Shadow IT are IT projects (like cloud services) that are managed outside of, and without the knowledge of, the IT department. At one time Shadow IT was limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department. This rapid growth is partly driven by the quality of consumer applications in the cloud such as file sharing apps, social media, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterprise-class SaaS applications. In many ways Shadow IT is helping to make businesses more competitive and employees more productive.

Worldwide Cloud Spending

When employees and departments deploy SaaS applications, such as Office 365, it can also reduce the burden on IT help desks to take calls, according to Ralph Loura, CIO of HP. However, while IT is no longer responsible for the physical infrastructure or even managing the application, it’s still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. This puts IT in the uncomfortable position of saying no to employees using cloud apps they use to do their jobs, going as far as to block access to a cloud app using the company’s firewall or web proxy. However, for every app that’s blocked, there’s evidence employees are finding other, lesser-known, potentially riskier services to use in its place.

Shadow IT Happens

Instead of seeing Shadow IT as a threat, Ralph Loura sees it as an opportunity to leverage employees to identify the applications they want to use so that IT can enable the ones that have gained traction and are enterprise-ready.

According to Loura, “We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.” Promoting low-risk services that have reached a tipping point starts with understanding what cloud services employees use, how they use them, and their associated risk.

Expected Shadow IT vs Actual Shadow IT

The average company currently uses 1,083 cloud services in total; 108 known services, 975 unknown services

Unfortunately, legacy management and security products just don't have the visibility to find, understand, or control cloud service usage and risk, leaving IT flying blind.

Enable the entire cloud adoption lifecycle

What if you could:
  • Gain complete visibility into all cloud services in use and an objective risk assessment across data, business, and legal risk
  • Identify security breaches and insider threats, analyze usage patterns to understand demands, and consolidate subscriptions
  • Seamlessly enforce security policies including coarse and granular access control, data loss prevention, and encryption

When IT examines the use of cloud services across the organization, they generally find Shadow IT is 10 times more prevalent than they initially assumed. The average organization today uses over 1,427 different cloud services, derived from anonymized usage from over 30 million users across over 600 enterprises using McAfee CASB. Often IT departments discover many services in use that they have never heard of before. After auditing the risk of each service and its security controls, IT teams can make informed choices about what services to promote or enable. This is more than just an exercise in risk management. The average company uses 57 different file-sharing services, and using these many different services can impede collaboration between employees. Standardizing on enterprise licenses for 2-3 services not only improves collaboration, but it also reduces cost.