Thanks to delivery models based on cloud and software-as-a-service (SaaS), it’s possible for virtually any employee to find, buy, and download applications for just about any purpose. And while this ease of use increases an employee’s access to technology, the use of unauthorized applications — also known as "shadow IT" — can create major problems for a company.
To find out more about the prevalence of shadow IT and how to manage it, insiderPROFILES recently spoke with Lynda Stadtmueller, Program Director at Stratecast, a division of market research firm Frost & Sullivan that recently conducted a survey on the use of unauthorized applications in the enterprise. Following are excerpts of that interview.
Q: Based on your research, how prevalent is shadow IT in the enterprise today?
We know the most prevalent kind is the use of unapproved software — mostly via SaaS applications — so we focused our research in that area with the goal of quantifying it. And we were surprised to find out just how prevalent it is. Our research shows that more than 80% of line-of-business managers use at least one non-approved SaaS application to do their jobs. And even more surprisingly, we found that the guardians of the data assets, the IT organization, are actually even more likely to do so.
Q: Are there specific departments or areas where you see shadow IT taking place more?
We found pretty consistent use across all functional departments, which was somewhat surprising. We found that even legal and HR departments were consistently choosing their own solutions. These are organizations you might not expect to because of the sensitive nature of their data.
Q: What does the future trend in IT look like?
Given the acceleration of the consumerization of IT and the greater options available in a low-barrier-to-entry SaaS model, there will be more opportunity to use unapproved software and an increased comfort level in doing so across the business. So it would be safe to say that means higher adoption of unapproved IT if left unchecked.
However, more businesses are beginning to recognize that they need to address the issue. So while there is likely to be more choice among employees for IT, it won’t be considered “shadow IT” in the future; it will become a monitored or approved choice of some kind.
Q: What’s driving the increased use of unapproved applications?
The consumerization of IT and the growth of mobile technology have affected users’ comfort and empowerment levels. A decade ago, IT was something that was handled by specialists. Now non-technical people are not only able to, but feel comfortable selecting and implementing their own software.
And in a broader sense, what’s really driving this has more to do with how businesses are shifting the way they measure their employees. Many companies now use outcome-based measurements to evaluate employee performance.
Employees are given set goals to meet and told they need to be more agile and innovative to meet those goals. More employees today are paid to think creatively and come up with solutions, and that leads employees to seek out and select the tools that will help them meet their goals.
Q: According to the report, an entire generation today has never installed software from a disk. Is there a generational aspect to shadow IT?
We didn’t slice the survey results by age of respondent, but it is certainly true in the consumer market, as well as in business. Basically, the IT users who are most familiar with technology don’t think in terms of SaaS or installed software. They think, “I need an application so I will click and download it.” It’s simply about getting the right or desired application.
Q: What are the risks and possible impacts of shadow IT going unmonitored?
When individuals select and buy their own software for their personal use at home, their decision affects no one but themselves. In a business setting, employees who engage in shadow IT may not understand how their personal decisions affect the corporation. For example, perhaps the biggest issue is not necessarily how you get and use the application, but what goes out as a result of using it. Using a SaaS application allows another window into the corporate network and data, which creates the risks of corrupted data, unauthorized access, viruses, malicious attacks, and other similar issues. A big risk is that an employee may inadvertently send out proprietary data — like customer or employee private data — in a non-secure way.
Of less concern is the creation of issues of reliability and availability. The unauthorized application may not be part of corporate backup and recovery schemes, and therefore, you run the risk of losing data.
You also have the issue of money. Financially, if hundreds of employees sign up and pay for various applications, some of which might do the same thing as others and could have a volume discount negotiated, that is inefficient and costly.
Q: How can this activity be monitored? Is that an IT challenge, or does procurement get involved if employees are buying the applications?
Yes, procurement could get involved. But a lot of SaaS applications are available free in some capacity, so procurement likely won’t know because there won’t be a record of that purchase anywhere in the company.
And employees are more likely to assume it’s okay to use the application if it’s free. They think solely about the financial impact on the company. Some employees are even willing to pay out of pocket to get these applications — they’d rather pay than use something that doesn’t meet their exact needs.
Start by figuring out what you’ve got coming and going on your network. Don’t start by immediately cracking down; start by building an inventory.
You’re going to find unauthorized internet use for non-work things, but that’s really a problem for the line-of-business managers, HR, or the network folks to allocate bandwidth, and that’s not all that risky. A lot of companies may have a monitoring solution in place, but they’re using it to look for the wrong things. They’re worried about Facebook and Pandora, but that’s not the big problem or risk. What’s more important is what traffic and what data is leaving your network and how you get your arms around it.
Q: Who is responsible for defining what is and isn’t shadow IT?
The definition has to come from the top, like any kind of big decision. It has to start with a standardized policy. What does the company want? If it’s left to only IT and if the directive IT is given is “stop rogue IT,” then they will slap on a software package to block access to all but a few apps. That’s the wrong approach, but a lot of companies implement that strategy because they see the problem as being too many unauthorized apps in use. They think the solution must be to stop the usage.
But the business wants employees who are innovative, empowered, creative, efficient, and effective, and that solution conflicts with the use of innovative IT. So instead of saying, “We have to circle the wagons and close the doors,” the message has to come from the executive suite to enable employees in a way that still protects corporate assets; that message will produce a different approach.
Often, they’ll list the top software packages and charge IT with finding a way to safely allow employees — if not complete openness in choosing — at least a very broad list of top packages for use. Let them choose what helps them the most, but then find a way to make sure data isn’t being released and certain sub-functionality is deactivated.
Q: Was there anything in the research that you found especially interesting or surprising?
One point that came out of this research is that there is tremendous confusion from respondents about what the company policy is. There are a lot of folks using applications suspecting it’s not allowed, but the actual policies are very vague or people just don’t know how to access the policy. The policies have to be communicated. When the IT organization issues a PC that has apps on it, do the employees think those are the only apps they can use on the PC? How does IT communicate that? Without a clear policy, it’s hard to convey that message.
This is about protecting the business. If a company in your industry has a data breach that can be traced to shadow IT, circulating that story is the best way to get the message out. Let everyone in your company know this is what can happen. Then it becomes internalized, which is vital because you need your entire employee base to buy into the idea. The company can provide as much choice and options as possible, but the employee has some responsibility for protecting the corporate data assets.