Build and transform technology landscapes to support evolving business strategies and operationalize innovation.
Learn moreMaximize market potential through a partner program offering LeanIX solutions tailored to your business model.
Learn moreWhat is shadow IT? The risks, costs, benefits, examples, and how to discover & manage it.
of an organization's SaaS estate can operate unknown and non-centrally managed
Compromised company data and security information is the most commonly-identified risk of deploying un-approved technologies.
of SaaS spend is wasted because of under-used, unused orphaned, excess licenses, and overpriced vendors.
IT professionals agree that by 2025, Shadow IT will become a bigger issue if left unchecked.
of IT professionals believe their organizations could benefit from embracing shadow IT solutions,
IT professionals say employees are more productive when allowed to use preferred technologies.
With the consumerization of information technology and steadily increasing adoption rates of cloud-based services, shadow IT has become an important topic that won’t go away anytime soon.
In fact, current trends show that individual employees are responsible for 50% of all cloud app purchases, while 35% is procured at departmental levels and only 15% can be subscribed to IT teams. This means that the majority of purchases happen without the knowledge of the IT or security group within an enterprise.
In this article, you’ll learn more about shadow IT, the associated risks, costs, and benefits, and how to successfully discover and manage the software that’s off the radar.
Shadow IT describes the procurement and use of IT-related hardware or software without the explicit approval of IT departments. This includes hardware, off-the-shelf packaged software but most commonly cloud services, including SaaS (software as service) and IaaS (infrastructure as service).
Even though unmanaged apps can refer to many things, the main concern enterprises have today, is the increase of SaaS applications that haven’t been approved by IT departments. After all, employees feel increasingly comfortable with downloading apps and services that help them get their job done.
And while this relatively new phenomenon comes with its risks and challenges, it also has its benefits like increased productivity, fewer bottlenecks, and immediate problem-solving. It creates a gap between Business and IT — Business Led IT embraces innovation and productivity but the key is to ensure it is managed properly: Efficiency, Productivity, and Security. Thus, shadow IT doesn’t deserve the negative reputation it currently has.
Next, learn about the most common shadow IT examples and the three main software categories they belong to.
📚 Related: What is Shadow AI?
Most SaaS applications that are purchased by individuals and lead to shadow IT fall into one of the three main categories: productivity, communication, and collaboration. As there are constantly new providers and applications with various new features, employees tend to choose the apps that best suit their needs and update software whenever they see fit. Below are some examples of typical shadow IT applications.
Productivity: More often than not, these are apps for better project management like Trello or Hive that allow employees to assign tasks and keep track of time and progress. Other productivity apps are designed for social media management like Hootsuite or help employees check the quality of written output like Grammarly.
Communication: Especially with an increase in remote job opportunities, communication tools are more important than ever. SaaS applications like Slack allow for easy communication and video conference applications like Zoom or Webex help remote teams hold video conferences and allow screen sharing.
Collaboration: Since sending big attachments via email isn’t always possible, most teams use different file-sharing tools like Dropbox or OneDrive to upload and share files. And of course, there’s a whole collection of SaaS tools for working collaboratively. The best example is GoogleDocs or apps for better workflows featuring discussion boards and real-time notifications.
When it comes to hardware, common shadow IT includes items like servers, PCs, personal laptops, tablets, smartphones, or hard drives.
There are a few reasons why shadow IT applications have become more common in almost every enterprise. One of them is directly linked to the rapid growth of cloud services or software as services that are easily accessible for employees on all levels.
Remember that 85% of all cloud app purchases are made by non-IT team members. Plus, the average employee is becoming increasingly tech-savvy and doesn’t usually wait for IT teams to approve of solutions that enhance their efficiency and productivity.
On top of that, most businesses experience a shortage of developers. That means teams take matters into their own hands instead of waiting for busy IT experts to develop an in-house solution to a problem.
More often than not, there is also a mismatch between the business and developers – many applications designed for developers neglect certain business aspects which lead managers and their teams to look for quick fixes.
Since shadow IT seems to be on everyone’s radar, there is an increasing amount of research investigating its usage and impact on enterprises around the world. Below are five recent Shadow IT statistics that might leave you surprised.
As the above data suggests, shadow IT is difficult to control and still an untapped field for most organizations. However, it doesn’t have to have a strictly negative impact on a company but can be a source of employee productivity and empowerment. But first, learn about the specific risks that are associated with shadow IT.
Considering how many employees procure SaaS applications without prior IT approval, there are certain risks that are growing alongside the amount of shadow IT. However, if IT departments and leadership know about these challenges, they can make better-informed decisions and mitigate problems as soon as they arise.
Below are the 5 biggest Shadow IT risks that you should be aware of:
Security issues: With more than half of all organizations not including shadow IT in their IT threat assessments, shadow IT introduces new security gaps to any enterprise. While some applications might be harmless, others could promote data leaks. Thus, IT departments should at least be informed about which apps are being used for file sharing and more.
Non-Compliance: To protect their customers, clients, and business partners, organizations are subject to stringent compliance regulations that are enforced by their respective governments. In case of non-compliance due to shadow IT, a company can face hefty fines should unapproved software jeopardize the confidentiality of sensitive data.
Configuration management: IT departments invest a good amount of their time to create the perfect IT workflow with the help of a configuration management database (CMBD). When shadow IT is introduced, it’s likely not supported by the CMDB as the right people don’t know of its existence. This could lead to a disruption of the existing system workflow.
Collaboration inefficiencies: When teams rely on different apps to get their job done, collaboration might decrease or become less efficient. Example: If one team uses Google Drive for file sharing and another team uses Dropbox, documents will get uploaded, downloaded, and edited multiple times.
Lack of Visibility: Shadow IT truly lives up to its name, meaning that it is invisible to IT departments. Even though SaaS applications typically don’t take up much space, they can impact the bandwidth or simply break. If a team heavily relies on a broken app that IT doesn’t know about, it’s difficult to provide quick fixes or solutions.
While the risks and challenges that come with shadow IT can’t be denied and shouldn’t be ignored, there are also numerous benefits that enterprises are starting to embrace.
However, keep in mind that it’s important to communicate the risk of shadow IT to your employees and let IT teams review new solutions in an unbiased manner.
It’s not a surprise that the outlined shadow IT risks also come with a financial burden. And there are various types of costs that can occur when the negative aspects of shadow IT start outweighing their positive ones. But where do these costs come from? Most of them fit into one of the two categories below.
The more your organization adopts a cloud-first approach, the more you will have to deal with shadow IT. However, you don’t necessarily have to suffer under the challenges and associated costs. In order to mitigate the risks and to embrace the benefits that this trend has to offer, shadow IT needs to be discovered and properly managed.
The shadow IT governance process described below enables you to discover, manage, and audit any unknown application employees use within your organization.
In the first step, you need to know what is actually in your environment. Discover all apps in your software portfolio by using application portfolio management or Software Asset Management (SAM) platforms, or employee surveys (spreadsheets). Keep in mind, that manual discovery methods prove to be inadequate and time-consuming, especially within bigger organizations.
Once you have a complete inventory, you’ll be able to store a variety of characteristics for each application, e.g., application owner, number of licenses, seats, users, total spend, purchase type, renewal period, etc. Knowing each characteristic will enable you to establish accountability for applications that will help you to act on the findings moving forward.
Do apps comply with your enterprise’s standards? With an overview, you can perform risk assessments on all applications you discovered in the first step. You can also find out if an app is associated with a recently published security breach. Assessments described below can prioritize actions you take. These can be done based on the following criteria:
In the next step, you can leverage integrations and API connections to track application usage patterns and identify underutilized purchases. Best practices to analyze applications is, to begin with:
Data gathered from the previous steps helps you rationalize applications according to which applications are needed, by whom, and for how long. At this stage, companies must define their needs and take steps to optimize or retire unused software. Best practices for evaluation and rationalization can be done through:
With a controlled intake and usage awareness, companies can build a process around buying SaaS applications to avoid recurring rationalization. Best practices around buying and renewal processes are to:
Since there’s constant movement in a cloud environment, you need to keep monitoring your network and keep a record of new applications. Plus, many SaaS apps are updated on a daily basis, so there might be policy changes that you shouldn’t miss.
Automated monitoring ensures repeated rationalization and reduces the need for overly-controlling centralization measures or cuts in the wider enterprise. Regular reviews will help make sure:
In this day and age, shadow IT comes with the territory of cloud-based environments and is difficult to avoid. That’s why you should focus on its benefits while managing the associated risks in an effective way.
By understanding what shadow IT is and knowing its potential impact on your enterprise, you can address challenges and create a culture of employee empowerment and productivity. This involves strategic shadow IT discovery, getting all departments on board, and the openness to technical innovations even if they disrupt the status quo.
After all, employee satisfaction translates into productivity which has a positive effect on your products, customers, and overall growth.
Ask the right questions to obtain the right data.
Cost savings – Eliminate redundant or unnecessary applications
Better resource allocation – More budget for innovation
Improved efficiency – Streamline your portfolio to optimize business processes
Enhanced security – Better define and manage your application perimeter
Increased agility –Pivot quickly while freeing up resources for strategic innovation.
What is shadow IT?
Shadow IT describes the procurement and use of IT-related hardware or software without the explicit approval of IT departments. This includes hardware, off-the-shelf packaged software but most commonly cloud services, including SaaS (software as service) and IaaS (infrastructure as service).
What are the risks of shadow IT?
The most common risks of shadow IT are:
What is an example of a shadow IT?
The most common shadow IT examples are project management tools, like Trello or Hive, communication tools, like Zoom or Webex, and collaboration tools, like Dropbox or OneDrive.
Why people use shadow IT?
People use shadow IT to increase their productivity and efficiency during work.
Increased needs of employees, set up the growth of SaaS services that are created to provide solutions for any small tasks they have.
Most often, employees don't want to wait for developers or IT to develop or provide their own solution and rather use their tech-savvy skills to find one for themselves.
How to detect shadow IT?
Shadow IT can be detected by sending out employee surveys to ask each one what applications they are using for their work and compile data in the spreadsheet, or by using smart-automated tools like Enterprise Architecture, SAM or, SaaS management platforms.
Tackling shadow IT depends on the size of the company and the regulatory requirements the organization is in. The bigger the company is the more automated application discovery it requires.
How to audit shadow IT?
Shadow IT is audited either by Enterprise Architecture, SAM or, SaaS Management platforms that discover the organization's complete application portfolio with all the software information, each in its own way.
The shadow IT audit starts with a full application portfolio discovery that uncovers the number of licenses, seats, total spend, purchase type, and renewal period for each application.
Complete application portfolio allows doing risk assessments for each application and helps with evaluation and rationalization of applications that are inactive or underused.