Shadow IT

In big organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, to bypass^[1] limitations and restrictions that have been imposed by central information systems.^[2] While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.^[3]

Origins

Information systems in large organizations can be a source of frustration for their users.^[2] In order to bypass limitations of solutions provided by a centralized IT department, as well as restrictions that are deemed detrimental to individual productivity, non-IT departments might develop independent IT resources and for the specific or urgent need or requirements.^[4] In some cases, IT specialists could be recruited or software solutions procured outside of the centralized IT department, sometimes without the knowledge, or approval of corporate governance channels.

Benefits

Although often perceived as attempts to undermine corporate governance, the existence of shadow IT often is an indicator of needs from individual departments not being satisfied from a centrally managed information ecosystem. Thus the immediate benefits of shadow IT are as follows:

Innovation: Shadow IT could be seen as sandbox for potential or prototype solutions in response to evolution of changing business requirements. Also, alignment between departments can be avoided or enhanced dependent on the constraints within the broader business.
Individual productivity: Shadow solutions are customized to the needs of the individual departments and thus allows the individuals involve to be more effectively. A study^[5] confirms that 35% of employees feel they need to work around a security measure or protocol to work efficiently.
Reduced internal costs: Some shadow policies, such as BYOD, reduces direct hardware and software costs, while allowing localized support decreases overhead for IT departments.

Drawbacks

In addition to information security risks, some of the implications of shadow IT are:^[6]^[7]

Costs: Additional time and investment could incurred at a corporate level on additional integration and validation and compliance of discovered shadow IT infrastructures. On the other hand, department choosing the solutions with the lowest price-tag for their shadow solutions might not have considered costs for deployment and maintenance. This also results in diminished return on investment in case of insufficient buy-in.
Consistency: As shadowed technical solutions might beyond centralized version control, they might deviate from standardized methodologies or calculations. Multiple, coexisting shadow infrastructures also introduces a heavily fragmented application landscape. This also makes centralized configuration management more difficult.
Operating inefficiencies: Established shadow solutions might prevent overall implementation of more efficient processes due to widespread use or inadequate documentation. The shadow system might also be beyond the capacity of the centralized IT department for integration and maintenance, especially when it becomes "too big to fail".

Compliance

Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with various legislations, regulations or sets of best practices. These include, but are not limited to:

Sarbanes-Oxley Act
(US)
Basel II (International Standards for Banking)
GLBA (
Gramm-Leach-Bliley Act),^[8]

COBIT (

Control Objectives for Information and related Technology

)

FISMA (Federal Information Security Management Act of 2002)
DFARS (
Defense Federal Acquisition Regulation Supplement
)
GAAP (
Generally Accepted Accounting Principles
)
HIPAA (Health Insurance Portability and Accountability Act)
IFRS (International Financial Reporting Standards)
ITIL (
Information Technology Infrastructure Library
)
PCI DSS (Payment Card Industry Data Security Standard)
GDPR (General Data Protection Regulation),^[9]
CCPA (California Consumer Privacy Act)
NYDFS (
New York Department of Financial Services) ^[10]

Prevalence

Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations are reluctant to voluntarily admit their existence. As a notable exception, The Boeing Company has published an experience report [1] describing the number of shadow applications which various departments have introduced to work around the limitations of their official information system.

According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget.^[11]

A 2012 French survey ^[12] of 129 IT managers revealed some examples of shadow IT :

Excel macro 19%
Software 17%
Cloud solutions 16%
ERP 12%
BI systems 9%
Websites 8%
Hardware 6%
VoIP 5%
Shadow IT support 5%
Shadow IT project 3%
BYOD 3%.

Examples

Examples of these unofficial data flows include

VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros

. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.

References

^
S2CID 2038883.[1]

^
ISBN 1136430482
.

ISSN 1617-9854
.

ISBN 978-3540323068
.

^ RSA,November 2007,The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk,available from (PDF), archived from the original (PDF) on February 11, 2012, retrieved September 15, 2017

^ Myers, Noah and Starliper, Matthew W. and Summers, Scott L. and Wood, David A., The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making (March 8, 2016). Available at SSRN: http://ssrn.com/abstract=2334463 or https://dx.doi.org/10.2139/ssrn.2334463

^ Fábián Tamás, Shadow IT in the New IT Management Triangle (2022). Available at https://doksi.net/en/news.php?order=ShowArticle&id=1909

^ "Gramm-Leach-Bliley Act".

^ "Under Construction".

^ "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.

^ "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.

^ RESULTATS DE L’ENQUETE SUR LE PHENOMENE DU "SHADOW IT" par Thomas Chejfec : http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/

External links

[2] Discussion on Tech Republic

[3] Industry's First Cloud Adoption and Risk Report

[4] Shadow IT in the New IT Management Triangle

Retrieved from "https://en.wikipedia.org/w/index.php?title=Shadow_IT&oldid=1219007644"

[Handel-2010-1] 
S2CID 2038883.[1]

[Newel-2006-2] 
ISBN 1136430482
.

[3] ISSN 1617-9854
.

[4] ISBN 978-3540323068
.

[5] RSA,November 2007,The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk,available from (PDF), archived from the original (PDF) on February 11, 2012, retrieved September 15, 2017

[6] Myers, Noah and Starliper, Matthew W. and Summers, Scott L. and Wood, David A., The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making (March 8, 2016). Available at SSRN: http://ssrn.com/abstract=2334463 or https://dx.doi.org/10.2139/ssrn.2334463

[7] Fábián Tamás, Shadow IT in the New IT Management Triangle (2022). Available at https://doksi.net/en/news.php?order=ShowArticle&id=1909

[8] "Gramm-Leach-Bliley Act".

[9] "Under Construction".

[10] "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.

[11] "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.

[12] RESULTATS DE L’ENQUETE SUR LE PHENOMENE DU "SHADOW IT" par Thomas Chejfec : http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]