Have you a Shadowy Movement in Your Midst?
There's a part of your business you've never seen—and likely don't know exists. It operates from the shadows, filling the gaps between company-approved applications and ensuring your teams have the information and tools they need to do their jobs as effectively as possible. While these unapproved technical solutions often generate security and data integrity concerns, they're almost never born from negative intent. In fact, most of these shadowy solutions are created from an employee's desire to improve the effectiveness of their role—and do more for the company's continued achievements.
It's time to find out what's lurking in the shadows.
So what is it? To be brief, Shadow IT.
Shadow IT is a catchall definition for all IT solutions, whether software or hardware, that are not known to or managed by an organization's IT department.
Today the scope of Shadow IT is broader than it was two decades ago. Which makes sense—the range of software and hardware solutions accessible to the average employee has grown tenfold (not to mention the number of internet-connected devices employees use nowadays to do business). Understanding the roots of Shadow IT, in addition to the motivations of employees who use it, will help you decipher not only why Shadow IT exists (and persists), but also how to manage its negative effects and then turn them into opportunities rather than signs of breakdown.
The Story of Shadow IT
It all starts in the days when IT departments ruled their company's technology landscape with distance and complete power. This was the age when vendors had to ply these departments to accept their technology products. These departments acted as gatekeepers, controlling the flow of technology to the business units that relied on outside innovation. Once an appropriate tech passed security requirements and business functionality, it was disseminated to its users.
Perhaps business units had a say in which tech was best, or IT considered their feedback on currently installed tech. But the gatekeeper for tech innovation within the company remained the IT department. They weren't trying to be difficult by gatekeeping. They were doing their jobs by ensuring infrastructure governance and securing company and proprietary client data. All extraordinarily vital and valuable to the company.
This was also a time when technology know-how was not as ubiquitous as it is today. Fiddling with a company's server, router, or configuration settings was a specialized job. Best left to the professionals. But the process of getting useful technology to the business units, not to mention getting IT to come and fix the occasional tech mishap, was typically a slow one.
During these early times, another trend was accelerating. That trend was the consumerization of IT. Though the consumerization of IT arguably began in the 1970s, it was with the mass adoption of the internet just before the peak of the dot-com bust of 2000 that it became an undeniable force in spurring on Shadow IT.
After the bust, vendor markets evaporated, and having lost out catering to enterprises directly, shifted to consumers. New tech was hitting the U.S. market, like portable USB flash drives, that made it easy to bring software and files into the company from outside. Meanwhile, employees were becoming increasingly internet savvy.
With this newfound empowerment and a disdain for the sluggish processes of IT departments, employees overcame their IT challenges by relying on their wits. They used internet services for business tasks, relied on external hardware to overcome IT shortfalls, and altogether forgot to inform their IT departments that they weren't needed anymore. This introduced innovation into the workplace. But, it unwittingly ushered in IT consequences they'd either ignored or never perceived. IT labeled this form of undisclosed innovation Shadow IT.
And unseen innovation in the shadows was a threat to the company's IT. To IT, they didn't know what they didn't know. What unknown software and devices were accessing company data? Which ones were opening up the entire system to the outside? What viruses and trojans were being introduced to the company systems by way of employees' personal USB sticks? Now, in today's world, cloud services that employees deemed useful are granted access to company and client data. To IT, all this meant a loss of security and control and possibly an affront on their hard work to protect and enable the company's tech.
In reality, the term may have come about long before. Nevertheless, one thing is certain: employees were solving their IT problems outside of the IT department. However, through the eyes of the tech gatekeepers, those innovations were introducing an entirely new set of problems for IT teams.
Fast Forward to Now
In today's world, the average personal tech awareness is very high. Consumerism of IT has not decreased; instead, considered it a mainstay force. Vendors have found a reliable channel into the business culture by marketing useful services to employees on a personal level. This process is a form of innovation indoctrination.
In effect, the market has circumvented the gatekeeper.
IT departments, however, should refrain from seeing this as a threat to their company's tech. This broader phenomenon is the nature of innovation, and it is a positive phenomenon (even if not always positively expressed). People genuinely want to perform better; it's just sometimes formal channels move too slow for them when faced with a fast-changing, competitive business landscape. The power here is that employees who have specialized business experience and knowledge will more often have a better idea of what technology is best. They are the de facto innovators of the company culture.
Take a Look at Your Company's Shadow IT Culture
How many employees use personal smartphones for business? How many use social media to communicate with team members? How many maintain company files on cloud storage services?
Today, novel apps and IT solutions are being developed and marketed at rapid rates. And while there are many enterprise solutions, the chief marketing strategy aims at the end-user who will find immediate value. Ask the question: is shadow IT part of an overarching process of innovation in your business?
The answer is most probably yes. Innovation is happening all over your company, in the boardroom, and on the line.
While there are likely several supporting drivers encouraging Shadow IT, innovation is the king of them. Employees are actively looking for solutions to their everyday tasks. They want to be faster, better, and more productive. Nevertheless, company policy and market environment play key factors as well. More specifically, a company's attitude towards two factors—their policy in regards to employee personal devices, and their utilization of third party cloud software solutions.
Bring Your Own Device (BYOD) Policies Encourage App Intermingling
A prevalent trend encouraging Shadow IT is company policies allowing employees to bring your own devices (BYOD) to work. Barring an organization's need for absolute security control (perhaps carried out by such protocols like checking phones and other devices at the door) this trend is becoming a vital feature of the modern work dynamic, especially with remote work on the rise, which is up 30% from pre-COVID numbers.
Disallowing personal devices from work life is a tough prospect to get on board with—considering that BYOD leads to gains of up to 34% in productive efficiency from employees. Furthermore, from a cost standpoint, in both time and money, a company of 500 that adheres to a BYOD policy could save $1.5 million annually, and nearly 4 hours a week per employee (that's 4,333 days saved a year).
Allowing more Shadow IT, companies are finding this relaxed attitude towards personal devices, which shifts many costs to the employee, to be a tremendous strategic advantage. They can be more agile with their budget. All the while, employees are more comfortable using their own devices, unencumbered from switching systems when they shift focus from multiple tasks to personal concerns, a trend accelerated by the market availability of cloud apps.
Ubiquity of Cloud Services aka Software-as-a-Service (SaaS)
Software as a Service (SaaS) solutions have been a boon to many businesses that may not have the budget for an in-house IT department or custom-built solution. These are IT cloud services offering exceptional functionality, accessible almost anywhere on almost any device. For employees with an internet-connected device, SaaS introduces another Shadow IT opportunity.
In this age, it goes without saying, some of these SaaS companies are household names, and their products are well known—like Google Suite with their free email, spreadsheets, and document apps. More sophisticated SaaS solutions, like Salesforce, Zoom, and HubSpot, enhance and extend business units beyond what an in-house IT department can do and in much less time. But, these are just some popular and prevalent products. Putting SaaS into perspective, Gartner forecasted SaaS sales revenues to exceed $266.4 billion in 2020.
More than likely, SaaS has already infiltrated your company thoroughly and is likely no surprise. An oft-cited Cisco report, from 2015, found CIOs believed that there was an average of only 51 cloud services running under their organization, but further analysis pinned the actual average at 730. That was in 2015 when Forbes reported SaaS revenues to be only $78.43 billion.
By just connecting a few dots between performance improvements and application availability, it almost looks as though IT departments have become redundant. This is not the case. There are still issues that an organization must consider.
There are Obvious Drawbacks to all this Shadow Innovation, Right?
Drawbacks might not be the most suitable word. Remembering that Shadow IT is really a term that encompasses a phenomenon of innovation can go a long way to finding useful ways of managing it. Ideally, innovation is never a drawback, unless there is a tight grip on the way things used to be done.
Four key concerns spring to mind when considering the overarching responsibility that IT departments have, but these are nothing that they haven't been dealing with before.
IT Governance
The top concern of IT departments should be a cohesive IT governance strategy that achieves results. CIOs have seen Shadow IT as a symptom of an overhanging problem. That is, IT departments falling short of their purpose, which is to supply business units with the technology they need to make results happen. The longer the Shadow, the more significant the disconnect.
CIOs have agreed some amount of Shadow IT will continue to exist within an organization. However, when there are ever-greater amounts of unsanctioned tech, and employees are circumventing the department altogether, it says a lot about IT's effectiveness. Maybe the budget falls short. Perhaps employee feedback is not present. In any case, there is a misalignment between the strategy and the reality.
If employees continually turn to other tech and successfully achieve their goals, there are possibly some valuable lessons to be learned from those solutions. Investigate, even embrace, the new solutions.
Technology Risk and Security
Shadow IT nearly always brings to mind technology risk and security. This is an ever-present concern, whether systems are in-house or in the cloud. Risk is, unfortunately, part of the game. Perhaps it can never be eliminated, but it can be controlled. As the 80/20 rule tells us, understand that many of these risks come from only a few problems.
So what is the problem? The risk problem, simplified, is not that the IT department doesn't know that Shadow IT is there, but that they can't see how disparate the Shadow IT is inside. To illustrate, if a company decided it's best to institute a BYOD policy, it's a given that everyone is using their own laptops and smartphones. At this point, for example, a single company cloud communication system accessible anywhere may be the best solution for teams to communicate with each other. In contrast, if employees are using whatever means they want to communicate with teams and clients, and whatever cloud services they choose to send and receive files, well, it's much more challenging to manage security threats. There are simply too many products to understand how to craft a security strategy to address the gaps.
This disparity extends to compliance and regulations. Companies must comply with regulations, standards, and licensing. If there are too many products used in the course of business, it means more difficulty in creating a compliance strategy.
Extended again, into configuration management—how can the company maintain proper workings between systems if there are numerous products, both known and unknown? Again, extend that complexity into processes, collaboration, and standards. The greater the disparity, the more gaps for risk.
Revisiting the overall business' goals, and how best IT can address those goals with the right products is a great place to start reining in IT risk. Begin by understanding the issues being served by the products used in shadows.
Data Safekeeping
Many companies today have but one asset that gives them an advantage: that is their proprietary data. This data is everything, customer data, analytics, social media, invoicing, emails, and so on. And in most cases, each branch is housed on different systems. These systems don't talk to each other, they are not cross-referenced digitally, and sometimes they provoke turf wars between employee data owners.
They're called data silos. And it is a problem throughout companies and expounded further with Shadow IT. How much of a problem? It depends.
In a case, client and company data could be uploaded to personal accounts like cloud storage or an email system. Unwittingly, employees may just be attempting to complete a task quickly or simply complete it because the current tech stifles them. Now, that company data resides on some other system, and once the job is complete, the data remains forgotten. Or, an employee decides to use an external contacts system, putting all their client contacts into its database, now the data lives there. Then that vendor company is hacked, or perhaps they go bankrupt and out of business, what happens to the data? What can be done?
How about a more innocuous case. Two systems are used, one for client contacts, and another for accounting. But they don't talk to each other. They're never hacked, and they never go out of business. You now hire a new employee just to create a spreadsheet reconciling the two data silos. Data is outdated, redundant, or missing in both spots.
Keeping data safe is more than protecting it from the ravages of hackers; it also means protecting it from becoming useless to the company.
The Price of Cost Transparency
The concerns mentioned above help to illustrate one final matter: the bottom line costs of IT responsibilities. Shadow IT can contribute to reduced cost transparency for the company's IT operations; in short, it means there are ever-mounting hidden costs that crop up in the operations of IT departments.
Practically, it means the IT department doesn't know where its budget is going to go tomorrow, maybe even today. For instance, if Shadow IT exposes vital company data to cyber-attacks, the IT department loses time and money fixing it. Or, if someone connects an unauthorized device that crashes the network, the IT department loses time and money fixing it. In itself, reduced cost transparency is one symptom of failing IT controls. Companies should encourage something akin to controlled innovation.
These are some of the more potent concerns IT departments should address, but none of them, in principle, negate the positive effects that Shadow IT has had. As the saying goes, all things in moderation. So what is a company to do?
How do you manage the Innovative Power of Shadow IT?
The balancing act is to address IT's concerns with the innovative benefits of Shadow IT. How does a company do this effectively? Each will need to address their business needs with an appropriate IT strategy because clearly defined requirements often present the answers to the problem.
Consider a Strategic IT Pivot
An IT department's attitude has a lot to say about how employees will work with them. Will IT play gatekeeper, or will they be an enabler of innovation? Ultimately, that depends on the nature of the business and their company culture. Take, for instance, banks, their substantial data compliance, and regulation requirements warrant more IT oversight. However, a budding start-up that may only survive on its wits and agility may need a looser oversight grip to promote innovation and succeed.
In an interview with Martha Heller, a prominent contributor to CIO.com, founder of CIO Executive Council, and IT leadership author, she addresses some of the concerns IT can have with business units. A key take away, she suggests, is to "…tear down the wall between the business and IT, and create small, nimble product teams."
Communicate Clearly Defined Borders
Technology risk and security, as mentioned before, is often the first concern raised by Shadow IT, for a good reason. Protecting the home, usually, the data and infrastructure a company keeps is of paramount importance, not only from cyber threats but also from complete dysfunction through the drawbacks of data silos. Communicating clear borders to all company units regarding data, and IT functions, whether they exist in tight or loose IT cultures, should be top of mind when addressing security concerns.
Many cloud options that effectively address data security simultaneously address other operational challenges, such as decreasing costs. Consider all in one solutions that stay current with security trends, reduce operational costs, and cross-connect data to overcome compartmentalization created by data silos.
Shrink the Shadow but Adopt the Benefits
Shadow IT will continue to permeate; the idea is to quickly adopt those benefits made possible by Shadow IT under the company's IT umbrella and shrink the Shadow. In effect, make visible what was once invisible and cut out the rest. That is the real challenge for IT, rather than halting all innovation in the name of IT concerns. Companies small and large can take on this revolving innovation engine, maintain their security, and accelerate business when they pivot their mindset away from Shadow IT as a negative and focus on the positive.
Returning to strategy, understanding what, how, and why is paramount. Achieve this by asking and answering questions and asking more questions about those answers. In the case of Ascendware, an IT workflow and web development company, they took this strategic approach and tapped into their employees' innovative minds. Now empowered with a proper solution, they are considered citizen developers and actualizing real and visible innovation.
Consider a Low-Code/No-Code Development Platform
Today, empowering employees, technologically speaking, has shifted. What was once a field of programmers destined to spend their days in an ivory tower because computing was too esoteric a skill is now gone. The fact is anyone with a computer and internet connection can learn to code and build apps that serve their needs. Now, even if they don't know how to code.
No code platforms, sometimes called visual app builders, are extremely powerful and intrinsically designed to integrate with other programs. Employees can quickly develop solutions they need on a pre-approved platform that can be monitored and managed by their IT department. For example, no longer are spreadsheets the only option for tracking seas of numbers, prone to all of the formula, formatting, and data issues they bring. Now citizen developers can design and develop apps suitable to their needs and accessible anywhere on any device. This means that employees can create custom solutions fast, which are visible to IT so they can ensure security.
What are the Next Steps to Take?
By this point, Shadow IT should sound less shadowy. There should be an understanding that it acts as a powerful innovation engine. Yes, there are pitfalls that it can lay, but grabbing a firm handle on your company's strategy and goals, and understanding overarching IT concerns will draw a defined circle around the benefits.
Accept that employees are determined to perform their jobs well, and in this era, they are tech-savvy enough to provide real solutions on the IT front. Solutions like Kintone's development platform empowers employees to become citizen developers. It offers application building software to accelerate innovation and problem-solving at organizations: secure, connected, and mobile.
About the Author