SaaS adoption is growing at a remarkable pace. Businesses keen to update old legacy systems are faced with two options: rebuild software solutions from scratch or look for existing SaaS solutions intended for the same purpose at a fraction of the cost. Although the payoff from custom software can be substantial, it also generally requires a larger initial investment, so it's no shock that some businesses, mainly startups, choose SaaS solutions. SaaS solutions are easy to navigate and present the opportunity for teams that don't require much customization to take control of their technology and improve upon processes.
As the first cloud service to truly take off, SaaS has a significant lead on other cloud services. This rise in SaaS adoption is an indicator of the practicality, convenience, and accessibility of the software-as-a-service model. However, the approach is not without risks.
Rise of shadow IT in the SaaS era
Imagine a company's business head trying to pull some data to make a quarterly update. She's trying to copy information, create her reports, and draw up her graphs manually on Excel. It's a time-consuming process, and she wonders if there's an easier way to do this.
She explains her situation to the company's IT team, who inform her that they could build her a solution, but they've got about six months of projects ahead of hers. She can't wait that long, so she considers her options:
Tackle a long line of approvals, and push her requirement to the front of the queue
Continue slogging it out
Look for a ready-made solution online
You can probably guess what she's most likely to do, by this point.
Cloud computing has made it easier for workplace users to bypass IT security protocols to access the programs they need to fulfill their job requirements. Studies show that employees are responsible for a high percentage of all cloud app downloads, and while 35% is purchased at department level, only 15% can be subscribed to IT teams. This shows that the bulk of software procurement happens without the knowledge of the IT security department within the enterprise.
IT supervision and governance policies for software procurement are in place to protect the organization, but they don't address the challenges of IT users at the workplace. The freedom of adopting unapproved SaaS software at the workplace creates the opportunity for shadow IT.
What is shadow IT?
Shadow IT is any IT technology- solutions, services, projects, or infrastructure that a company builds or buys without their internal IT department's formal approval and support. Shadow IT technologies generally don't align with organizational requirements and policies on:
Service level agreements (SLAs)
Other key factors
The most widespread form of shadow IT systems are SaaS offerings. These include unique products and solutions that address specific requirements not included in the IT solutions already supported by the organization.
The second most common source is commercial desktop software and phone and tablet apps. Cellphones and tablets are usually locked down for email, but they are frequently left open for app installations. Remote PCs and laptops configured as desktop administrators, employees using their own devices not controlled by IT often house unauthorized free and commercial software.
Why do users turn to shadow IT?
Despite caution from IT teams, business users continue to download, subscribe to, and share apps they find to get their job done. These downloads are made bypassing company protocol and risking confidential data, but users feel they have no other choice.
For example, a sales team member is meeting with a prospect. The prospect prefers Zoom, even though the sales team's organization uses WebEx. The sales team member may then download Zoom to connect with the prospect. Research shows that 35% of employees need to work around IT security protocols and access unauthorized programs to get their work done.
Companies play a major part in employees downloading unauthorized programs by:
Not providing support for software that employees require
Making the governance, approval, and provisioning process slow, to the point of ineffectiveness
Why is shadow IT bad for business?
Lack of visibility - IT teams have to categorize their applications, quantify their importance, analyze risks, and determine how to support them—and data on shadow IT software doesn't give them the visibility to do this. More software causes more potential points of failure. This raises risks for security and regulatory non-compliance, makes it harder to find data leaks, and hinders teams from performing disaster recovery measures for this data when required.
Loss of data - Organizations, can lose access to cloud-based data stored on unauthorized programs, mainly if the employee who owns the information leaves the organization—for example, a personal Dropbox account where a user keeps customer contracts and other project documentation. Without the user, the company may face problems getting critical customer information back from the user's personal account. Personal cloud service accounts may also get quickly disconnected when the user stops paying their bills.
Inability to see the big picture - If the organization isn't informed of data flow, IT teams can't plan for capacity, security, and performance. Storing and using data in disparate and siloed shadow IT apps can lead to skewed data analysis and reporting. This gets even more complicated when data versions exist in different unmapped infrastructure locations. It then ends up requiring hours of menial patchwork effort to collect meaningful metrics and understand what your organization's data is trying to tell you.
Cost - Once a shadow IT system, like cloud storage, becomes critical to a project and IT users need to scale resources, the cost incurred by the organization to continue using the service may be unjustified.
Noncompliance - Usage of shadow IT can have far-reaching consequences, especially for organizations subject to stringent compliance regulations. Shadow IT creates additional audit points where proof of compliance must be expanded. For instance, if a healthcare institution stores sensitive patient data in unauthorized cloud storage, they will eventually have to audit, identify, and disclose the scope and impact of each incident.
Risk of cyber attacks - When unmanaged data repositories lie outside established security boundaries, weak credentials risk the exposure of privacy-sensitive information to cyber-attacks. None of the organization's penetration testing, intrusion detection, or threat log management will be able to cover shadow IT.
Kills collaboration - Spreading tasks and conversations across multiple tools and platforms makes for inefficient collaboration. When one part of a team is on Slack, another on Google Hangouts, and another on Skype, you have a fundamental problem: the conversations are happening, but there's no common place for standardized collaboration that can be seen or shared by/with anyone else. This is critical for distributed organizations where team members don't share physical space.
Shadow IT comes with an extensive list of problems, yet so many companies still struggle with it. Why are employees and teams so quick to take on the risks of using new tools?
The answer is the results. Many downloadable solutions, despite their risks, fill the gaps many traditional software solutions can't. A business that uses legacy software made in 2001 may no longer have all the features that employees need in 2021. So the employees find workarounds. It's easier to download the necessary apps and buy a few licenses rather than ask an already busy IT team to rework legacy software that contains years of data.
Shadow IT is a symptom of a much bigger problem, and its rise is a marker of the need for customizable tools that can be task-specific, but are flexible enough to do precisely what individuals need—not just entire departments or the company as a whole.
What is the rise in shadow IT trying to tell us?
This rise in shadow IT services can usually mean a few things:
The need for highly customizable software, flexible enough to be tweaked to any specific workflow
Technology made for the workplace is developed to appeal to as many departments/tasks/groups as possible, so tools often come with very rigid limits for customization. Office software offers a wide array of features, but these features are often generic; they don’t serve specific workflows without requiring the user to jump through several extra, unnecessary steps. All this points to the need for customization—tools that can be task-specific but flexible enough to do precisely what users need.
IT departments should be able to provide solutions quicker
Employees are tired of waiting for their IT department for an application or service, since implementations often take a long time. IT departments simply cannot attend to every implementation in the designated time frame, making shadow IT an unavoidable and dangerous necessity. Custom software development and implementation needs to be faster.
There is high demand for technology that responds to market changes & user needs
The way we do business is constantly in flux, and technology is often at the core of those developments, spread across four or five different platforms. As the business grows and technology shifts, there's a pressing need for tools to adapt to these circumstances.
Unfortunately, however comprehensive an office suite of tools is, users may not find the right tool to meet a sudden requirement. So they find workarounds using new tools that can help them keep pace with demand. If companies can’t find a solution to keep their resources all-encompassing and responsive, then shadow IT is a given.
How to respond to shadow IT
Here are some approaches that you can use to respond to shadow IT:
Take strategic measures to reduce the need for shadow IT solutions
Here are a few things you can do to reduce the need for shadow IT:
Break the silos between IT team and users: Discover the needs of employees and enable more effective communication between IT departments and users. To provide efficient solutions, IT must understand end-user requirements, experience, and feedback on existing and new required technologies.
Educate users on the risks associated with shadow IT and how they can fulfill technology requirements without bypassing standard governance protocols. Security-aware employees are more likely to look for appropriate solutions to address their technology needs.
Detect and monitor for shadow IT, proactively: Deploy technology that can monitor network activity, unauthorized purchases, data migration, IT usage patterns, and other indicators of shadow IT. Proactive discovery practices like reviewing on-premises web filtering logs and configuration management databases can help you discover instances of shadow IT.
Establish policies that anticipate and manage shadow IT
Develop an IT governance structure with user-centric policies that use vetted technologies. Establish policy enforcement with the flexibility to evolve and respond to the changing IT needs of end users. Compiling a list of sanctioned, authorized, and prohibited organizational IT resources can be made part of your organization's monthly security review. Continuous assessment of workplace technology can allow organizations to mitigate the risk of shadow IT.
Consider tools that strike a balance between agility and security
Employees look to third-party applications because either their internal IT team is unable to provide the tools they need or the tools they need cannot be verified. One solution is for IT to meet every business user's need, but this isn't really feasible in many situations. Even if an organization hires more programmers, there will still be additional requests, and homegrown solutions aren't always as functional as users want them to be.
How can one get flexibility and customization without chasing shadow IT solutions? Simple custom app development is the solution that comes to mind—the ability to build custom business applications without the need to spend long project timelines on traditional app development.
There are significant advances in the software industry; new tools and development platforms that can allow companies to work inside a single ecosystem and support all their needs: security, flexibility, management, and maintenance. Better yet, there are platforms that can deliver highly customizable features, workflows, and interfaces.
Enter low-code, a sustainable custom solution
Low-code platforms speed up the development of enterprise solutions. A low-code platform authorized by an organization's central IT department can be essential to mitigating shadow IT.
Low-code application platforms deliver many powerful benefits, like allowing business users and citizen developers to quickly create solutions on their schedule, and not based on the priorities of the IT department. However, the central IT department must govern and support the low-code platform. Instead of leaving employees to fend for themselves with hopelessly slow manual processes, teams can have the tools they need to create solutions. Low-code platforms give teams the freedom to develop the applications they need without the risks of shadow IT.
Low-code vs. shadow IT
After a thorough evaluation of leading low-code platforms, central IT can find one that meets an enterprise's requirements. Business users can then use the platform to build tools that meet enterprise regulations, bridging the gap with IT.
Modern low-code platforms can help battle shadow IT by providing you with:
A digital sandbox environment where you can securely build and test your business applications
A development platform with a visual programming interface that users at any level of technical proficiency can easily learn and use
Drag-and-drop graphics that you can use to build robust, customizable databases and optimized workflows
Applications that can be maintained and modified in real time, as per user needs
Separate development, testing, and production environments, and easy deployment
Scalability to extend applications from personal use to departmental to organization-wide
Integration options and APIs so you can seamlessly access data from other enterprise-wide systems
Out-of-the-box security and authentication
Both on-premises and cloud options for enterprises, so you can choose the solution better-suited to your office infrastructure
Not all low-code platforms provide these features, so make sure the platform you choose adheres to your organization's guidelines.
What would a low-code enterprise ecosystem look like?
Suppose a member of the marketing team of a software company needs to collect customer use cases. They need the support of the sales team or account management to identify the customers who can share their stories. The data they need for the use cases includes the customer's name, the product features they use, the customer's challenge, and more.
The marketer outlines a basic flowchart of what the workflow to produce more customer stories might look like. They outline the steps for the process of data collection, identify the information they need, and determine who will be responsible for each step.
Once the requirements are clear, they open the company-approved low-code software to create the workflow. Then, without code or the IT team's help, they build a new workflow in the matter of an hour or two. When it's done, they launch it—and now it's ready for use.
Because the new workflow is built within the company-approved ecosystem, it doesn't fall outside IT guidelines. The application doesn't require new software adoption since it's created in a pre-existing enterprise software platform. Best of all, it's something the marketer can design and build without developer help, and without trying to communicate their vision with the IT team.
Create new workflows to respond to new requirements
Build solutions on their own, without relying on IT or third-party developers
Get the customization they need without wasting time evaluating new tools
Create a solution without putting their data or the company's security at risk
Low-code platforms can release IT from mundane development tasks and create an environment of collaboration with employees. Customer-facing teams can pivot on demand and rapidly build solutions without waiting for IT, and IT can oversee the results, especially when these solutions are going to be deployed company-wide. Low-code development reduces the need for shadow IT, putting technology back where it belongs: supporting the business.