Shadow IT Series: What It Is & Why It Happens

Posted inApplication Security, Cyber Security, Information Security, Information Technology, Security

Shadow IT technologies are a plague to IT departments worldwide, especially the parts of the department assigned to security. Why is this a problem? Because when an employee downloads or decides to use a tool that the IT department doesn’t know about, it can wreak havoc on company systems and create weak spots they don’t know exist. Those weak spots are easy targets for hackers looking to gain access.

Before you can recognize shadow IT as a problem, you have to know what it is. According to Cisco, “Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware.”

The rapid adoption of cloud-based services is a big concern today. Users are more comfortable downloading and using apps and services from the cloud to help them do their job, which is evidenced by increasing rates of shadow IT. Information technology has become consumerized, making lay people more at ease with using it and more likely to try things they might not have tried a few years ago. So why do people turn to shadow IT, what makes them seek out an app or service to assist them with their work?

There are three real reasons employees turn to shadow IT:

  1. The tools given to them are not adequate or industry standard for doing their job
  2. The tools they are provided with have been adapted or constrained. For example, features have been removed for security or budget without correct analysis of impact to users. Or the process of getting their tools is difficult and time delayed. If you need a tool to finish a task today, but you have to put in a request and wait a week to get that tool, you’re going to turn to shadow IT.
  3. The tools needed aren’t offered in any form, or getting them is so difficult and convoluted that employees don’t know how to get what is offered.

Underneath these three reasons for turning to shadow IT, there are two common security/tech principles to consider. These principles are in the front of our minds with consumer-facing products, but tend to get ignored for internal processes. One, if a process is too complex, a user (employee in this case) will give up or find another way that is simpler. Two, creating a user-centric design. Business owners tend to make budget and security decisions for internal tools without considering the impact on the employees.

What happens is that business owners fall into a trap of false equivalency. They think that they are making the best decisions for the business, which they might be with regard to budget and security, but they end up hampering their employees. When that happens, efficiency drops, productivity goes down and profits with them. Think of it like this, if all you need to do is hammer a nail, it generally doesn’t matter what kind of hammer you have. You can hammer with a carpenter hammer, claw hammer, ball-peen, sledge or mallet. Any of those will work. But the moment you need to remove the nail, you definitely want the claw hammer.

If you find that your employees are turning to shadow IT, take a look at the apps and services they are downloading. Try to pinpoint what your employees are looking for that they aren’t getting from you. See if there’s a better way to get them what they need that’s secure and safe. Your business depends not only on the security of products being used, but also the efficiency and productivity of your employees.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans, who have founded or co-founder several companies. PWV experts act as a trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY