Skip to main content
Software

Shadow IT is often a self-inflicted wound, experts say

Unhelpful or overly restrictive IT desks can often drive workers to unapproved IT resources.
article cover

Fcscafeine/Getty Images

4 min read

The cybersecurity risks of shadow IT are well-known—a recent cyberattack on password management firm Okta is an illustrative example.

But the biggest reason workers turn to unapproved IT resources isn’t to cause headaches: It’s simply to find the right tools to do their jobs.

Shadow sprawl. Tim Morris, chief security adviser at systems management firm Tanium, told IT Brew via email that he has heard shadow IT referred to as “suburban IT sprawl.” Confronted with slow or inefficient services, he wrote, workers often download software independently and trigger issues in “every area of IT management.”

Gartner research found that 41% of employees acquired, modified, or created shadow IT in 2022, and projected the percentage to grow to 75% by 2027.

Beyond the risk of a breach, shadow IT usage can make it difficult to conduct vulnerability assessments or management, Morris warned. Hidden costs can also creep in outside of traditional procurement processes, such as licenses for unused “shelf-ware,” and overuse of expensive third-party software and support.

“Even in a centralized model, better efficiencies can be gained using federated support models that are managed versus autonomous satellite support teams,” Morris wrote.

Keeping track of assets as they pass through stages like acquisition, testing, deployment, and end of life, Morris added, is the biggest challenge of IT inventory management.

IT assets “must be managed at every step—not just the hardware but the software that runs on it, plus patching and vulnerability assessment,” Morris wrote. “Often assets may move between environments and can get lost or mislabeled. With mobile devices, like tablets and laptops, they can literally get lost or stolen.”

Decommissioning is another of the “multiple areas for deviation or errors,” Morris added, due to multiple potential stages including discovery, legal hold, and physical destruction.

Embrace the shadow. “IT organizations used to think everything should be centralized,” Anudeep Parhar, COO of access management company Entrust, told IT Brew. Users confronted with high barriers like obtuse ticketing systems and arcane approval processes, he said, are prone to going rogue.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Harnessing shadow IT could come with significant benefits. A 2019 Entrust survey of 1,000 US-based IT professionals found 97% of respondents said their organizations are more productive, and 96% said employees are more engaged, when workers are allowed to use preferred technologies. Around 77% said their organizations would be more competitive if management took a more collaborative approach to filling gaps in technology needs.

Meanwhile, the same poll found just 12% of IT departments follow up on all new technology requests, and 46% of respondents said poor processes cause “moderate to severe conflict between IT and other departments.”

Parhar said cloud services and remote work have challenged old norms, in large part by enabling workers outside the IT department to procure software and subscriptions directly. While the centralized mindset is still prevalent in highly regulated industries like finance, he added, he’s noticed many IT leaders now think in terms of enabling technological innovation throughout the rest of their organization.

“The number of IT assets have increased quite a bit,” Parhar said. “You have to have a pragmatic view around it.”

Implementing zero-trust principles, where no devices are trusted by default from within or without a network, is one way organizations can benefit from shadow IT while minimizing risks, Parhar said.

“Go back to the foundational security infrastructure and stop focusing on just stopping people from building shadow IT," Parhar said. “There is no way we can take account of every single software and machine that people use and be able to actively block it.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.