Shadow IT: A Business Risk or Competitive Advantage?

A new report highlights the many benefits and risks that enterprises face regarding ‘shadow IT,’ unmanaged IoT devices and implementing new (not approved) technology. Let’s explore.

October 19, 2019

A new report was released this past week by Entrust Datacard, and I found the results to be surprising, thought-provoking and requiring action.    

The research is titled: The Upside of Shadow IT: Productivity Meets IT Security. The report outlines how implementing solutions that let your employees own their work experience can lead to increased productivity, improved employee retention and greater trust in leadership.   

Why was I intrigued?

The report has an interesting mix of good and bad news for enterprises. While it lays out both benefits and drawbacks to shadow IT and new (unauthorized and unmanaged) technology showing up at work, the headlines focus more on the positive aspects of shadow IT and encourage openness.  

The report touches on the power of innovation, creativity and new devices under the Internet of Things (IoT) umbrella.  

Here are some of the key findings:

  • Empowering employees to use their preferred tools can deliver long-term benefits
    IT teams recognize the rise in Shadow IT suggests employees want better ways to work. 77 percent of IT employees surveyed believe that their organizations could earn an edge over competitors if company leaders were more collaborative about finding solutions to Shadow IT needs from both IT and non-IT employees.
  • Ignoring employee requests drives more Shadow IT
    Slow IT approval processes can frustrate employees and lead them to introduce even more security risks to organizations. Only 12 percent of the IT departments surveyed follow up on all employee requests for new technologies.
  • What risk? Communicating the risk and consequences of Shadow IT is critical
    Although IT departments are aware of the security risks of Shadow IT to their organizations, most employees are not. More than one-third (37 percent) of the IT employees say their organization does not have clearly outlined internal consequences for when employees bring on new technologies without IT approval.
  • Does your Shadow IT problem come from within IT itself?
    While most would think IT departments are the most diligent when it comes to following protocols, this is not always the case. 40 percent of the IT employees reported having used a device, application or other technology that is new to the organization without first receiving approval from IT.
  • Balance low friction and high security: Solve the Shadow IT Challenge
    The findings of The Upside of Shadow IT research suggest that it’s more important than ever for organizations to identify the right solution or combination of solutions that best protect them from security threats without disrupting employee productivity, such as:
    • For cloud-based productivity tools, organizations should consider CASBs to extend the reach of security policies beyond company infrastructures.
    • When technology approval and other security processes create too much friction for employees, organizations should consider identity-based security solutions to create a 360-degree view of employees based on a profile of factors like the user’s usual IP addresses and location.
    • To navigate changing regulations and standards, organizations should consider investing in compliance to establish that alignment with industry regulations is a top priority for the company.

New Research Findings On Security

Some of the most interesting statistics from the report include:

  • 21% of organizations don’t have any policies surrounding the use of new technology
  • 77% of IT pros agree that if left unchecked, shadow IT will become a bigger issue at their company by 2025
  • Despite understanding the risks, 40% of IT pros admit to using unapproved tech themselves
  • 37% say their organization lacks clear-cut consequences for employees caught using unapproved tech. And when there are consequences, they are too harsh — 35% of employees are afraid to report unapproved technology due to their fear of getting co-workers in trouble

Definitions and Context Please

So what is “Shadow IT” anyway? This brief video defines some related terms.

Over the past few years, I have written about shadow IT in several different articles. From Christmas presents that staff bring to work in January to cloud apps, to cheap or free back-ups of personal devices with work data, the challenges are daunting and evolving.

The other aspects of this report address the critical need for technology and security staff to work hard to get to yes with secure solutions for staff – and not just dismiss requests from staff for new tech. This topic is certainly not new, and the challenge has been around for well more than a decade. For example, see my “enabling innovation” stories from “BYOD is the new WiFi” or “Why security pros fail – and what to do about it” or “Idea to retire: Cybersecurity kills innovation.”

Related to this topic, I have also covered how cloud security is closely linked to shadow IT, such as these pieces entitled: “Trust and Risks Both Growing in Government Clouds” and “Where Next With Cloud Security?”

Final Thoughts

I find this report both helpful and a bit concerning at the same time. The authors clearly believe that Shadow IT can be a benefit to productivity and innovation, and they offer some tips to show how security can be addressed. They clearly state that the “glass is half full” with Shadow IT.

So full-speed ahead into the shadows, right?

Not so fast.

At a basic level, I don’t know how CIOs, CTOs and CISOs can address what they do not know about. Report recommendations like “encrypt all your data” can only be acted upon if you know about the data in the first place. Playing “hide and seek” in enterprises with new tech between IT staff and business areas is an inherent problem with Shadow IT and a paradox not easily embraced, in my experience.

So here’s a challenge for you. I’d love to see real-life examples and case studies of governments or private-sector organizations that encourage shadow IT (with all the benefits described) and that also do cybersecurity well with those devices and technologies.

Nevertheless, the report is well done and worth reading. Take this opportunity to address (or re-examine) your shadow IT policies, procedures and cybersecurity in your organization.
