
Managing Shadow IT Risks by Building IT Resources for the Future

Shadow IT is a double-edged sword: It’s the greatest opportunity for innovation your company has, if the shadow IT risks don’t cut into your business first.

After all, cyber threats will very quickly wipe out any upsides shadow applications can deliver.

Shadow IT is also unavoidable.

Security and risk management is IT’s No. 1 job. It seems straightforward: Build out a system for testing every tool a company might use, then find and eliminate the security risks. The problem is that process takes time and keeps employees from using all the tools they might like or need. To solve this, they sneak them in here and there, because they don’t want to wait for approval, or because IT already said no, or because they just never really think to check with IT first. This creates significant risks IT departments can’t see.

Most CIOs know there’s a shadow technology or two operating outside the IT infrastructure. The problem is they underestimate how many by a factor of 15 to 22, according to Cisco’s Shadow IT report. Cisco’s survey found that, on average, CIOs estimated they had 51 cloud services running in their organization. The actual number was 730.

Each one of those 730 shadow apps has the potential to help your company grow faster. At the exact same time, each has equal or greater potential to tear all your progress down.

It only takes one mistake to lose your customers’ trust — or their credit card numbers.

There’s no stopping employees from trying to find the fastest way to get their jobs done. The only hope for securing shadow IT is supporting the shadow technologies employees rely on with a cloud framework that mitigates risk. First, though, you’ll need to find the shadow information technology lurking within your organization.

A shadow IT definition that explains why it won’t go away

Shadow IT makes it easier for your employees to do their jobs.

Refusing to be frustrated by company-mandated tech, proactive employees find their own tools and applications. By avoiding IT, they can use any software they want, and implement it on their own schedule.

When you define shadow IT like that, it’s a wonder 100 percent of IT purchasing isn’t hiding in the dark. You may even realize it’s something you’re guilty of yourself.


Most employees don’t know there are potential risks to using an unauthorized app. Much of the security training focuses on downloads or malware-infected USB devices.

Employees who use an app to see who opened their emails don’t think about software procurement rules — they’re just trying to get the job done. So it’s quite the surprise when the app sucks all of their Outlook contacts into an unsecured cloud.

Scary as it may be, in truth, you don’t want shadow IT to go away. You just want to bring it to light and put the proper risk mitigation measures in place. Decentralizing IT and allowing your business units to find their own tools can reduce time to market by two years per Gartner’s Shadow IT report. None among us can afford to be two years behind our competitors. That’s why Gartner also says companies must decentralize at least 25 percent of their IT purchasing over the next five years if they want a shot at transformative digital innovation. Based on our own research and experience, we at ServerCentral estimate that by 2025, business units will control 90 percent of IT spending.


Coming to terms with business unit IT is mandatory for digital business success. A business unit IT strategy should be a priority.

Kurt Potter
VP and Distinguished Analyst at Gartner


Understanding the shadow IT risks for companies

Given the shadow IT statistics, the odds are good that your company’s shadow IT risk is higher than you think.

The second employees set up tools that aren’t vetted, you have information and applications running in an area that’s not controlled by your data governance rules.

That’s when the problems really start.

The shadow IT risks compound when you’re dealing with regulatory compliance standards. In addition to the PR threats and business risks of a data breach, you have the potential for legal repercussions as well. The flipside is that regulated industries also face the largest risks to competitive advantage by eliminating shadow IT.

Proactive employees are the best shot many organizations have of finding and introducing new tools to get the job done better.

This risk/reward dichotomy is why so many people reach out to cloud providers like us to build infrastructure that supports PCI or HIPAA compliance. If you can build a cloud environment that reduces shadow IT risks and threats, you can support decentralizing IT.

How shadow IT costs add up

Business risk should be the first thing you worry about. Cost, the second. Most shadow IT cloud applications come with costs — generally hiding on your expense reports. Then there’s the way those costs creep up. A team may purchase shadow software solutions for a specific project with a specific budget. If the trial period ends, or the usage bumps into a more-expensive tier, or any number of other things happen, all of a sudden that tool costs two or three times what they had planned.

Those extra costs also trickle into shadow IT cloud computing. All those applications access and store data somewhere.

We’ve had plenty of companies come to ServerCentral because all of a sudden their Azure or AWS bills are shockingly high. When we dig in deeper, we find out that increasing shadow use has been driving up costs.


You have individuals in the organizations being their own IT administrator, their own CIO. And that can be very problematic.

Jim Reavis
CEO of the Cloud Security Alliance in CIO


Business units can spin up cloud resources, but they’re likely to forget to spin them down without IT best practices to guide them. It doesn’t take long for your organization to be footing the bill for a massive cloud infrastructure you don’t need. In our experience, 40 percent of cloud infrastructure is underutilized.

What really hurts is when you realize a successful application your organization relies upon is actually built in a third-party cloud — without anyone knowing about it. Development teams, eager to quickly deliver solutions, may build an app in Azure or AWS to save time. Once management realizes this critical application is outside the scope of the IT organization, however, they need to move that application in very short order. We’re now looking at additional costs to migrate, reconfigure or rebuild it in a way that meets enterprise IT requirements. Unfortunately, the app’s current architecture may not support the tool sets of the enterprise.

Creating a sensible shadow IT policy, and training your staff to follow it, will support innovation without risking the high costs — and high disappointment — of retrofitting solutions to your data governance after the fact.

Running a shadow IT audit to quantify IT security and risk

A thorough shadow IT risk analysis starts with finding what’s out there. All too often, the shadow IT discovery process kicks off the same way: A team uses a specific application to get a job done. Other teams find it useful. Pretty soon folks across the organization are relying on this tool. Then someone stops and asks where it’s hosted and how its data is managed. When the answer to both is outside of the data governance scope, that’s the “oh my god” moment. And that’s when organizations start asking what else is out there.

Being proactive about shadow IT risk mitigation means looking for the potential pitfalls before they become problems. The same few shadow IT examples are present in almost every organization.

Look at the traffic going over your network. How much of it is to G Suite or Mailchimp or Box? Look at the expense reports. Do you see Azure or Dropbox or Salesforce? Find one popular shadow application and follow it. It’s likely to reveal all sorts of shadow use you might have missed without an audit.
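The traffic-review step above is easy to automate once you have proxy or DNS logs. The script below is an added example written for this post, not ServerCentral’s tooling: it reads a constructed log in a made-up "timestamp user host bytes" format, maps destinations to a small illustrative catalogue of SaaS services, compares them against a placeholder list of sanctioned services, and ranks the unsanctioned ones by how many users touch them. The log lines, the catalogue and the sanctioned list are all assumptions you would replace with your own data.

```python
"""Shadow SaaS discovery from web-proxy logs (added example, not ServerCentral's code).

Assumptions (not from the original post): logs are in a constructed
"<timestamp> <user> <destination host> <bytes>" format; SAAS_CATALOGUE and
SANCTIONED are illustrative placeholders an organisation replaces with its own.
"""
from collections import defaultdict

# Constructed sample proxy log lines for the demo.
SAMPLE_LOG = """\
2024-03-01T09:01:12Z alice mail.google.com 48211
2024-03-01T09:02:40Z bob api.mailchimp.com 10233
2024-03-01T09:03:05Z carol app.box.com 983112
2024-03-01T09:05:19Z alice www.dropbox.com 120004
2024-03-01T09:06:51Z dave login.salesforce.com 5120
2024-03-01T09:07:02Z bob app.box.com 4401
2024-03-01T09:09:33Z erin www.example.com 2210
2024-03-01T09:11:48Z carol files.dropbox.com 77004
"""

# Catalogue of SaaS services keyed by registered domain (illustrative, not exhaustive).
SAAS_CATALOGUE = {
    "google.com": "G Suite",
    "mailchimp.com": "Mailchimp",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "salesforce.com": "Salesforce",
}

# Services IT has vetted and contracted for (placeholder list).
SANCTIONED = {"G Suite", "Salesforce"}


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Good enough for the catalogue above; a production tool would consult the
    Public Suffix List so that hosts like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_log(text: str):
    """Yield (user, host, bytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, user, host, nbytes = parts
        try:
            yield user, host, int(nbytes)
        except ValueError:
            continue  # non-numeric byte count: treat the line as malformed


def shadow_saas_report(text: str) -> dict:
    """Aggregate traffic per catalogued SaaS service and mark whether it is sanctioned.

    Returns {service: {"users": set, "requests": int, "bytes": int, "sanctioned": bool}}.
    Destinations not in the catalogue are ignored for this audit.
    """
    report = defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes": 0, "sanctioned": False}
    )
    for user, host, nbytes in parse_log(text):
        service = SAAS_CATALOGUE.get(registered_domain(host))
        if service is None:
            continue
        entry = report[service]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += nbytes
        entry["sanctioned"] = service in SANCTIONED
    return dict(report)


def unsanctioned_services(text: str) -> list:
    """Names of unsanctioned services, most distinct users first, then most bytes."""
    report = shadow_saas_report(text)
    shadow = [(name, e) for name, e in report.items() if not e["sanctioned"]]
    shadow.sort(key=lambda item: (-len(item[1]["users"]), -item[1]["bytes"]))
    return [name for name, _ in shadow]


if __name__ == "__main__":
    report = shadow_saas_report(SAMPLE_LOG)
    for service in unsanctioned_services(SAMPLE_LOG):
        e = report[service]
        print(f"{service}: {len(e['users'])} user(s), {e['requests']} request(s), {e['bytes']} bytes")
```

Ranking by distinct users rather than raw bytes is deliberate: the post’s own “find one popular shadow application and follow it” advice is about breadth of adoption, and a service that several teams already depend on is the one whose data handling you want to understand first. Cross-referencing the same service names against expense-report line items closes the loop on the second audit step.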

The next task is to not freak out, but to really look into what capabilities people need and how you can structure them to reduce risk.

Taking back control by building an IT organization around shadow support

Once you’ve found your hidden applications and conducted a shadow IT risk assessment to determine the security threats, you can begin focusing on what it is your employees actually need. No one on staff is trying to create shadow IT security risks. They’re trying to find tools that will help them do better work, faster. IT needs to help them do that, while keeping potential issues at bay. That means making the switch from operating the technology to orchestrating the technology.

Shadow information systems crop up because employees fear they can’t go to IT. They expect to hear at best, “Wait,” and at worst, “No.” Neither will help them hit the goals they’re being evaluated on. What they really need to hear is “Yes, and here’s how we can help.”

The IT departments of the future will encourage experimentation. They’ll reduce risk not by limiting tools, but by working with a strategic partner to build an infrastructure capable of serving as a sandbox for innovation and scaling to support production. By creating secure systems and encouraging employees to use them, there won’t be a need for multi-month risk assessments on every piece of tech that comes into the organization.

The way you make shadow IT a benefit of your organization is to declare it one, then find a partner who can put the infrastructure in place to make it so. Let’s work together to reduce the risks, so you can reap the rewards.
