The Perils of Shadow IT: Your Most Senior Executives Are Doing It

In CIO/IT by Shelly Kramer

They say any press is good press, and the ruling is still out as to whether or not Hillary Clinton knowingly broke any laws when she used a private, home-based email account for official State business as Secretary of State. She admitted on Tuesday that she had made a mistake and should’ve created two email accounts: a government one and a personal one. Still, one thing is clear: When the story broke last week, the entire world was talking about the latest threat to corporate security: shadow IT.

For those of you heavily immersed in the tech side of running a business, this won’t be news to you. But for many business executives and CEOs the idea of classified information being run through outside servers or software can be chilling.

Basically, Shadow IT, also known as Stealth IT, describes solutions and SaaS specified and deployed by departments other than the organization’s own IT department.

As far back as 2012, IT research and advisory company Gartner was predicting that 35 percent of enterprise IT expenditures for most organizations would be managed outside the IT department’s budget by 2015. Surely today, based on the innovations in technology which have occurred since 2012, that number’s even higher.

And if you think the blame lies with those hipster millennials and their “always on” lifestyle, you would be wrong.

The Enemy Is Us

According to a 2014 study by Stratecast and Frost & Sullivan and based on input from organizations in the United States, United Kingdom, Australia and New Zealand, the biggest users of Shadow IT services are IT executives and employees.

Now extrapolate that fact across your organization, to other executives, managers, and employees, and you can see just how quickly those numbers begin to add up.

In fact, according to the survey respondents, the average company already uses 20+ SaaS applications — think about it: Asana, Dropbox, Skype, Basecamp, Apple iCloud, Gmail, LastPass, not to mention your Facebooks and Twitters. But of those 20 or so SaaS platforms, more than 7 are non-approved. So, “…upwards of 35 percent of all SaaS apps in your company are purchased and used without oversight.”

So, if you can’t blame the millennials, who or what can you blame?

You can blame technology.

Get Off’a My Cloud

More to the point, you can blame the rise of cloud computing. As with most things in life, that which can benefit us the most can also harm us.

With more and more companies adopting BYOD policies (often also referred to as BYOC, or cloud), it’s no surprise that Shadow IT isn’t really in the shadows anymore. Which probably isn’t news to any of you.

In fact, as the study discovered, Shadow IT is now being perceived as an important step in innovation, opening new channels of development for businesses, and reducing overall costs.

Here’s why:

  • Ease of access – Users can access SaaS apps via the Internet, from any Internet-accessible device. In most cases, little or no client-side software is required, which means that the SaaS solution leaves no “footprint” on company-owned devices.
  • Ease of maintenance – SaaS apps are maintained by the provider. Users have no responsibility for patches or updates.
  • Free or low cost – Many software providers offer a limited-functionality or limited-capacity version of their applications at no cost. And if subscriber-based, most can often be terminated at any time, with no strings attached.
  • Quick deployment – SaaS is available on demand, with a click of the “accept” button on the Terms and Conditions page. Users do not have to wait weeks or months for server provisioning and application deployment (assuming the request is approved).

Of course, these are in addition to the direct benefits to a corporate IT department: No monies paid out in development costs, maintenance, testing, upgrades, capacity planning, or performance management. Plus, backup and recovery of data and infrastructure is generally also the responsibility of the platform’s vendor.

Manage Your Risk

So, where does that leave us? With remote working, job sharing, file sharing, and BYOD policies becoming commonplace, along with the rise of mobile and the ever-evolving technological advances happening around us daily, it’s a little too late to shut that barn door.

And, contrary to how nefarious the term Shadow IT “feels,” it appears most employees who “go rogue” and use unapproved SaaS during work hours are doing so with the best of intentions: They simply want to do their jobs, as efficiently and as cost effectively as possible. What’s not to like about that?

They’re not doing it just because, either. These are, generally speaking, a smart group of people who want to get things done. They cite reasons like quickly gaining access to the right tools, overall comfort level with certain apps and platforms, and, perhaps most importantly, the desire to avoid a steep learning curve and the waste of time conquering such a learning curve entails if forced to adopt something new.

I think the responsibility today in handling cloud computing and unregulated corporate SaaS usage lies squarely with each organization. As we need to look inward to see who’s really performing this Shadow IT (our own executives, managers, and IT people), we also need to look inward when it comes to corporate policies and guidelines. Because most companies today don’t have any.

Instead of losing sleep over perceived risk, companies must develop clear and concise policies governing cloud computing and SaaS usage. And don’t stone me for saying it, but IT departments shouldn’t exclusively own this exercise. Today, most executive level employees are well versed in SaaS, and they are probably well aware of what systems and platforms their teams are using day to day.

The ideal approach to Shadow IT is to collaborate. We’ve got to break down silos between IT and the rest of the organization, and involve all areas of your organization to work together to create best practices and help put the right policies in place to minimize corporate risk. Think outside the box. Remain flexible. Be prepared to drop old-school “firewall” thinking. And remember, the end-goal really is to improve business outputs and add to the bottom line of the organization.

Was Clinton breaking the law with her Shadow IT efforts? I don’t know. The State Department’s email system is known to be vulnerable to hackers. But what I do know is she was leaps and bounds ahead of Romney and Palin, who conducted official business on free email services from Microsoft Corp. and Yahoo Inc.

Sometimes, perspective really is everything.

What do you think? Are you aware of any Shadow IT occurring in your organization? What do you think would be the most important things to include in policies and guidelines supporting SaaS usage? I would love to know your thoughts in the comment section.


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
