Why addressing Shadow IT is a struggle in the SaaS era

Shadow IT in the SaaS era

Reliance on shadow IT, which in its most basic form is the use of software, apps, or services without IT department approval, has become central to the way workers everywhere get things done. Many of us are familiar with the temptation to download a new app, sign up for a free cloud service or use personal accounts to collaborate when official systems seem slow or restrictive.

Ten years ago, this typically involved individuals using their own personal devices for company work or perhaps setting up unauthorised databases. Fast forward to today, and shadow IT is heading towards near-universal levels: according to Gartner, “by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility.” Despite the efforts of many organisations to control the use of unauthorised tools and services more tightly, or even stamp it out altogether, users have become stealthier in adopting them.

Shadow IT has also gone cloud-first. SaaS subscriptions can be activated with just an email address and a credit card. Indeed, the barrier to entry is now so low that anyone in a company can effectively become a ‘mini’ system administrator without realising it.

In particular, the rise of remote work and the explosion of SaaS apps mean employees now have more options at their disposal than ever before. On the surface, that’s empowering; an employee might spin up a free trial of a file-sharing app or a project tool to move faster, for example, but in doing so, they may also have inadvertently created a potential back door into their company’s systems.

The same qualities that make modern SaaS tools so appealing, such as instant availability, no infrastructure to maintain and easy collaboration, also make these services invisible to traditional IT management processes. It’s no exaggeration to say that while a CFO might not blink at a £20 recurring charge, that insignificant-looking tool could expose customer data, create regulatory headaches, or introduce vulnerabilities out of proportion to its cost.

Taking back control while embracing innovation

So, how can IT leaders wrestle back control of their IT estate, including those items they didn’t even know were being used? The first point to appreciate is that most employees aren’t out to undermine security; they’re just trying to get their work done. In this context, a “block everything” or “punish first” mentality really doesn’t work. Instead, a much more effective approach is to build a culture where IT is seen as a partner to productivity and effectiveness, not a roadblock. That means providing people with safe, approved options that are just as simple and convenient as the tools they have found on their own.

Visibility is key, not least because the more clearly IT can see what’s happening across the organisation, the faster they can catch patterns and step in with guidance before a minor issue grows into a real problem. For example, if the marketing team wants to try a new analytics tool, involving IT early in the procurement process doesn’t have to get in the way; it just means making sure the tool is safe, compliant, and won’t create avoidable security issues later. If IT can shift the narrative from always saying “no” to new technology requests to a place where it helps find a secure “yes,” it not only cuts down on shadow IT but also encourages the kind of creative, out-of-the-box thinking that allows people to innovate.

In practical terms, there’s never going to be one blueprint that works for every company. For some organisations, it will make more sense to prioritise on-premises infrastructure, whether for performance, compliance, peace of mind or all of these reasons. Almost inevitably, however, other workloads are better off in the cloud, where organisations have a wide choice of providers and, in many cases, mix and match to get the best blend of capabilities and pricing. Whatever the approach, the key is pulling all this together, so IT isn’t managing a messy patchwork of systems. Instead, leaders should end up with a consolidated approach across the whole environment. In doing so, they can aim for the best balance of versatility and control.

With all that in place, departments or individual members of staff don’t need to spin up their own unsanctioned tools in the background. Instead, new apps or services can be adopted without them becoming security blind spots. What businesses get is a win-win, whereby employees still get the freedom to move fast, but using processes designed to be safe from the outset. It also gives IT leaders a lot more confidence that sensitive data isn’t being shared externally when it shouldn’t be, and that their compliance processes aren’t going to be compromised by something as simple as using an innovative new tool that introduces new and uncontrolled risk.

Terry Storrar, Managing Director, Leaseweb UK

Terry Storrar is Managing Director of Leaseweb UK. With over 25 years of experience in the technology sector, Terry is a proven leader, business founder, and turnaround specialist who drives growth and innovation at Leaseweb, a global provider of cloud hosting solutions. Terry leads the UK operations and oversees the strategic direction, customer engagement, and team development of the organisation. 
