What is Shadow IT

What Is Shadow IT and How Can You Manage It?

For all the benefits cloud computing has brought, it’s also spurred a whole new set of challenges for IT teams. One of the biggest challenges is the rise of shadow IT, which is the result of employees and departments purchasing software without involving IT.

According to a McAfee report, an estimated 40% of all IT spending occurs outside of the IT department. What’s more, shadow IT cloud usage is estimated to be ten times the size of known cloud usage, which could influence storage and network infrastructure costs. In 2021, we found that SaaS Sprawl was an issue for many companies and, on average, 56% of a company’s SaaS (software-as-a-service) apps were shadow IT.

This practice has earned mixed reviews among IT leaders. While some see it as a challenge, others view it as an opportunity for innovation. Though much of shadow IT lives in darkness, IT teams still have a responsibility to bring light to as many practices as possible. IT bears a responsibility to the organization to uncover the costs and risks associated with each software they use.

To do so requires an understanding of what shadow IT is, its costs and potential security gaps, and how to leverage it in a way that benefits the organization as a whole.

What is shadow IT?

Shadow IT occurs when employees, not IT departments, buy their own tools or sign up for software trials to get their jobs done. This process has become easier to do and IT is not always involved. As a result, many of these apps are not managed and lack traditional IT oversight. In a sense, IT has become a “shared practice” mainly due to the rise in SaaS applications.

SaaS tools can require little to no involvement from IT to deploy. In many cases, all an employee needs is a credit card and an email address to sign up for new tools. Employees often do this because they feel a specific tool or program is better suited to help them in their work than the tools the company has already purchased and made available.

It’s true that shadow IT can lead to higher productivity and better business outcomes. However, it also brings a number of risks, challenges, and unnecessary expenses to the mix — all of which fall squarely on the shoulders of IT to manage.

What is an example of shadow IT?

Members of the engineering team at a company aren’t satisfied with the communications app the business has rolled out. The functionality doesn’t quite suit their needs, so they decide to purchase a new communications tool and expense it without consulting IT. As a result, the app’s compliance certifications have not been properly vetted. Though the team is able to work more efficiently now, the data they’re sharing in the app may not be secure — and the spend for the app may not be appropriately allocated.

What is the risk of shadow IT?

For many IT departments, understanding the challenges of shadow IT is a top priority. Two of the most scrutinized complexities across industries and organizations include the increase in security risks and the increase in costs associated with having too many applications.

Security risks

Perhaps the single biggest risk of shadow IT is the fact that if IT doesn’t know about an app or program, they can’t safeguard devices and the infrastructure against potential threats associated with that app.

Cybersecurity continues to be a top focus of IT teams, especially as fraudsters are increasingly creative in how they infiltrate company systems and devices. According to HashiCorp’s Jim Fazzone, “Even a $5 app can represent a large threat to security.”

A lack of knowledge means potential gaps in defense, which could make an organization more vulnerable to threats.

Data breaches

If IT doesn’t have insight into what apps are being purchased, they are unable to verify certifications and ensure compliance. As a result, employees could be loading sensitive information into unsecure apps.

An IBM-Ponemon Institute study concluded that the average data breach costs a company north of $8 million. And Spin Technology found that around 49% of cyberattacks were due to shadow IT.

What are the costs of shadow IT?

Cloud services take the lion’s share of shadow IT, largely because the barrier to entry is low. There are a number of cost-associated risks with this, however.

Duplicate and redundant SaaS apps

For starters, employees who purchase certain tools to do their job may not realize the company has already invested in similar tools that accomplish the same goal. This is akin to paying for the same thing twice.

There may also be instances where multiple teams are purchasing the same software tools and products, with each team having its own subscription. A smarter and more cost-effective approach to this would be to consolidate the service. This is another task that should fall to IT and Procurement, as they can negotiate rates and services with vendors.

Missed renewal negotiations

Not having effective SaaS renewal management leads to a number of challenges. When programs and tools come up for renewal, the person who signed up for the service may “let it ride,” even when that tool is no longer being used to the extent it was. Or worse, the “owner” of the tool leaves the company and there’s no one to manage the subscription, which means the company continues to pay for it.

Along these same lines, a lack of IT oversight can lead to ill-informed decision-making when it’s time to renew. There’s no in-depth analysis of the value the tool brings to the company, which features are being used, and how they’re being used. In turn, this can lead to poor negotiations with vendors when it’s time to renew the software.

There’s also the fact that most non-IT employees don’t realize that software costs and service levels can (and should) be negotiated with vendors. This is a responsibility that falls to IT and Procurement teams as they right-size their licensing requirements and strike deals with vendors. When employees are in control of purchasing, they may skip this step altogether and ultimately end up paying more for the same product.

Product screenshot of the Productiv SaaS Intelligence platform showing shadow IT apps discovered in an organization

Productiv discovers shadow IT for organizations and surfaces key app information on the App Portfolio page.


How to maximize the benefits of shadow IT

Despite its many risks and challenges, there are times when shadow IT can reveal opportunities and benefits to the overall health of the organization. These may include, but are not limited to:

  • Increased employee engagement
  • Faster innovation
  • Training opportunities
  • Reduced burden on IT resources
  • Insight into employee needs
  • New opportunities for improvement

Increased employee engagement

Finding the perfect app or software to tackle a problem is a huge pain point among employees. This is a big reason why shadow IT exists in the first place!

Employees take matters into their own hands to find solutions that work the way they do. In turn, this may increase employee productivity and engagement because they have more control over how they work.

Faster innovation

Innovation isn’t something that’s always planned. Rather, it’s more often forced or happens by accident.

Allowing employees to test and source their preferred tools may help companies find better workarounds or solutions than what they currently have. It takes them out of the “If it’s broken, don’t fix it” mindset and forces them to consider new, potentially better ideas.

What’s more, all of this happens at a much faster rate than if IT were planning a large-scale rollout of a new system.

Training opportunities

At this point in the shadow IT practice, an employee’s mantra is “Ask for forgiveness, not for permission.” The motivated employee will charge full-steam ahead with whatever it takes to get the job done, and this creates a multitude of training opportunities across the enterprise.

For example, once a new app does come through the IT pipeline, an IT team member can approach the employee with informed questions. Most likely, they’ll want to know why a specific software was chosen, which features are being used, how they’re being used, the cost, and other specifics.

The answers to these questions may shift the conversation down one of two paths: For starters, IT may have been introduced to a valuable new solution that might become a company standard. Or, they might introduce the employee to software that’s already available but that the employee might not have had access to.

Reduced burden on IT resources

It’s no secret that today’s IT department is overworked. They protect the digital infrastructure, keep systems running, and are constantly putting out fires. Unsurprisingly, they can’t always stop to satisfy user requests for new solutions.

When employees take on this role, they’re removing some of the burdens from the IT department. The goal, however, should be to do so in a way that’s systematized and transparent so that it doesn’t further complicate the work of IT.

Uber leverages Productiv in this way. The CIO describes how they want to adopt new tools, but in a secure and systematic method. Productiv helps them create a sandbox with guardrails – letting them test a tool in one department and really understand business value and the KPIs of a new app. Meanwhile, if a tool is being used by more than 3 departments, then it becomes a “Corporate tool”. The end goal is a dynamic toolset where departments can easily see SaaS apps that have been blessed by IT.

Insight into employee needs

When IT has a bird’s eye view of the tools and technology in use at the company, they have greater insight into which tools are being used and how they’re being used. This gives IT teams a better idea of what’s needed to do certain jobs and what each employee needs to be successful.

Only known tools can be measured in this way. When apps are unknown, IT can’t successfully determine what’s needed in a certain team’s toolbox, which may lead to future purchasing indecision. IT leaders benefit from tools like SaaS management that can uncover apps hidden in Shadow IT. This way, IT teams can have more productive and impactful conversations with employees about what they really need from a technology standpoint.

New opportunities for improvement

IT is constantly evolving. CIOs and IT leaders are continually testing new tools and looking for better solutions that will support business outcomes.

To do this, they rely on how their current landscape is performing and look for inefficiencies and opportunities to improve employee and organizational performance. This is better achieved when all apps, programs, and tools are known.

How to get rid of shadow IT

Most organizations are aware of shadow IT in their organization. We reviewed shadow IT across our data and discovered that approximately 40% of apps are found from sources such as network traffic, expense reports, and payments. Or to put it another way, this means almost half of the applications are not actively managed by IT, behind SSO, or have even gained IT’s awareness.

But asking how to get rid of shadow IT is maybe the wrong question to ask. Rather, you should ask “How can I effectively manage shadow IT and shadow IT expectations?” Completely eliminating shadow IT would be near impossible and would have negative consequences of its own (think back to the benefits listed above).

While Shadow IT creates a number of opportunities for growth and innovation, you can’t overlook the potential risks and challenges. Because of this dichotomy, the best practice is to find a balance to maximize the benefits of shadow IT without exacerbating the risks.

HashiCorp’s Jim Fazzone gave us a great summary: Shadow IT is the opportunity to look for innovation. To help you find and leverage these moments of innovation, use a SaaS management platform like Productiv to get granular insight into your organization’s technology activities.

Productiv lifts the shadow IT veilby giving you more insight into the programs being used, including feature-level data, application overlap, cost, renewals, and app ownership. Doing so allows you to continuously monitor and manage your app sprawl at scale and identify previously unknown apps so you can take the proper security measures.

Last but not least, managing shadow IT expectations means creating policies around the practice and holding your team accountable. You can’t manage what you can’t see, and having all employees contribute to a systematized practice can help keep everyone safe, productive, and happy.

What’s next?

Read about SaaS Management and how it helps businesses manage shadow IT.

Learn how to get up to 100% SaaS visibility into app usage, spend, and engagement with Productiv.

Get a demo of the Productiv SaaS Intelligence™ platform to see first hand how we help you uncover shadow IT.