Shadow IT is becoming a big problem for many organizations. What are some of the things your organization does to identify and manage shadow IT?

21k views, 9 Upvotes, 26 Comments

Director of IT in Education, 1,001 - 5,000 employees
In a college environment it is very hard dealing with Shadow IT due to the fact most faculty expect "academic freedom" and can do whatever they need to in order to teach. To handle most of our Shadow IT issues we mainly try to educate our employees about the risks to the University due to the lack of security measures with Shadow IT.
VP of Product Management, 10,001+ employees
There are 2 ways in which we have been able to address Shadow IT issues. One is regulatory (SOX compliance) and the other, which is more common, is the inability of the LoB to sustain and maintain the application on their own. I have experienced some cases where the LoB teams have their own technology dev, analysis, QA and change management team to drive implementations, but fall short of meeting SOX compliance parameters.

The best way to identify them is to ask the LoB heads to self-disclose these applications in their area, failing which they will have to take care of any SOX audit issues by themselves (which most of the LoBs do not want to). Once these applications are disclosed, IT teams can create a risk profile around these apps, and share the same with LoB heads. The risk profile should indicate how quickly these applications have to be remediated to meet compliance factors. The rest is the standard SDLC process to help these applications meet the necessary standards and helping set up collaboration between LoB and Tech to manage these apps. Obviously you cannot solve all the shadow IT issues in a year or two; in fact you will have to live with it. It is a choice of which apps are to be managed by IT and which ones are to be left with the business.
1 Reply
Assistant Director IT Auditor in Education, 10,001+ employees

Did you ever consider looking at a CASB tool? I would recommend looking at McAfee MVISION Cloud. This tool is amazing; it provides critical capabilities such as identifying all cloud applications/services being accessed through your network, and it has a lot of additional capabilities for securing your network and systems.

VP of Product Management, 10,001+ employees
Yes, some of these tools can help identify the cloud application access. These tools can help you identify access to some SaaS applications, Office 365 and any other portal that LoB may be accessing for business or non-business purposes. Filtering them and identifying the right apps is hard. But unless the onus of identification and remediation is with the business, the tools will not help.
1 Reply
Assistant Director IT Auditor in Education, 10,001+ employees

I agree.

Assistant VP, Interim CIO in Education, 1,001 - 5,000 employees
What we're trying to do is make them partners-- shadow IT as partners that assist us so that we share the same policies. If you want to do certain things, do it this way. Although we don't have that big of a shadow IT presence on campus.
Founder/CTO in Hardware, 11 - 50 employees
There is a need to help educate them on the issues with running their own servers, printers etc. The reason they don't want to is they believe IT is slow and cumbersome. However, what they miss are things like security issues, regulatory and compliance issues. The other is what happens when you have a problem or the equipment fails? I will assume you have control over the network, which means you have to have the tools to detect any malicious activity and you should be able to turn off any ports for physically connected devices and should be able to pull authorization or wireless.
1 1 Reply
Director of IT in Education, 5,001 - 10,000 employees

It is a balancing act and a continuous challenge with evolving technologies.

CISO in Software, 201 - 500 employees
As for the identification, we were able to get the majority of Shadow IT under control by the following things: proactive discussion between the IT Manager and department heads - it took some time to build the trust. The key success factor was the ability of IT to prove that the majority of the "shadow" systems could have been "legalized" without any impact to the business -- IT took over the administration and that was it. The second part of that was the identification of what the company is actually paying for -- this took some effort from Corporate Finance as many of these systems were being paid on a monthly basis by various credit cards or even expensed. In the end, Finance knows they are not supposed to pay for anything IT related unless the system & vendor were formally approved by the company (there's an inventory they can easily check). Of course, in the meantime we had to improve the system / vendor introduction procedures and we did spend a lot of time on education and awareness. There are some residual non-compliances which are impossible to tame as we're in the SaaS business ourselves and we allow our employees to use company laptops also for their personal purposes, but at least when it comes to the systems we are using for collaboration and business processes, we have regained control.
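The two identification approaches in this thread (network-level discovery of cloud services accessed by users, and checking what is seen against a formally approved system inventory) can be combined in a small discovery script. The following is an added example, not code from any poster or from a CASB product; the proxy log format (timestamp, user, destination host, bytes) and the approved-inventory entries are constructed placeholders.

```python
"""Flag SaaS domains seen in proxy logs that are not in the approved inventory.

Added example. The log format and inventory below are constructed for
illustration; a real deployment would read its own proxy or DNS logs.
"""
from collections import defaultdict

# Constructed approved-system inventory (placeholder domains, not a real list).
APPROVED = {"office365.com", "salesforce.com", "github.com"}

# Constructed sample proxy log: "<timestamp> <user> <destination host> <bytes>".
SAMPLE_LOG = """\
2024-01-05T09:01:00 alice login.office365.com 4521
2024-01-05T09:02:10 bob www.dropbox.com 88211
2024-01-05T09:03:33 carol api.trello.com 1200
this line is malformed and must be skipped
2024-01-05T09:04:01 alice www.dropbox.com 340011
2024-01-05T09:05:12 dave github.com 2200
2024-01-05T09:06:45 erin api.trello.com 560
"""

def registrable_domain(host):
    """Collapse a hostname to its last two labels (naive: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def parse_log(text):
    """Yield (user, domain, bytes) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        _ts, user, host, size = fields
        yield user, registrable_domain(host), int(size)

def find_unapproved(text, approved=APPROVED):
    """Return {domain: {"users": set, "bytes": int}} for domains not in inventory."""
    seen = defaultdict(lambda: {"users": set(), "bytes": 0})
    for user, domain, size in parse_log(text):
        if domain not in approved:
            seen[domain]["users"].add(user)
            seen[domain]["bytes"] += size
    return dict(seen)

def prioritise(findings):
    """Order unapproved services by distinct-user count, then transfer volume."""
    return sorted(findings, reverse=True,
                  key=lambda d: (len(findings[d]["users"]), findings[d]["bytes"]))

if __name__ == "__main__":
    found = find_unapproved(SAMPLE_LOG)
    for d in prioritise(found):
        print(f"{d}: {len(found[d]['users'])} users, {found[d]['bytes']} bytes")
```

The ranked output is the starting point for the conversation with the LoB head: the services with the most users are the ones worth bringing into the inventory first, and a domain with one user and high volume is the one to look at for shadow data.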
CTO in Software, 11 - 50 employees
Here's a blog post that I wrote about #ShadowIT -->
Senior Director CIO Office in Software, 1,001 - 5,000 employees
I've still got a lot of meetings where people get up and talk about shadow IT. I don't really believe that shadow IT exists anymore in the way it was described. In the command and control era if anybody did anything without our knowledge, it was shadow IT, like how did you go do that? Well, anybody that talks like that, they haven't really woken up to the new reality. In fact, ironically, IT has almost become shadow IT. If you think about it, the things we manage: the laptops, the Wi-Fi network, you know, making sure the security things are taken care of in the background. You know, these are not at all top of my concerns or of most people that worry about our day-to-day business operations. They're worried about our Gainsight application or whatever. They purchased it to work in their particular functional area.

What happened was we all thought, as technologists, that information technology should be used much more pervasively and be deeply ingrained into the day-to-day operations of the company for years. We would say we're really missing an opportunity here, but it's innovating so fast. There are so many ways of getting more benefit out of technology. And then we kind of woke up and realized that functions went off and did what we said out loud. They're using technology in ways that meet their immediate interest.

Chief Security Officer in Software, 10,001+ employees
Control it at the financial level. Set policies making it a fireable offense to expense IT services instead of going through procurement where it can be identified and controlled.
1 Reply
Assistant Director IT Auditor in Education, 10,001+ employees

It is a very good way to control the paid services, but how about the free cloud services (e.g., Dropbox, LinkedIn...)? How would you find those and control them (approve/not approve)?

Director of Technology Strategy in Services (non-Government), 2 - 10 employees
Shadow IT is only a problem to the tech and security teams; to the line of business that adopted/implemented/developed it, the problem they have is that IT didn't give them what they wanted (real or perceived).

The best way to overcome shadow IT is to stop working in isolation from the business. Connect with them and start asking what they need, and then deliver on it, even if that means taking over their Shadow IT elements - it's going to save you more time than trying to shut it all down.

You're both there trying to achieve the same outcome for the overall business; keeping an 'us and them' mindset doesn't do that.
1 4 Replies
Assistant Director IT Auditor in Education, 10,001+ employees

Agreed, sometimes too many controls hinder creativity and could result in your organization losing its competitive advantage. Protect your sensitive information assets and PII data in a secure enclave (firewall), using strict access controls and 2FA.

Director of Technology Strategy in Services (non-Government), 2 - 10 employees

There's a differentiation between shadow data and shadow IT. As you say, protect your sensitive information as it is an asset, but don't worry about shadow IT so much.

Assistant Director IT Auditor in Education, 10,001+ employees

Absolutely agree, it is critical that organizations address it also.

