6 Ways to Shed Light on Shadow IT


If you want to uncover risk in your IT ecosystem, just look in the shadows—of shadow IT, that is.

Don't have a shadow IT policy in place? Now is the best time to consider one.

How big is the problem? In a global Cisco survey conducted from 2013 to 2015, IT executives estimated that their companies were using an average of 51 cloud services. Cisco's examination of its customers' networks showed that the real number was 730—about 15 times more than was estimated.

The risks of shadow IT

Pressured to be productive, many employees are overjoyed to find they can access the tools they need with a credit card and a browser or mobile device—sidestepping the IT seal of approval and sometimes-lengthy procurement process.

What the average end-user doesn't see are the risks. To an IT professional, the security risks are obvious, given the inconsistency among cloud service providers. Compliance is another potentially costly risk, particularly in highly regulated industries such as financial services and healthcare with consumer data protection mandates.

Then there's the larger IT picture. Shadow IT can result in duplicated technologies, inefficiencies and overspending, loss of data governance and the general undermining of a strategic IT roadmap.

What you can do

In our view, it is possible to manage shadow IT risks and still deliver the services that end-users want. The following are six strategies:

  • Offer amnesty: Often, the fastest way to track down shadow IT and hidden data is to simply ask—making clear that you aim to solve a problem, not cause one.

  • Find the data: Use high-tech detective work to find out where your data resides—in-house, in the data center, in the cloud, on someone's phone. Network monitoring and log data are two places to start.

  • Prioritize risk: Look for the cloud services that present the highest risks, starting with the most likely users—often the sales and marketing department.

  • Establish guidelines around BYOD and apps/cloud services: Now that BYOD is standard at many organizations, having a well-rounded BYOD policy is a best practice.

  • Offer alternatives: Provide a list of approved software beyond the standard issue, educate teams about compatibility and risk concerns, and create a fast-track approval path for apps that business units want.
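
One way to start on the "Find the data" and "Prioritize risk" steps from log data, shown as an added example that is not part of the original article: it groups outbound proxy log entries by cloud service, drops the sanctioned ones, and ranks the rest by data uploaded and number of users. The log format, host names, user names and allowlist are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2016-11-21T09:02:11Z alice files.example-share.test 5242880
2016-11-21T09:05:40Z bob crm.approved-vendor.test 20480
2016-11-21T09:07:03Z carol files.example-share.test 1048576
2016-11-21T09:10:19Z alice notes.example-notes.test 4096
malformed line without enough fields
2016-11-21T09:12:55Z dave api.example-share.test 3145728
2016-11-21T09:15:00Z bob mail.approved-vendor.test 10240
"""

# Hypothetical allowlist of sanctioned services, keyed by registrable domain.
SANCTIONED = {"approved-vendor.test"}


def service_of(host):
    """Collapse a host to its last two labels (simplified; real code should use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_unsanctioned(log_text, sanctioned):
    """Return (report, skipped): unsanctioned services ranked by upload volume, then user count."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1  # count unparseable lines so gaps in coverage stay visible
            continue
        _, user, host, sent = parts
        svc = service_of(host)
        if svc in sanctioned:
            continue
        stats[svc]["users"].add(user)
        stats[svc]["bytes_out"] += int(sent)
    ranked = sorted(stats.items(),
                    key=lambda kv: (-kv[1]["bytes_out"], -len(kv[1]["users"])))
    return [{"service": s, "users": sorted(d["users"]), "bytes_out": d["bytes_out"]}
            for s, d in ranked], skipped


if __name__ == "__main__":
    report, skipped = find_unsanctioned(SAMPLE_LOG, SANCTIONED)
    for row in report:
        print(f'{row["service"]:22} users={len(row["users"])} bytes_out={row["bytes_out"]}')
    print(f"skipped {skipped} unparseable line(s)")
```

The ranked output gives a starting list for the amnesty conversation and for deciding which services to review or offer alternatives for first.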

If you can't beat 'em, join 'em

A sixth approach, in conjunction with the five above, is to consider shadow IT an opportunity. For example, one trading company's IT team decided to focus on managing risk rather than controlling applications—and greatly improved relationships with business leaders.

The more you know about what business users are trying to accomplish, the more you will be able to manage risk while supporting users. That's always a positive, and can help bring shadow IT into the light of day.


November 22, 2016