
Shadow IT

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 192.45.72.27 (talk) at 16:24, 3 May 2012. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Shadow IT is a term often used to describe IT systems and IT solutions built and used inside organizations without organizational approval.

Shadow IT is considered by many to be an important source of innovation, and such systems may turn out to be prototypes for future approved IT solutions. On the other hand, shadow IT solutions are often not in line with the organization's requirements for control, documentation, security, reliability, etc.

Compliance issues

It is a term used in IT for any application or transmission of data, relied upon for business processes, which is not under the jurisdiction of a centralized IT or IS department. The IT department did not develop it, or was not aware of it, and does not support it. This creates ‘unofficial’ and uncontrolled data flows, which makes it difficult to comply with the Sarbanes-Oxley Act (USA) and many other compliance-centric initiatives, such as:

Examples

Some examples of these unofficial data flows are USB sticks or other portable data storage devices, MSN Messenger or other online messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing, and Skype or other online VoIP software, as well as less straightforward products such as self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks are introduced when data or applications are moved outside protected systems, networks, physical locations or security domains.

Reasons for use

Generally, it is believed that employees use shadow IT systems because they think there is no other way to get the data they need to do their jobs. For example, they might use spreadsheets for data analysis because they know how to use them, they are "free", they can exchange information with everyone and, most importantly, they get the results they need.[1]

A study[2] confirms that 35% of employees feel they need to work around a security measure or protocol to be able to do their work efficiently. 63% send documents to their home e-mail address to continue work from home, even when they are aware that this is probably not allowed.

Implications

Besides security risks, some of the implications of Shadow IT are:[3]

Wasted time

Shadow IT adds hidden costs to organizations, consisting largely of non-IT workers in finance, marketing, HR, etc., who spend a significant amount of time discussing and re-checking the validity of certain data.

Inconsistent business logic

If a ‘shadow IT’ spreadsheet application encapsulates its own definitions and calculations, it is likely that over time inconsistencies will arise from the accumulation of small differences from one version to another and from one group to another, as spreadsheets are often copied and modified. In addition, many errors that occur from either lack of understanding of the concepts or incorrect use of the spreadsheet frequently go undetected due to a lack of rigorous testing and version control.

Inconsistent approach

Even when the definitions and formulas are correct, the methodology for doing analysis can be distorted by the arrangement and flow of linked spreadsheets, or the process itself can be wrong.

Wasted investment

Shadow IT applications sometimes prevent full return on investment (ROI) from investments in systems that are designed to perform the functions now replaced by Shadow IT. This is often seen in data warehousing (DW) and business informatics (BI) projects, which are initiated with good intentions but where the broader and consistent usage of DW and BI in the organization never really gets started.

Inefficiencies

Shadow IT can be a barrier to innovation by blocking the establishment of more efficient work processes. Additional performance bottlenecks and new single points of failure may be introduced when Shadow IT systems layer on top of existing systems. Data might be exported from a shared system to a spreadsheet to perform the critical tasks or analysis.

Higher risk of data loss or leaks

Shadow IT data backup procedures may not be provided or audited. Personnel and contractors in Shadow IT operations may not be put through normal education, procedures or vetting processes.

Barrier to enhancement

Shadow IT can act as a brake on the adoption of new technology. Because spreadsheets, for example, are deployed to fill critical needs, they must be replaced carefully. But lacking adequate documentation, controls and standards, that process is slow and error-prone.




References

  1. ^ Sherman, R., 2004, Shedding light on Shadow Systems, DM Direct, Athena IT Solutions.
  2. ^ RSA, November 2007, The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk, available from: http://www.rsa.com/company/news/releases/pdfs/RSA-insider-confessions.pdf
  3. ^ Raden, N., October 2005, Shadow IT: A Lesson for BI, BI Review Magazine, Data Management Review and SourceMedia, Inc.