Shadow IT really isn't in the shadows anymore. Technology purchases and management are being done by non-IT managers and employees across the company, including executives. And, oh by the way, IT employees themselves.
Those are some of the takeaways of a recently released study (PDF) from Stratecast and Frost & Sullivan, based on input from 300 employees in organizations in the United States, United Kingdom, Australia and New Zealand.
The report, written by Lynda Stadtmueller, program director of cloud computing for Stratecast/Frost & Sullivan, points to six key sets of findings about the true nature of shadow IT, and what organizations need to do about it. (The study was sponsored by McAfee Software.)
Another term for shadow IT is BYOC, as in "bring your own cloud," which has a more benign ring to it. But whatever you want to call it, it's a major technology presence in organizations today.
(Thanks to CIO Insight's Tony Kontzer for surfacing the study.)
Here are the 6 truths of shadow IT, as found in the study:
1) Everybody does it. The study finds that more than 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs. In addition, the study finds, the average company uses around 20 SaaS applications; of these, more than seven are non-approved. "That means you can expect that upwards of 35 percent of all SaaS apps in your company are purchased and used without oversight," Stadtmueller writes. In turn, "the high penetration of non-approved apps argues that such usage is no longer in the shadows, but very open."
2) We have met the enemy, and he is us. The study finds that the biggest users of shadow IT services are ... IT employees! Stadtmueller speculates that IT users feel they can handle the risk better. Her analogy: "Like parents who down a latte and doughnut while admonishing their children to eat a healthy breakfast, it may be a case of 'do as I say, not as I do!'"
3) Lack of clear consensus and poor communication plague SaaS policies. Enterprises -- even the largest, most tightly run ships -- tend to have a hodge-podge of policies, if any at all, when it comes to SaaS usage. "You can’t expect employees to adhere to a policy that they are unclear about," says Stadtmueller.
4) Employees just want to do their jobs. There's nothing sinister, underhanded or rebellious about shadow IT. Users use such under-the-radar software simply because they know it and are comfortable with it. And that helps them get their jobs done. In today's hyper-competitive economy, they'll do whatever it takes.
5) Non-approved SaaS usage extends across all application types. While desktop productivity tools (word processing, spreadsheets), social media and file sharing top the list of off-the-radar applications, there are also substantial portions of employees using online analytics tools, web conferencing platforms, and even HR applications.
6) Employees recognize risks, but feel they are justified. Close to half of both IT and line-of-business users, for example, acknowledge that shadow IT may expose valuable or sensitive data to the wrong parties. In fact, 15% of employees say they are personally aware of incidents in which data was compromised. Yet this sense of risk is not deterring shadow IT. Stadtmueller doesn't have the answer to this, but surmises that people are growing numb to all the warnings about risk being shouted at them all day long -- "from genetically modified food to terrorist attacks to NSA privacy invasions." What's one more?
In the report, Stadtmueller makes several recommendations to better embrace the shadow IT trend. First and foremost is to establish a consistent SaaS policy that encourages, rather than tries to quash, under-the-radar SaaS adoption while still retaining security. "Balance employee freedom with corporate protection," she advises.