Pulling Shadow IT Out of the Shadows

More than 80% of employees admit to using unapproved cloud applications to get their jobs done.

And according to analyst firm IDC, this year in the US, line-of-business technology spend will eclipse IT department spend.

There is a massive wave of change underway as a result of Shadow IT, and there are critical implications for Business, IT and Compliance/Risk stakeholders across the enterprise.

I head up marketing for a software company. In my group, I stopped counting the number of SaaS apps we use to help outpace our competition and deliver results quickly. Slack, SalesLoft, HubSpot, SEMrush, Asana, LinkedIn, Twitter, Wistia, DiscoverOrg... I'm barely halfway through the list.

In my case, we are a flat organization and IT is well aware of what we are using. We have coordinated to ensure we are meeting regulatory requirements and are aligned with our company's risk appetite. This took some quick, face-to-face meetings, and collaboration via a dynamic spreadsheet. And we can do it that way because we are small, and co-located. But within our customer universe of large accounts in highly regulated industries, with dozens of business units and thousands of employees, this is rarely the case and not terribly realistic when it comes to the management of Shadow IT. And suffice it to say, with all of the data breach news headlines flooding our feeds, people are scared.

So given the risks it imposes, is Shadow IT all bad?

Certainly not! Shadow IT can drive speed, agility and innovation. It can empower teams to get their jobs done more efficiently. It can lighten the burden on IT resources and sometimes, it can offer more affordable capabilities, bringing budgets down. That's why we embrace it on my team. And here is the kicker - it's here to stay. No amount of coordination or policing is going to rid your organization of Shadow IT. Nor should it.

So why the concern?

While it can deliver material benefits, no doubt, Shadow IT imposes risk:

  • Data vulnerabilities
  • Software redundancies
  • Excessive licensing
  • Non-compliance

So how does a large enterprise reconcile the good with the bad and bring Shadow IT out of the shadows in a manner that supports business interests?

To start, you need a mechanism to identify all instances of Shadow IT. This can be a daunting task without the right tools and systems in place, especially if you have large, dispersed teams.

Once you have identified all instances, you will want to make sure cloud apps are being used in a manner that is aligned with corporate priorities and objectives - in terms of regulations, risk appetite, customer needs, business value streams and internal controls and protocols.

And then you will want to persist all of this valuable business planning data so it can be referenced and traced on an ongoing basis, not only to prove compliance to auditors and regulators, but so IT has visibility into what is being used across the organization and to what end.

So don't throw the baby out with the bath water. Preserve the good, but establish a sound risk mitigation and prevention strategy to make sure your teams don't go rogue and lurk too much in the shadows. You can check out what Blueprint is doing to address Shadow IT at www.blueprintsys.com.
