Shadow IT Remains An Issue: Organizations Can Cope

Digital Transformation Driving Shadow IT

Esther Shein

Shadow IT is certainly not a new topic, but the prevalence of cloud apps developed outside of IT has made this a continued thorn in the side of IT organizations. If not mitigated properly, it can – and does – cause problems for any organization, regardless of industry.

Shadow IT occurs when employees develop apps that are not sanctioned by an organization’s IT department, which, consequently, doesn’t support them. Shadow IT issues often arise when businesses feel pressure to digitally transform their organization in order to stay competitive in the marketplace.

Gartner estimates some 30 percent to 40 percent of IT budgets at large enterprises is designated for shadow IT, according to CIO.

Sixty-two percent of respondents to a Cloud Security Alliance (CSA) Mitigating Risk for Cloud Applications report said their companies have written policies discouraging use of unsanctioned apps, but few have technical controls in place. The report also found that 38 percent block unsanctioned apps outright, while 29 percent use a proxy or firewall to redirect users.

Growing Concerns

The majority of security professionals remain as concerned about shadow IT as they were last year (49 percent), the report also found. Another large portion are more concerned than the previous year (30 percent), while a smaller percentage are less concerned or were never concerned (13 and 8 percent, respectively).

Jayme Williams, senior systems engineer at TenCate, a global materials manufacturer, said shadow IT occurs primarily in their marketing department because “marketers often need to get things done very quickly and don’t feel as though they have the time to work with us for things like transferring large files in a safe and compliant way.”

That sentiment is echoed by Peter Bendor-Samuel, CEO of IT consultancy Everest Group. Typically, business users find IT is too slow or unresponsive to their needs for quick efficiencies and functionality, he writes in CIO. Enterprise IT operates differently – and what business users want often doesn’t align with its focus on functional costs per unit as the value it delivers, he says.

Accept And Embrace

Some cloud observers believe that IT can mitigate the risks of shadow IT by embracing it and working with the business to build an appropriate security and compliance framework to address any lingering concerns. Bendor-Samuel suggests CIOs redesign IT and establish cross-functional DevOps teams that align to the needs of the business – rather than IT’s.

Everest Group has seen significant improvements in business impact, speed and worker productivity within companies that integrate DevOps teams into their operations, he says.

“My advice is to deploy a DevOps model and create an integrated pod with a cloud stack and cross-functional teams that are placed into the various business departments to address their needs,” Bendor-Samuel reiterated in a blog post.

He also sees a shadow IT market opportunity for third-party providers, noting that AWS, Rackspace, Google and Microsoft Azure, along with all SaaS companies, are benefitting.

“Third-party service providers leveraging the DevOps model and cross-functional teams in business departments will be well positioned to capture a significant share of the huge shadow IT market.”

Here To Stay

Let’s face it, though. Shadow IT will likely continue to exist because ever-changing technologies whet people’s appetite for instant gratification. So what can you do about unsanctioned apps? One way to secure data could be the use of cloud access security brokers (CASBs) to improve visibility and control over both unsanctioned and sanctioned apps. The role of a CASB is to monitor data activity and enforce policies across multiple cloud apps, the CSA report notes.

Gartner has projected CASB deployments will grow rapidly in the next few years, reaching 85 percent of large enterprises by 2020.