Is shadow IT dangerous or can it be utilised?

13 Sep 2024


Red Hat’s Jason Madigan and James Mernin explain why shadow IT may be risky but also comes with benefits.

IT is a vital part of modern business, but it’s not always clean and organised – employees can sometimes take things into their own hands to get work done.

While this drive can be praised, it also presents dangers to organisations, leading to scattered IT services that the main IT teams are unaware of. These can include unauthorised software, services, devices and more.

The use of IT-related services without the knowledge of the IT or security group is known as shadow IT – a problem that grew significantly during the Covid-19 pandemic and the rise of remote working that followed. It presents various dangers for businesses, such as gaps in cybersecurity and difficulties in fixing breaches.

But how can businesses address shadow IT? To learn more about this issue, we spoke to Jason Madigan and James Mernin of Red Hat. Madigan is a senior principal software engineer and Mernin is software engineering director and site lead at Red Hat’s base in Waterford.

What causes shadow IT?

The two experts offer different insights into the causes of shadow IT. Mernin says shadow IT systems can emerge from the perception of “overly rigid and process-heavy governance measures put in place by the centralised IT department”. He says employees can view these measures as standing in the way of meeting “the ever-increasing demands for faster innovation and shorter software delivery”.

In Madigan’s experience, employees end up turning to shadow IT because “their concerns and priorities differ from those of their IT organisation”.

“IT departments focus on stability, compliance and risk mitigation, aiming to maintain control and security,” he said. “In contrast, employees, particularly those in roles like software engineering or product management, prioritise speed, innovation and delivering value quickly.

“While they share concerns about stability and security, these are often lower on their priority list when minimising time to value is critical.”

What are the risks?

Left unchecked, shadow IT carries various risks. Mernin said security breaches are at the top of the list when it comes to risks “for good reason”.

“Shadow IT systems with poorly implemented (or no) security posture expose organisations to unauthorised access to corporate IT systems which could, in turn, lead to the loss or theft of highly sensitive customer data or personal data of staff members,” Mernin said.

“Not only would this risk losing the organisation’s hard-fought data compliance certifications, precluding their ability to compete in certain customer markets, but the reputational damage alone could easily trigger the complete demise of the organisation altogether.”

Even without security breaches, Mernin said shadow IT presents financial problems, as centralised IT departments are “often able to leverage sizable enterprise discounts with hardware or cloud vendors”.

“Shadow IT systems cost the organisation more than they need to,” he said. “Similarly, misconfigured software could be less performant or not scale well, which could result in a breach of customer service level agreements, causing the organisation to have to issue costly service credits.”

How to deal with shadow IT

But while there are various issues with shadow IT, Madigan doesn’t believe that it is always a bad thing in an organisation. He believes it has its roots in “a desire for innovation and experimentation”.

“This agility is crucial for proving concepts, whether for internal projects or bringing new products to market,” Madigan said. “By embracing the creative potential of shadow IT, organisations can foster a culture of innovation while also learning from these experiments to improve their formal IT practices.

“In my experience, shadow IT is often a leading edge in terms of finding new tooling that’s useful to companies to procure.”

To deal with shadow IT, Madigan said some companies focus on “audits or shining big spotlights”, but he thinks this is the wrong approach and that organisations should be “open and curious”.

“IT should engage directly with their teams to understand what new tools and technologies they’ve been experimenting with,” he said. “By asking why certain tools were adopted, what benefits they provided and how easy they were to use, IT can gain valuable insights.

“A guiding principle at Red Hat has been that development teams’ autonomy is beneficial not only for them but also for IT and platform engineering teams. By understanding these preferences and working collaboratively, IT can integrate valuable shadow IT tools into the official toolchain, balancing innovation with security.”


Leigh Mc Gowran is a journalist with Silicon Republic
