Where does shadow IT come from?

Shadow IT is no longer a problem to solve—it’s a reality of modern work that must be accepted and redirected.

Talking to some, you’d get the impression that “shadow IT” is the result of an army of witless, egotistical a-holes who have invaded our ranks and lurk in the far corners of our companies. Employees hellbent on undermining IT and security teams with their own insidious agenda. Renegade adopters gleefully forsaking established protocol. But the reality is far different. Shadow IT is just a dated term for the modern reality of how technology is adopted into an organization. Shadow IT is no longer something that can be quashed, tamed, or controlled—it’s simply a new reality that needs to be accepted and redirected.

Today, employee-led IT adoption is the status quo for any modern organization. It’s the result of the last 20 years of consumer indoctrination by the internet. As consumers, we’re all quite comfortable with trading our personal information for helpful tools and services—Google, Facebook, YouTube, Yelp, Pinterest, and Twitter have trained us well. Modern SaaS go-to-market strategies embrace this comfort level. Need a new spreadsheet tool with fancy multi-colored cells? Just sign up for the free tier! Need a contact organization app? No worries, just upload your contact data and we will dedupe! Every interaction starts with minimal friction and a delightful individual interaction. This has been called the “consumerization of IT” in many forums over the years: the main focus is to get the technology in the hands of end users as quickly as possible and make that experience as streamlined as possible. 

Employees are now conditioned to seek new technology when presented with a new problem. But what happens after your employee signs up for that free taste? One of two plays is executed: either make the value the single user derives from the app so incredible that there is no realistic path backwards, or drive adoption across the organization so widespread that there is no realistic path backwards. Either of these paths puts anyone trying to manage SaaS sprawl in a tough spot: do I follow policy or get my job done faster? With the exception of very highly regulated or sensitive industries, getting your job done faster wins almost every time. The lure of efficiency is appealing up and down the chain of command, making enforcement difficult unless the consequences are extreme.

We are now in a situation where: 1. Highly task-specific software is readily available; 2. The go-to-market strategy for most of this software targets employees directly; and 3. Employees have 20 years of training by the “consumer” internet that makes them extremely comfortable adopting these services. Overall, that’s some heavy headwind driving adoption of technology by your employees. And the underlying conditions driving this behavior are not going to change. So, what can we do?

The traditional approach to managing the use of SaaS services has relied on what I trivially call “separating the good internet from the bad.” Life would be easy if our employees could only access the things we want them to and were prevented from accessing the rest. This approach is best viewed at a macro scale to start to recognize its impossibility at an organizational level. Some countries have taken the extreme measure of attempting to censor the entire internet, preventing citizens from accessing news from other countries and information related to certain topics. This has required not only continuous investment for decades, but also complete state control of internet access. Mapping this approach to your organization presents an impossible task: how do you control access to the internet for every employee, at all times? Many have resorted to the idea of “company” devices with built-in network routing to provide for this type of control, but the simple reality is that any employee with a connectivity issue (or an access issue) is quick to flip off the corporate VPN. Our ability to manage this level of control is near impossible in the age of working on the road from every kind of device.

Even more detrimental is the breach of trust the employee feels in this scenario. Control is a concept that we have culturally rejected. Whether it be for benevolent or malicious reasons, we are wired to push back and revolt when we feel caged in (just watch the Matrix trilogy for proof). In the end, the distrust exhibited by this attempt at control is likely to be reflected back at you.

The only path forward is to evolve our IT governance model to embrace the new SaaS adoption model. We need a meaningful way for the centralized security team to get involved when the first user adopts a new app. Proactively engaging that first user when they create their account to understand the scope, use, and intent for the new app gives us an incredible opportunity to guide the future of that app within the organization. Is it business critical? Send along for a full vendor assessment. Will it store employee data? Corporate IP? Make sure legal takes a look at the privacy policy. Ensuring these sequences not only addresses critical risk factors, it invites employees into the process, so that they better understand security concerns and complexities. Overall, it creates the kind of communication and goodwill that allows an organization to thrive. 

Like it or not, employee-led IT adoption is here to stay. The choice that organizations now have is simple: use old tactics and allow their SaaS attack surface to lurk in the shadows, or embrace a modern approach and bring shadow IT into the light of day.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors