Why does Shadow IT exist? It’s a question that we wouldn’t want any of our customers to hesitate to ask, because the answer leads to great discussions that are impactful on cybersecurity strategy and cybersecurity posture. When shadow IT exists, a good starting point is to assume that employees believed they did not have the tools they needed to excel at their job, and they took matters into their own hands.
That’s not necessarily devious. In fact, it’s almost never devious. It’s an employee wanting to do their job better, believing that a particular tool/software/website would help in that mission. When the employee takes the initiative to procure (sometimes freely) that tool/software/web account, suddenly you have Shadow IT.
Why is it called Shadow IT? It’s called that because IT doesn’t know about it. So, IT can’t help with vetting it, to make sure that it’s safe and suitable for use within the company. That said, what are the top reasons that Shadow IT exists? Let’s go a click deeper to the most common root causes.
If you were an employee that needed a specific additional tool, and you thought the IT team’s involvement would slow your path towards procuring that additional tool, what would you do? Be honest. Most of us would find a way to procure the tool — for (in our eyes) the betterment of the company — even if it meant bending the rules about how IT is supposed to be involved in such decisions.
If you find yourself asking “why does Shadow IT exist?” and you know that your IT processes for vetting and approving newly suggested solutions are slow or burdensome, you may have just answered your own question. And, you might need to work with your IT leaders to accelerate the processes related to new software evaluation, because often the alternative isn’t non-use… it’s Shadow IT.
Put yourself in the shoes of a non-technical employee. The concept of asking for approval from IT, for the procurement/use of some additional software/account, can be daunting. Non-technical employees often realize that IT might apply nuanced criteria and standards to their evaluation of the proposed solution. And, it’s not uncommon for non-technical employees to have a predisposition to believe that IT is likely to disapprove the desired software/account.
If that’s the case in your organization, you may need to take steps to create a more positive culture of interactions between your IT team members and the rest of the organization.
Suppose a graphic designer has just discovered a terrifically helpful website containing stock images related to the subject matter that your company specializes in. Do you think that designer — who races to create a free-level account on the website — first considers whether that is within (or not within) IT policy? There is a very good chance that it doesn’t even cross the employee’s mind.
In fact, if you asked that employee “why does Shadow IT exist” in your toolset, there is a very good chance that the response would be “what is Shadow IT?”
Many organizations leave the topic of Shadow IT wholly unaddressed in their training, policies, and handbooks. We think that’s a mistake. A heightened awareness of Shadow IT — and the risks associated with it — can help the employees in your organization think more critically before they press “Create Account” on that new/helpful website.
We’re not naive enough to believe that Shadow IT will go away anytime soon. If anything, the trend towards shadow IT is accelerating. We think the best move for companies wanting to productively engage the topic is to take to heart the above three drivers of shadow IT. By engaging employees on these topics, by raising these topics to the surface for discussion, and by making these topics safe to discuss, your team may just be your very best ally in minimizing the proliferation of shadow IT.
Want to dig deeper on this topic? Check out our comments on “Knowing Shadow IT When You See it”, in this prior article on this site and Locking In on Security, Episode 4 (Forgiveness, Permission, and Shadow IT).