Too often, Shadow IT systems—those not authorized by IT—are used by the business to perform work. Here are a few common examples:
- A cloud storage system (such as SharePoint) may be authorized and managed by IT, but employees may use external cloud applications (such as Dropbox or Google Drive) when working with external vendors.
- A collaboration tool (such as Slack or Basecamp) may contain important information and documentation that are effectively invisible to the IT portfolio.
- Vast spreadsheets may exist across disparate programs, requiring manual reconciliation and long email chains for even the most minor changes.
Why Is Shadow IT a Problem?
Wasted time. Wasted time expands as employees start to work in different manners across different applications, causing error, rework and redundancies.
Wasted investment. Investments in your IT tools are wasted if the approved tool is not fully leveraged—the company effectively pays for an underutilized tool. A Gartner research study found that more than 40% of IT spend is on shadow IT.
Security risk. A final repercussion is security risk, which grows as your firm’s data moves through uncertain and potentially unsecure channels. McAfee sponsored research found that over 80% of users admit to using some sort of non-approved IT tool to help perform their job. Are these shadow tools aligned with your firm’s security and compliance standards? Is the cost of a data breach more appealing than the cost of identifying and mitigating this reality? Is data properly backed up, or is it at risk for loss?
Why Does Shadow IT Exist?
The first step to fixing any problem is to understand the root cause. In the case of shadow IT, several factors may be driving users towards alternative solutions:
Factor 1: Licensing restrictions. If users are unable to access certain functionality of an approved system due to licensing restrictions, they may circumvent lack of access by using alternative tools.
Factor 2: Lack of awareness. Users may not utilize an approved tool if they were not properly trained, or lack sufficient working knowledge of its capabilities.
Factor 3: Comfort with old tools. Old habits die hard. Mastering a framework by spending years in one tool will generate discomfort when moving to a new tool.
Factor 4: Lack of capability within approved tools. If your approved tool does not provide employees with the capabilities they need to perform their job, they will look for tools that do.
How to Expose and Address Shadow IT
To draw IT out of the shadow, an effective way to start is with a 2-week assessment phase. The goal is to understand the prevalence and potential severity of your shadow IT. An assessment is a fast and non-committal method to rapidly gather insight into this shadowy aspect of your company, and provide options for immediate mitigation.
After the assessment phase, a Value Stream Mapping (VSM) workshop with a trusted facilitator will shed more light on the issue.
A VSM identifies the flow of people, data, and tools in your company’s end-to-end value delivery chain, and provides baseline metrics to quantify a need for change.
A transformation plan is a primary output of a VSM. This plan provides your company with concise and effective strategies to drive change. Deliverables may include a project governance plan, a risks & mitigations matrix, a tooling fit analysis, or other solution blueprint.
“Sunlight is said to be the best of disinfectants.” – Justice Louis D. Brandeis
Bring your shadow IT infrastructure into the light to mitigate the risk of wasted time, wasted investment, and compromised security.