Shadow IT: Difference between revisions

In big organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, to work around^[1] the perceived shortcomings of the central information systems.^[2] Shadow IT often introduces security and compliance concerns.

Origins

Information systems in large organizations can be a source of frustration for their users.^[2] In order to bypass perceived or actual limitations of solutions provided by a centralized IT department, other departments may build up independent IT resources to suit their specific or urgent requirements.^[3] It isn't uncommon for resourceful departments to hire IT engineers and purchase or even develop software themselves, without knowledge, buy-in, or supervision from a centralized IT department.

Implications

In most organizations, the prevalence of shadow systems results in a heavily fragmented application landscape, where consistency, security and governability are sacrificed to achieve the necessary level of business agility, whether for the purpose of innovation or mere survival.

Benefits

The main benefit of shadow IT is the increased reactivity. The host department has direct power over its shadow IT resources, as opposed to central ones. Also, alignment between departments, a time-consuming and sometimes impossible task, is avoided.

For example, with the rise of powerful desktop CPUs, business subject matter experts can use shadow IT systems to extract and manipulate complex datasets without having to request resources from the IT department. The challenge for IT is to recognize this activity and improve the technical control environment, or to guide the business in selecting enterprise-class data analysis tools.

Placing barriers to shadow IT can be the equivalent of improving organizational security. A study^[4] confirms that 35% of employees feel they need to work around a security measure or protocol to work efficiently. 63% send documents to their home e-mail address to continue work from home, even when they are aware that this is probably not allowed.

Drawbacks

Besides security risks, some of the implications of Shadow IT are:^[5][6]

• Wasted time Shadow IT adds hidden costs to organizations, consisting largely of non-IT workers in finance, marketing, HR, etc., who spend a significant amount of time discussing and re-checking the validity of certain data, setting up and managing systems and software without experience.
• Inconsistent business logic If a ‘shadow IT’ spreadsheet application encapsulates its own definitions and calculations, it is likely that over time inconsistencies will arise from the accumulation of small differences from one version to another and from one group to another, as spreadsheets are often copied and modified. In addition, many errors that occur from either lack of understanding of the concepts or incorrect use of the spreadsheet frequently go undetected due to a lack of rigorous testing and version control.
• Inconsistent approach Even when the definitions and formulas are correct, the methodology for doing analysis can be distorted by the arrangement and flow of linked spreadsheets, or the process itself can be wrong.
• Wasted investment Shadow IT applications sometimes prevent full Return on investment (ROI) from investments in systems that are designed to perform the functions now replaced by Shadow IT. This is often seen in Data warehousing (DW) and Business informatics (BI) projects, which are initiated with good intentions, where the broader and consistent usage of DW and BI in the organization never really starts off. This can also be caused by management failure to anticipate deployment, licensing and system capacity costs when attempting to deliver DW & BI solutions. Adopting an internal cost model that forces potential new users of the DW/BI system to choose cheaper (shadow) alternatives, also plays a part in preventing successful enterprise implementation.
• Inefficiencies Shadow IT can be a barrier to innovation by blocking the establishment of more efficient work processes. Additional performance bottlenecks and new single points of failure may be introduced when Shadow IT systems layer on top of existing systems. Data might be exported from a shared system to a spreadsheet to perform the critical tasks or analysis.
• Higher risk of data loss or leaks Shadow IT data backup procedures may not be provided or audited. Personnel and contractors in Shadow IT operations may not be put through normal education, procedures or vetting processes. Originators of Shadow IT systems may leave the organization often leaving with proprietary data or leaving behind complicated systems the remainder of staff cannot manage.
• Barrier to enhancement Shadow IT can act as a brake on the adoption of new technology. Because IT artifacts, e.g., spreadsheets, are deployed to fill critical needs, they must be replaced carefully. But lacking adequate documentation, controls and standards, that process is slow and error-prone.
• Organizational dysfunction Shadow IT creates a dysfunctional environment leading to animosity between IT and non-IT related groups within an organization. Improper motivations behind Shadow IT efforts such as seeking job-security (i.e., "Bob is the only person with this data," or "What will happen if he leaves?"), data hoarding, self-promotion, favor trading, etc. can lead to significant management issues.
• Compliance issues Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with the Sarbanes-Oxley Act (US) and many other compliance-centric initiatives, such as: Basel II (International Standards for Banking), GLBA (Gramm-Leach-Bliley Act),^[7] COBIT (Control Objectives for Information and related Technology), FISMA (Federal Information Security Management Act of 2002), DFARS (Defense Federal Acquisition Regulation Supplement), GAAP (Generally Accepted Accounting Principles), HIPAA (Health Insurance Portability and Accountability Act), IFRS (International Financial Reporting Standards), ITIL (Information Technology Infrastructure Library), PCI DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation),^[8] CCPA (California Consumer Privacy Act), NYDFS (New York Department of Financial Services) ^[9]

Prevalence

Shadow IT is notoriously hard to measure. Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations typically don’t volunteer these. As a notable exception, The Boeing Company has published an experience report^[1] describing the alarming numbers of shadow applications which various departments have introduced to work around the limitations of their official information system.

According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget.^[10]

A 2012 French survey ^[11] of 129 IT managers revealed some examples of shadow IT :

• Excel macro 19%
• software 17%
• cloud solutions 16%
• ERP 12%
• BI systems 9%
• Websites 8%
• hardware 6%
• VoIP 5%
• shadow IT support 5%
• shadow IT project 3%
• BYOD 3%.

Examples

Examples of these unofficial data flows include USB flash drives or other portable data storage devices, instant messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.

References

1. Handel, Mark J.; Poltrock, Steven (2011). "Working around official applications: experiences from a large engineering project". CSCW '11: Proceedings of the ACM 2011 conference on Computer supported cooperative work. pp. 309–312. doi:10.1145/1958824.1958870. S2CID 2038883.
2. Newell, Sue; Wagner, Eric; David, Gary (2006). Clumsy Information Systems: A Critical Review of Enterprise Systems. Agile Information Systems: Conceptualization, Construction, and Management. p. 163. ISBN 1136430482.
3. Zarnekow, R; Brenner, W; Pilgram, U (2006). Integrated Information Management: Applying Successful Industrial Concepts in IT. ISBN 978-3540323068.
4. RSA,November 2007,The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk,available from (PDF), archived from the original (PDF) on February 11, 2012, retrieved September 15, 2017
5. Raden, N., October 2005, Shadow IT: A Lesson for BI, BI Review Magazine, Data Management Review and SourceMedia, Inc.
6. Myers, Noah and Starliper, Matthew W. and Summers, Scott L. and Wood, David A., The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making (March 8, 2016). Available at SSRN: http://ssrn.com/abstract=2334463 or https://dx.doi.org/10.2139/ssrn.2334463
7. "Gramm-Leach-Bliley Act".
8. "Under Construction".
9. "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.
10. "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.
11. RESULTATS DE L’ENQUETE SUR LE PHENOMENE DU "SHADOW IT" par Thomas Chejfec : http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/

External links

• [1] Discussion on Tech Republic
• [2] Industry's First Cloud Adoption and Risk Report