Maybe shadow IT isn't so bad after all, study suggests

IT leaders agree shadow IT serves as a force of innovation and productivity. End-users simply need more guidance and support.

What's not to love about shadow IT? It's been a never-ending worry for IT leaders, especially when it comes to security, control and data formats. End-users subscribe to their own cloud accounts, use their own assortment of devices, and often even hire their own outside developers to build mobile apps and localized applications. 

it-worker-by-michael-krigsman.jpg

Photo: Michael Krigsman

The icing on the cake comes when the call finally comes from end-users begging IT to help clean up the mess. There is also the sticker shock CFOs experience when they see the monthly bill for a plethora of online services. 

At the same time shadow IT may not always be a bad thing. It also serves as a force of innovation and productivity as well. 

That's the conclusion drawn from a recent survey of 1,000 IT professionals published by Entrust Datacard. In fact, 77 percent believe their organizations could earn an edge by embracing shadow IT solutions. Supporting shadow IT helps empower employees to use their preferred tools, delivering long-term benefits, the survey's authors point out. IT teams recognize the rise in shadow IT suggests employees want better ways to work. Security ranks relatively low as a consequence of shadow IT.

When employees at my company use their preferred technologies, they are...
(Strongly agree)

  • More productive    49%
  • More engaged   45%
  • More likely to stay at the company long term   40%
  • More likely to adhere to IT security requirements   40%
  • More likely to introduce security risks into the company   25% 

The "shadow IT" infrastructure, as the survey's authors define it, is "ungoverned and unapproved solutions from file hosting services to personal smartphones on the corporate network that introduce serious security blind spots for management." More than three in four respondents (77 percent) agree that by 2025, shadow IT will become a bigger issue at their companies if left unchecked. However, more than one-third (37 percent) of IT employees say their organizations still do not have clearly outlined internal consequences when employees bring on new technologies without IT approval. 

The problem, the survey finds, is that today's IT departments often lack the processes and protocols to enable employees to use preferred technologies securely. Collaboration between IT and executive leaders to put security protocols in the right places may help get more out of shadow IT, the survey's authors state.

Communicating the risk and consequences of shadow IT is critical to the equation, they state. "Although IT departments are aware of the security risks of shadow IT to their organizations, most employees are not. More than one-third (37 percent) of the IT employees say their organization does not have clearly outlined internal consequences for when employees bring on new technologies without IT approval."   

IT employees themselves have their own shadow IT going on. At least 40 percent of the IT employees reported having used a device, application or other technology that is new to the organization without first receiving approval from their managers. At the same time, most respondents (80 percent) say they feel comfortable speaking up about shadow IT concerns, indicating it's a prioritized concern among organizations. "However, rigid processes and unclear consequences prevent IT professionals from actually following through on their concerns," the survey's authors state.  

It may seem obvious, but the Entrust Datacard survey now has the data: ignoring employee requests drives more shadow IT. "Slow IT approval processes can frustrate employees and lead them to introduce even more security risks to organizations," the study's authors point out. "Only 12 percent of the IT departments surveyed follow up on all employee requests for new technologies." 

Most respondents (80 percent) believe their companies need to be more agile when it comes to deploying technologies suggested by employees, and 36 percent indicate that developing a clear process for how employees can request technologies would increase this agility, the survey finds. At least 42 percent say that a clearer policy describing how employees can request technologies would help employees introduce new tools in a more IT-compliant way.

The study's authors urge the creation of pre-sanctioned libraries of approved cloud apps in an enterprise app store. In the event an app is not previously sanctioned, IT should be equipped with easy-to-provision authentication platforms that can use protocols such as Security Assertion Markup Language (SAML) and Open
ID to quickly connect the corporate authentication service.