With Perfect Processes, How Does Shadow IT Happen?

Shadow IT. It’s a phrase that sends shivers down the spine of any IT leader. It speaks to unknown threats and vulnerabilities with no easy solutions or pathways to mitigation. And while it has expanded recently with the rise of software-as-a-service (SaaS) purchasing, it’s not a new phenomenon.

IT leaders have employed any number of processes and controls to combat shadow IT and impose order, but it seems to be a losing battle for most businesses. Why? Why does shadow IT persist despite the best efforts of organizations to eliminate it? The answer most often lies in the good intentions of high-performing employees just looking to do their jobs as efficiently as possible. 

The go-getter

Often the most successful employees are those predisposed to action. They can go from idea to execution in the blink of an eye, and the last thing they want is some pesky IT roadblock standing in their way. 

Thanks to SaaS delivery, the only thing required to get up and running with new software is an internet connection and a credit card, and even the credit card isn’t necessary when dealing with free or trial software. The go-getter knows that doing his/her primary job effectively is more important than always following the rules – better to ask for forgiveness than permission. 

The result is something between controlled chaos and the Wild West – dozens, if not hundreds, of SaaS applications running in an organization’s environment. IT is unaware of these apps, along with the waste and redundancy, security/regulatory threats, and data loss that typically accompany shadow IT.

Waste and redundancy

When purchasing is decentralized and taking place in silos, waste is almost unavoidable. Typical problems include:

Siloed purchasing doesn’t only result in waste. Redundancy is a factor as well. Having multiple tools that address the same use case – file-sharing, instant messaging, project management, etc. – is inefficient for purchasing and results in unnecessary support costs.

In an environment where every dollar counts, this type of waste is something any IT leader is eager to avoid.

Security and regulatory threats

All shadow IT represents a security threat in some form. Software that is unknown to IT presents security risks, because they are:

Similarly, it’s unlikely anyone has reviewed the data handling and data storage procedures of these vendors. This increases the risk that you’ll run afoul of regulations such as GDPR and HIPAA when dealing with customer information. 

Data loss

Employees share all sorts of data with the apps they use, but who owns that data once it’s sitting on a SaaS vendor’s servers? What happens to the data when you are no longer a paying customer? These are questions you can’t possibly answer for apps you’re not even aware are in use in your environment.

Additionally, just as faulty data handling and data storage practices, or lack thereof, can lead to the security threats described above, they can also lead to data loss. Few of your assets are more valuable than your data, so it’s critical to be fully aware of how it’s handled, how it’s stored, who owns it and how you get it back once you part ways with the vendor.

How to bring order to chaos

Preventing shadow IT by layering more and more processes and controls on employees is bound to cause dissatisfaction internally and is unlikely to fully address the problem. After all, the more roadblocks you erect, the greater the incentive for the go-getter to find a workaround. 

A better path is to couple reasonable purchase procedures with comprehensive visibility of everything running in your environment. That’s where we come in. Reach out to us now to get started.