Five ways to shine a light on shadow IT

Today’s fast-paced work environment finds employees striving to improve efficiency, productivity and communication. In an attempt to excel at work, they often use applications, services, data storage and sharing tools without IT’s approval. This practice, known as shadow IT, has an obvious impact on technical support teams: it undercuts sound governance and reduces operational efficiency. According to Gartner, by 2020, one-third of security breaches will be the result of shadow IT.

There are five ways, though, that IT can become a trusted ally across an organisation and build a plan of action against the security vulnerabilities and unnecessary costs of shadow IT.

Seek out the biggest shadow IT opportunities

Information is knowledge and knowledge is power. Take inventory of who is using what programmes across the company. With this information, IT can then assess potential issues and make appropriate changes. Monitor closely to see if any new and unknown tools or applications pop up in regular scans. Depending on results, an enterprise-wide vulnerability scan may be necessary. Network sniffers and security scanning tools can provide detailed information on new and unknown data streams. And while monitoring does not remove the threats of shadow IT, it does provide the IT department with better insights and the ability to start risk assessments or research alternative solutions.
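One way to turn that inventory into something actionable, as an added example that is not from the original article: the Python sketch below reads web-proxy records, groups traffic to services that are not on the approved list, and marks the ones that did not appear in earlier scans. The log format, the service names and the `find_unsanctioned` helper are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed list of IT-approved services (constructed for this example).
SANCTIONED = {"office365.example", "crm.example"}

# Constructed proxy records: timestamp user department dest_host bytes_uploaded
SAMPLE_LOG = """\
2024-05-06T09:01:12Z alice finance office365.example 12000
2024-05-06T09:03:40Z bob marketing files.sharebox.example 48000000
2024-05-06T09:04:02Z carol marketing files.sharebox.example 5200000
2024-05-06T09:10:55Z dave engineering crm.example 900
2024-05-06T09:15:31Z erin finance notes.quickpad.example 15000
2024-05-06T09:20:18Z bob marketing api.sharebox.example 300000
malformed line without enough fields
"""

def service_of(host):
    """Collapse a hostname to its last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_unsanctioned(log_text, sanctioned, baseline=frozenset()):
    """Return unsanctioned services, largest upload volume first.

    baseline holds services seen in earlier scans; "new" marks the rest.
    """
    stats = defaultdict(lambda: {"users": set(), "departments": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of aborting the scan
        _, user, dept, host, sent = parts
        svc = service_of(host)
        if svc in sanctioned:
            continue
        entry = stats[svc]
        entry["users"].add(user)
        entry["departments"].add(dept)
        entry["bytes_up"] += int(sent)
    report = [
        {"service": svc, "new": svc not in baseline, "users": sorted(e["users"]),
         "departments": sorted(e["departments"]), "bytes_up": e["bytes_up"]}
        for svc, e in stats.items()
    ]
    return sorted(report, key=lambda r: r["bytes_up"], reverse=True)

if __name__ == "__main__":
    for row in find_unsanctioned(SAMPLE_LOG, SANCTIONED, baseline={"quickpad.example"}):
        print(row)
```

Sorting by upload volume puts the services that hold the most company data at the top of the risk-assessment queue, and the department field shows which internal customers to talk to first.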

Assess security and efficiency risks and provide suitable alternatives

Take advantage of creating an open dialogue with your colleagues — your internal customers — across the company. Listen to their feedback, learn more about the problems they’re trying to solve, and be willing to provide input on which tools may be a security concern and offer an alternative. I once had a request to review a tool that was already approved and deployed by another department in the organisation. In this case, it was a lot easier (and a lot cheaper) to adjust our plan to add a few more licenses than it would have been to initiate a whole new contract.

Encourage employees to come forward with their requirements

Let’s look at supporting teleworkers as an example. If you don’t have an IT-approved way of enabling employees to work remotely, it is almost certain they will find a way to do so on their own. That’s when things get tricky. IT organisations tend not to be very open to the new requirements employees have in order to do their jobs.

IT should offer a safe haven for those employees and departments to come forth with their requirements and even suggest possible solutions that they would like to see implemented. By working together, IT can then take a look at the programmes, determine the risk and offer comparable solutions, where needed, to achieve beneficial outcomes for all.

Become more involved in the application selection process

This truly comes down to trust and relationships. It is important for IT to build a rapport with every department head and meet regularly to discuss their technology strategy. Establishing an open dialogue between departments and the IT organisation helps to remove the “us” versus “them” notion and makes technology transparency, and the potential risks of adopting unapproved technologies, less of an issue. Having a seat at the table in the strategic planning stage will reduce most surprises around shadow IT down the road.

Keep in mind that not all shadow IT is bad

It is very possible that not everything you discover when mitigating shadow IT is bad. The tools you discover are truly the voice of the customer, showing you what teams really need to be successful. It may even be that these applications can be beneficial to other departments. Be open to feedback from the department heads and work together to have IT be part of the strategic planning for the department and company from the beginning.


The bottom line is that shadow IT doesn’t have to be prevalent if there is open communication between IT and its customers. Employees typically engage in shadow IT because they think it will save time and money by not involving IT in the approval process for the technology they want to use to be more efficient.

In reality, going around IT just bypasses the critical management, integration, and security and compliance-related safeguards it supports. While it may take a bit of time, additional due diligence and even a bit of hand-holding make it possible to mitigate the risk of shadow IT and safeguard the security, profitability and efficiency of the entire company.