While sitting at our booth during a recent conference, a college student asked me a great question: “Is the impact of shadow IT on business good or bad?” The question stemmed from a point made by one of the student’s instructors, which was that shadow IT is necessary for a business today to function successfully. And while the answer to the question might seem obvious to those of us in the cybersecurity world, I also wanted to make sure I was thinking through the idea completely before giving a knee-jerk answer or going into an in-depth discussion on the spot.
As I began to delve into the topic, I decided to ask several people the following question internally to see how some of our consultants and architects would answer the following question:
What is your opinion on shadow IT and its impact on business? Do you feel that shadow IT is necessary in today’s business environment?
The first person I asked was my manager, and his response was thought provoking. He suggested rather than considering whether shadow IT itself was good or bad, instead consider why an employee might feel the need to circumvent whatever policies and procedures are in place to successfully do their jobs. That answer, plus some of the following answers from my colleagues, has helped me think at a deeper level about the topic. But before I give my opinion, let’s look at some of the responses:
I believe Shadow IT does increase the risk to an organization and should be addressed.
How to address it is the tricky part. The presence of Shadow IT usually indicates one of two things. Either the Central IT policies and procedures are too burdensome or do not fit the needs of the Business Unit. Or the Business Unit doesn’t understand the need for and benefit of the Central IT policies and procedures.
If we review Central IT policies and procedures and determine they do need modification to better suit the Business Unit, then this could be a benefit to other Business Units and have a positive impact on the overall company.
If no policy and procedure changes are needed or possible, then we should try to help the Business Unit understand why the requirements are in place and the importance of meeting them through their own Shadow IT or by utilizing Central IT (i.e., internal support requirements, contractual obligations, compliance, etc.).
If neither of these helps to bring Shadow IT into compliance, then putting a wholesale stop to any detected Shadow IT might be necessary. Keep in mind that this can also lead to cat-and-mouse games where the Business Unit tries to circumvent Central IT in different a manner and possibly tries to evade future detection.
~ Chuck Brown, Service Delivery Manager
The effect of Shadow IT on businesses can be advantageous or disadvantageous based on how it is managed. While it can enhance innovation and efficiency, Shadow IT can also make organizations vulnerable to data breaches and security threats. Consequently, modern businesses should aim to achieve a balance between providing technology access to their employees and implementing robust security protocols and controls. This equilibrium would help organizations to harness the benefits of Shadow IT while minimizing associated risks.
~ Justen Wilson, Senior Security Consultant
Shadow IT really is dependent on the organization. Do we see Shadow IT every day, yes absolutely. The question is why. Here are some of the main reasons I have seen for Shadow IT.
- Some people will take whatever shortcut they can to achieve a desired goal. So, bypassing all corporate best practices and control in order to “get something done” drives them to do something in the realm of Shadow IT. It’s right in their mind. But is it really right, or even necessary, or even in the company’s best interest? The answer is at best a maybe, but many times the answer is no. Again, it comes down to the org. With the IT sprawl it the large Enterprise space it is easy to have Shadow IT. But at least in the Large Enterprise space I deal with it is the bane of the existence of the IT domains it exists in and it often increases the threat surface for little to no benefit.
- Organizational policies are so restrictive that Shadow IT is necessary to complete certain functions. This is when Shadow IT in many cases operates with tacit approval. The “I don’t want to know” from management. This may be case where Shadow IT is needed. Again, it relates directly to point #1. Is there a reason the policies and procedures are so restrictive and while speed and agility are nice to have. Do they put the business at un-needed risk.
- Dysfunctional IT. Shadow IT is really what drives the organization forward. IT as it exists doesn’t really work. Traditional IT is not really enabling the organization, so people take matters into their own hands in order to “get things done”. This is a case where Shadow IT might be needed, and what you will often find in the SMB space rather than the large Enterprise space. Just a bunch of cowboys out making stuff happen. Again, not necessarily the best idea, but in many cases well intentioned. The main issue I see is whoever is enabling that Shadow IT may be in a hurry, may just want to get something to work, may not be putting things like patching, security, least privilege access, etc.… in place when enabling some sort of Shadow IT. As a result, while well intentioned it increases the threat surface to the business.
I lived with and used Shadow IT for my professional career. I’ve seen a lot of stuff good and bad go into production in corporations. Ideally, you want an organization that enables the business, and enables innovation. Along that plot outside of it somewhere exists Shadow IT. How much and how needed depends on the org. How much is needed again depends on the org. But even Shadow IT needs controls.
~ Jarrod Cunningham, Global Solutions Architect
I believe that shadow IT, or shadow anything really is not good for business. At best, it is an indicator that there is something wrong with the processes of the business, or the goals of a project. Overly restrictive policies that prevent innovation for the sake of “this is how we’ve decided things should be done” need to be reviewed and updated based on new information. On the other hand, a project that cannot clear the standards and policies hurdles that are in place should evaluate the reasons why their project can’t get past the gate. I’ve seen projects fail to clear policy review because it strayed too far from established tool sets and technology stacks “because it’s the latest and greatest”. I’ve also seen policies that prevented business from operating at scale and speed that was required of the business objectives. Regardless of the reason justifying shadow IT, its existence is a symptom of a greater problem.
~ Greg Porterfield, Senior Security Consultant
While agility is certainly critical in today’s business environment, shadow IT entails unknown and unsanctioned systems/applications, thereby resulting in regulatory noncompliance and unmanaged cybersecurity risks. Instead, cybersecurity and IT organizations should enable the business through automation and streamlined security gates. Establishing well-defined architectural patterns and focusing on technologies, such as configuration management, infrastructure as code, and automated application security testing not only ensures adherence to standards, but also drastically increases efficiency for the business – win-win.
~ Aaron Parker, Senior Security Solutions Architect
I don’t think we can say that shadow IT is “good for business” or “bad for business” because it depends on too many variables. As an IT, business, security, and GRC practitioner – but also as a user – I see this from a bunch of angles. Shadow IT arises from people trying to solve problems, either aligned to business needs or their own convenience, or both; when it’s out of alignment with business needs then it’s “bad” for business. Otherwise, it’s not so simple.
To whatever extent shadow IT exists in an organization, it reflects the fact that established business processes are inefficient, ineffective, or inconvenient to the extent that users feel they have to circumvent them. It’s on the business to understand that extent and make its own determinations as to what it’s willing to accept, and what to do about what it’s unwilling to accept.
In short, I think shadow IT is inevitable, but it can lead to innovation and improved insight into business and employee needs if appropriately managed, so it should not be simply tamped down but mined as a resource for business insight.
~ Stephen Alexander, Practice Manager, GRC
By reading these responses and doing some research of my own, I’ve come to the opinion that relying on untracked assets (software, hardware, processes, or procedures) can create unnecessary strain on interactions between employees and IT, especially when that untracked asset becomes the root cause for a business-wide outage. When encountering shadow IT within the business, it should be seen as an opportunity to review why the employee felt the need to use an untracked asset in the first place. Employers should investigate the reason behind the behavior first and then take appropriate action. This may involve providing more comprehensive employee training or implementing changes to current policies and procedures. Policies and procedures should be protective of the business and those that it serves, but at the same time shouldn’t be so restrictive that they stifle innovation or performance.
***
This blog was written by Chris Hayes, Principal Consultant at Set Solution