, and can be integrated seamlessly at the speed of business. With this type of corporate culture and with Zero Trust as a backdrop, bad shadow IT is outpaced by worker productivity.