Building a Shadow IT Policy: What CEOs, CTOs, and CISOs Need to Know

When a US contact-tracing company exposed the details of 70,000 individuals, the term Shadow IT resonated: employees had used Google accounts for sharing data as part of an “unauthorized collaboration channel.”

Do you know what technology your teams are using and what company data is being used on them? If the answer is “no,” the next step should be better understanding Shadow IT.

While not a new phenomenon, Shadow IT is increasingly challenging IT security leaders as businesses shift to the Cloud and more apps are added to the network. Teams regularly rely on file storage apps, task management tools, messaging and email platforms, or even Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) systems everyday. One company with dozens of teams and hundreds of employees across unlimited channels clouds any leader’s chance of clarity in a hurry in this reality.

The main problem, though, with Shadow IT isn’t really the need for new tools, it’s the fact that people use them without IT knowing. This usually happens because they perceive IT policies as restrictive and antagonistic toward their productivity. In this way, Shadow IT is a policy, not a software, issue.

So how can leaders encourage employees to involve IT without reducing their autonomy? Put simply, the solution to Shadow IT relies on people, processes, and technology.

If you are a CEO, CTO, or CISO, or are somehow involved in technology decision making, here’s what you need to know to combat Shadow IT.

Understanding the Shadow IT issue

First, answer the question: What is Shadow IT? Gartner defines it as any IT devices, software, and/or services used in an organization that are outside the ownership or control of IT teams. In other words, it’s the use of hardware, software, or Cloud services without the approval of the Information Technology (IT) area, often introducing security and compliance concerns.

Shadow IT can encompass enterprise-grade tools or consumer tech. Some common examples of Shadow IT, only when they’re not officially licensed or sanctioned by the IT department, include:

• Productivity tools like Slack, Trello, or ClickUp
• VOIP tools like Skype
• Google Suite apps like Sheets, Docs, Gmail, or Drive
• File-sharing tools like Dropbox
• Messaging apps like WhatsApp
• File-sharing tools like Dropbox

It’s important to note that these applications are not dangerous per se, but only when they’re used as a workaround that’s different from the solutions proposed by IT. Imagine a scenario where a file is too big to send via Gmail (the official email app), so someone decides to use Dropbox instead. That’s Shadow IT.

Why is Shadow IT a concern for IT and security leaders?

The use of unsanctioned apps creates a shadow supply chain – a complex web of unknown cloud applications, user accounts, data, and permissions scattered across the internet that are connected to the enterprise network.

When the pandemic accelerated digital transformation, organizations focused on business continuity, often at the expense of cybersecurity. Certain policies were suspended to support the rapid shift to the cloud as staff tried to get things done.

In one study by HP, 76% of IT teams admitted that security lost priority in favor of business continuity during the pandemic, while 91% said they felt pressured to compromise security. As more people started using their personal devices to work from home, downloads of unsanctioned apps increased.

But Shadow IT existed way before the 2020 pandemic. Corporate users have long ago developed a habit of adopting cloud apps and services to assist them in their work, sometimes bypassing IT security policies if they found them to be too restrictive or attempting against productivity.

Shadow IT arises due to several reasons:

• The evolution of cloud computing and the accelerated digital transformation
• The increased usage of applications for sharing data in environments that were previously owned by IT
• Restrictive IT requirements and lack of flexibility in meeting user needs

Business units often assume the cloud service provider will take care of security, when in fact it’s the organization’s responsibility. But security can’t protect what they can’t see.

How to build a better Shadow IT policy

Reducing the Shadow IT risk starts with building a company-wide policy that’s not perceived as restrictive but protective of the network. Incorporating new apps isn’t necessarily detrimental to the organization, but they must be addressed appropriately. It’s important that everyone in your organization knows this.

Your Shadow IT policy should include the following sections:

• Objective
• Intended audience
• Ownership
• Monitoring and enforcement methodology
• Accountability and employee responsibility
• Allowable scenarios or exceptions

The goal of this policy is twofold: To educate users so they don’t need to turn to Shadow IT; and to be prepared to act if they do.

Shadow IT exists in nearly every organization, so you need to be able to discover, list, and classify Shadow IT assets. Consider the following categories:

1. Sanctioned
2. Authorized (not sanctioned, low danger)
3. Prohibited (not sanctioned, high danger)

This list should be continuously updated as part of routine security reviews. The next step is to decide what to do with each piece of unsanctioned and prohibited Shadow IT. Before making any decisions, try to understand the use case and the reasons why an employee decided to incorporate that technology.

Some useful questions for this discovery process include:

• What business need does this Shadow IT asset satisfy?
• Does any of our approved tools cover that need?
• Is there any other solution IT could provide that would satisfy that need?
• What risks does the Shadow IT asset create?
• What resources does it require?

Depending on how necessary the asset turns out to be, the IT team will move it to the Authorized list, replace it with an existing function, or discontinue its use.

Additional tips to reduce Shadow IT

In addition to a comprehensive policy, the following tips can help combat the undisclosed use of technology and software within your organization.