Shadow IT is the name given to the situation in which employees use their preferred software rather than the officially-approved software. As the ICT Co-ordiinator in a couple of schools, I did my best to lock down the school systems to avoid shadow IT, mainly because I was concerned about viruses and the potential costs of support, in terms of my time, if something went wrong. But as a user in a large local authority, I became increasingly frustrated at the lack of flexibility which meant I was obliged to use software that was far inferior to other applications that were available. Indeed, when a helpdesk application my team was using proved to be worse than useless, I quietly rebelled — and wrote my own.
The following article is written from a business perspective, but I’ve included it here because I think it highlights many of the issues involved, and provides an interesting perspective. Much of what is said could be applied to an educational environment.
The article was written by Greg Smith, Michail Papadopoulos, Andreas Macek, Noémie Bristol-Courgeon and Elliot Gilford of Global Management Consultancy Arthur D. Little. Reading time is approximately 16 minutes.
Embrace the shadow
Shadow IT is a term used to describe technology systems and solutions built and used by business units in enterprises without explicit organizational approval from the IT function.
Shadow IT is becoming both pervasive and unavoidable across a wide range of departments within most organizations. Technology now allows business users to download their own digital solutions without the permission, participation, or even knowledge of the official IT department. There have been many negative stories around the consequences of this trend. However, if managed correctly, shadow IT can actually serve as a key enabler, driving innovation and rapid time to market, rather than becoming a sinkhole for effort and budget. Given that it will happen regardless of attempted central control, IT departments should therefore learn to embrace shadow IT as an essential element of modern business life – and be prepared to manage it effectively. In doing so, they will genuinely empower employees and start to demolish the traditional divide between the business and IT.
In this article we will look at some of the drawbacks and potential benefits of shadow IT, and how companies can go about reaping these benefits. We will focus on the software-as-a-service (SaaS) aspects of shadow IT, not because all SaaS solutions are deployed as shadow IT, but rather because SaaS is currently the approach most used by employees to install shadow IT solutions.
Why shadow IT is unavoidable
Enterprise software is set up and configured to satisfy the requirements and needs of the business, rather than those of individual users. The aim is therefore to deliver a consistent, standardized approach. However, in today’s highly personalized world, where the commodity off-the-shelf applications we use every day can be heavily customized, users now expect far more of the systems they use in their business lives. In many cases standardization has led to businesses deploying inflexible, bureaucratic, non-intuitive software applications, for which it feels as if the solution is the master and the employee the servant.
IT organizations, processes, tools and technology have evolved over time to address major project and business needs – such as delivering back-office efficiency through ERP software. However, the process of re-platforming from legacy technologies and ways of working to current-day needs has simply not provided the same level of personalization and user-friendliness that employees expect in today’s consumer-driven digital world.
By contrast, shadow IT is seen as fresh and new, using what is perceived by employees as leading-edge technology. It aligns perfectly with their demands and requirements, as it was set up by business users. In addition, shadow IT embraces the latest technologies via SaaS, platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and other consumption-based models, and is agile by design – not as a costly retrofit.
Focusing on shadow IT using the SaaS model, it is obvious why users are embracing it:
- Ease of access. A SaaS application is accessible over the internet, usually solely through a browser. Little or no client software is needed, so the employee can access the service from anywhere.
- Ease of maintenance. SaaS applications are maintained by the provider. There is no necessity for the end user to install patches or updates, and no need for expensive and/or scarce internal technical resources.
- Free/low cost. SaaS applications are generally available through a pay-as-you-go licensing model – all that is needed is a credit card, with no requirement for an enterprise-level agreement (and all the complexity attached). Many are free for small-scale or personal use. Subscriptions can be terminated at any time, meaning there is no residual cost or need to write down capital expenditure.
- Fast deployment. Solutions are available on demand – end users do not have to wait to have their applications deployed or for an enterprise agreement to be signed. They can just get on with their work.
The drawbacks of shadow IT
Press coverage of shadow IT has normally concentrated on its negative points, focusing on a long list of detrimental implications. In fact, the term “shadow IT” itself is most likely to be used by IT functions in a pejorative way. This is understandable, as traditional enterprise IT departments place a premium on control and centralization, and don’t like end users going behind their backs, especially when the implied message is that what IT provides is not good enough. Shadow IT is therefore normally seen as an unacceptable risk to the organization that needs to be actively eliminated, with the most common drawbacks being that it:
- Creates inconsistency in business logic and approach, as different parts of the organization may end up using different IT services and processes, which do not necessarily integrate. For example, if some parts of an organization use Google, while others use Microsoft Office 365, this potentially creates discrepancies in working practices, such as around document sharing, meetings and communication.
- Adds extra cost to the business, as the business has to pay for its traditional services as well as shadow IT, which do not generally sit under the same budget and are not subject to the same scrutiny in terms of cost/benefits. This makes it difficult for the organization to estimate the true cost of IT. For instance, a team within the business may be using a different chat system, such as Slack, and charging it back to the business, meaning the organization ends up paying for multiple systems.
- Creates inefficiencies, as the business needs to support more than one service, which can lead to duplicate support costs, as well as introducing potential extra expenses to integrate different systems.
- Increases security risks, as data held in shadow IT services may not be managed, maintained and secured in the same way as corporate data. For example, using personal Dropbox accounts to store sensitive information might result in employees still having access to the same data after they leave the business.
- Constitutes a barrier to enhancing IT services, as end users, satisfied by shadow IT, may not feel the need to push for better services from the IT department. For instance, if discrete parts of the business are using WhatsApp or Slack for communication, they may not push for the whole organization to move away from traditional collaboration systems. This means that small pockets of employees have leading-edge tools, while the majority of the business struggles with outdated or inadequate legacy technology.
The benefits of shadow IT
Despite the long list of possible problems and opposition from IT, end users continue to see benefits from shadow IT, often crediting it as central to driving innovation, business transformation, and increased productivity. By embracing shadow IT, enterprises can realize benefits, including:
- Increased productivity. Due to their informality and the fact that they may be hidden, it is difficult to uncover metrics for improved productivity driven by shadow IT systems. However, with the main reason given by end users for using shadow IT solutions being, “I want to do my job,” the implication is that existing, official systems are, at best, cumbersome or not fully fit for purpose. The shadow IT solution provides a better user experience that allows employees to perform more effectively, driving user adoption. A good example of this is a DevOps team that ADL recently worked with, which needed to manage product fixes with suppliers in real time. The team started using the free version of Slack to reach all parties and reduce the time to detect problems. This localized success has led to a more formalized solution being rolled out for the rest of DevOps.
- Innovation. Shadow IT solutions fill a gap between what IT currently supports and what an end user needs. These gaps highlight inefficiencies with existing IT solutions, while new tools introduce innovative new ways of working that challenge existing ideas, bringing new benefits. One example of this is Trello, a lightweight tool that helps support project management, commonly used by employees who want to create a simple scrum/agile board. Using such simple and user-friendly tools would enable end users to adopt innovative ways of working faster than a more complicated one would. Innovation can come from any direction – simply limiting technology selection to the IT department reduces the potential for the rest of the company to drive new ideas and ways of working.
- Ability to attract talent. End users are generally more engaged and productive when they can choose their own systems. Therefore, allowing shadow IT helps attract and retain high-performing talent. For instance, allowing users to choose their own project management tools, such as Pivotal Tracker or Teamwork, empowers teams within the business and enables them to be more efficient.
- Flexibility. In organizations in which shadow IT is accepted, end users are more likely to follow the latest technology trends by choosing either systems they know and love (such as WhatsApp), or that are generally the best on the market. Embracing these intuitive, consumer-style technologies enables companies to move to new systems faster than through traditional channels, with less need for formal training and rollout activities.
How businesses can manage shadow IT and reap its benefits
It is a natural response for IT to feel overwhelmed by shadow IT, and to therefore attempt to block everything and anything not directly sanctioned by the IT function. However, that will stifle innovation and productivity – businesses must recognize that shadow IT emerges as employees seek to be more efficient and take control of their working lives. It is not a conscious attempt to endanger or undermine the business. As such, IT must start looking at ways to manage and monitor shadow IT usage. The enterprise must be able to keep pace with today’s rapidly evolving business landscape, and that requires taking advantage of the cloud/SaaS revolution. It also requires a more collaborative approach across the organization, recognizing that technology innovation can no longer be the preserve of a single business department.
There are multiple methods that can be used by IT to pragmatically manage or channel shadow IT:
- Training around BYOD and application/cloud services – Cloud solutions and highly connected applications, from Facebook to WhatsApp and Skype, are now part of our daily lives. However, this ubiquity tends to create a false sense of confidence in the security of all SaaS applications. Consequently, training is a vital first step to provide end users with the necessary mindset of ensuring security in the cloud.
Training and talking to users is therefore the most important step in managing shadow IT effectively. Typical IT policies, which restrict individual users from choosing the applications they are able to install, will generally not work in today’s world, as there is a whole generation of employees who solely use browser-based, cloud services in their daily lives. It is therefore much more effective to help users understand the risks, work with them to mitigate them, and inculcate a culture of trust and personal responsibility.
- IT as a platform – Traditionally, IT supports applications that aim to provide employees with the required tools for their jobs. However, as users have increasingly different and more specialized needs, they are turning to shadow IT. In this new world, IT should aim to support platforms and allow users to choose their own preferred solutions. IT’s focus should shift to supporting integration between different applications, removing barriers to choice. For example, Okta and Box’s platforms enable organizations to build identity and content collaboration into their applications, supporting multiple users based on their preferred choices and allowing simple working between both Microsoft and Google documents. One benefit of this approach is to ensure that all documents are still on the company’s platform, which negates the risk of an employee leaving with sensitive information. Effectively, by moving from maintaining a standard application to supporting a broader-collaboration platform, the real risk of data leakage is managed, rather than relying on the rigorous but ineffectual policing of an application that is increasingly bypassed.
- Network monitoring – IT should most definitely not be in the dark about which apps are being used and, most importantly, what data is being sent into the cloud. Vendors such as Microsoft and Cisco have identified this requirement, and are now offering solutions such as Cloud Access Security Broker (CASB) and Cisco’s Elastica Audit. These solutions collect data from all network devices, such as firewalls, in order to analyze traffic and provide a detailed picture of the cloud apps employees are actually using. This allows the business to effectively manage and monitor app usage and data flows. Each app can then be rated in terms of whether it meets industry standards, its security risks, and its business value, and an informed decision can be made on whether to encourage or discourage its use. Greater visibility and monitoring of shadow IT can therefore effectively allow an enterprise to foster innovation while minimizing risk.
- Shadow IT amnesty – Instead of going down the usual, binary path of blocking access to applications that employees are using, IT should attempt to talk to end users by offering an internal amnesty, bringing shadow IT into the light. This will allow IT to gain knowledge of applications being used and start a dialog, inviting end users to describe why they require a particular shadow IT solution and existing enterprise systems are not up to the task. Fostering dialog between end users and IT is often surprisingly difficult – especially for something as divisive as shadow IT. Both sides of the discussion therefore need to be prepared to leave their prejudices at the door and genuinely listen if progress is to be made.
How embracing shadow IT led to 43% OPEX savings
A global education company, operating across the world, was facing rapidly escalating costs for its video-conferencing (VC) solutions, which were a critical part of its business environment. Arthur D. Little was brought in to identify cost inefficiencies with the current solution, assess alternative VC tools, and select the best tools to fit the organization’s global needs and digital strategy.
The client had been using the same VC tool for the past 20 years, and while it had been fit for purpose in the 1990s and undergone a series of upgrades and retrofits, it no longer met today’s business needs. This resulted in two types of behavior:
- Employees who used the official tool, but asked the provider for increasing amounts of optional functionality. This led to a very complex, fragmented and costly global contract – with more than 300 additional services included in it.
- Users saw the tool as unsuitable for their needs and took it upon themselves to find a new video-conferencing solution through shadow IT.
While assessing the tools available in the market, ADL also engaged with end users to identify their VC needs and real-world use cases, while offering an amnesty for shadow IT. Employees were encouraged to be honest about their VC experiences through interviews, polls and forums. Research and employee feedback pinpointed a specific tool that not only met business needs, but that a large number of teams were already using – and even paying for separately, unknown to IT.
The client therefore added the new VC solution to its existing platform, seamlessly integrating it with the company portal, help desk and email. Additionally, training was provided on the solution, through instructor-led sessions, quick-help articles and regular open engagement on the client’s internal forum.
Embracing shadow IT and adding the VC solution to the corporate platform brought annual OPEX savings of 43%, by eliminating duplicate payments and unnecessary additional services. It also greatly simplified internal processes, as the employees’ favorite solution was directly integrated into the corporate platforms, allowing for much richer functionality. This illustrates some key lessons that can be applied more broadly:
● Embracing shadow IT and listening to employees’ needs can unlock large-scale savings
● The earlier IT engages with users, the sooner costs can be reduced
● While not all shadow IT tools work for all users, it is still likely that some tools emerging from shadow IT will become the solution of choice for the whole business.
Insight for the Executive
Shadow IT is an accepted trend, with the majority of users already deploying SaaS solutions in their workplaces without the knowledge or sanction of the IT department. There is no way to reverse this – the reality of our cloud-pervasive, highly connected world is that shadow IT is the new normal within today’s enterprise.
IT departments must learn to embrace shadow IT as an element of modern life and practices that will happen regardless. Instead, they should spend their time, energy and budgets on tools, practices and training to properly manage shadow IT and effectively empower employees.
This means the IT function needs to take a more collaborative approach across the organization, and adopt new practices for managing shadow IT by effectively making it an integral part of the overall enterprise IT strategy. This can be accomplished by:
- Training employees in using SaaS in a safe and secure manner
- Shifting the focus of IT towards platforms rather than specific applications
- Monitoring and analysis of shadow IT used
- Engaging in dialog to understand why and where shadow IT is being used, including offering an internal amnesty to ensure accurate reporting.
Shadow IT is effectively a paradigm shift in the modern world of enterprise IT that has created profound changes in the fundamental model of how IT departments must serve the needs of the business. As with all change, there are challenges to be addressed, but also ample opportunity for significant benefits to be gained.
About the authors
Greg Smith is a Partner in the London office of Arthur D. Little, and a member of the Digital Transformation Practice.
Michail Papadopoulos is a Manager in the London office of Arthur D. Little, and a member of the Digital Transformation Practice.
Andreas Macek is a Consultant in the London office of Arthur D. Little, and a member of the Digital Transformation Practice.
Noémie Bristol-Courgeon is a Business Analyst in the London office of Arthur D. Little, and a member of the Digital Transformation Practice.
Elliot Gilford is a Business Analyst in the London office of Arthur D. Little, and a member of the Digital Transformation Practice.