



Shadow IT: it’s not what you think

Dec 05, 2017 | 8 mins
IT Strategy, Technology Industry

Shadow IT is nothing to be afraid of.


I recently spoke to a crowd of professionals about “Shadow IT,” and I couldn’t stop picturing the “Shadow Monster” from Stranger Things. You know, the big scary antagonist in the latest season of the Netflix cult show. As I finished my talk I couldn’t help but laugh – because “Shadow IT” is nothing to be afraid of.

So what is shadow IT?

It’s a term used to describe information technology systems and solutions used inside organizations without explicit organizational approval. 

Despite its negative, chaotic connotation, shadow IT offers some of the most exciting opportunities for startups and investors looking to power next-generation business applications. The opportunity behind shadow IT is a growing market that impacts every digitally transforming organization in the world.

Bottom line: shadow IT is here to stay.

Analyzing the causes of the rise of shadow IT has been a passion of mine for years. It’s a particularly interesting trend as we continue to move down the road of digital transformation in a security-conscious macro environment. All industries are rapidly evolving (or dying) due to hyper-competition, low barriers to entry, and customer defection as a result of careless handling of data breaches.

But why now? 

Shadow IT has reached a critical mass. In fact, a recent Gartner study states that over 50 percent of enterprise application consumption is happening over uncontrolled and unaccounted-for sources. I see this in my world, where it seems like every team I talk to is expensing 10, 20, sometimes even 30 SaaS services on their VP’s credit card! I don’t blame them. These teams are on the front lines waging a continuous battle where the customer gets what they want or they move on. Teams can no longer rely on slow procurement processes from central IT. We live in an “evolve or die” world – there are no points for second place.

Mainstream adoption of SaaS is driving the bus.

SaaS models are the primary delivery mechanism for line-of-business applications and have been a key factor in the emergence of shadow IT. While the more established SaaS platforms have developed the necessary integration, security and compliance capabilities to be considered IT-ready, many SaaS applications haven’t achieved that level of enterprise sophistication. As a result, central IT departments typically struggle to support those applications using their existing frameworks, and teams inside business units end up implementing their own IT stacks, further distancing themselves from central IT.

Let’s face it, the cloud has won.

The explosion of cloud computing infrastructures led by Amazon has allowed teams to implement custom solutions without requiring servers from IT departments. While most IT departments have developed the expertise to manage cloud infrastructures, knowledge of application development best practices using platform as a service (PaaS) architectures remains new to those groups. DevOps is still a trade-craft. As a result, teams rarely rely on IT departments for the implementation of custom cloud apps. Instead, they build or hire external teams to assist with those efforts because their customer demands cannot wait for the central organization to “figure it out.”

Customers consume services on their mobile devices. 

Together with the rise of cloud development, mobile computing has been one of the transformative movements in the recent history of software. With IT departments lacking the skills to develop world-class mobile apps, teams turned to digital agencies or incubated special operations teams to develop mobile apps for their partners and customers. Mobile app development is another one of the factors that cause shadow IT silos within larger companies.

Teams need modern technologies and IT talent. 

The emergence of technology trends such as mobile, cloud, big data, and IoT has drastically disrupted the skill sets required to build modern software apps. As a result, organizations have developed internal teams or partnered with third-party agencies in order to build modern software applications because central IT managers and talent are not evolving fast enough.

Enterprises have also seen a proliferation of mainstream cloud and mobile products being adopted within different teams. This phenomenon, known as the “consumerization of the enterprise,” is a reflection of teams adopting consumer products to perform business activities. How many employees are using personal SaaS products to take meeting notes at work? Probably most. Since a large majority of mainstream consumer products are not supported by IT organizations, many teams have developed their own mechanisms for implementing and supporting those consumer solutions within their environment.

The “we can’t support that” culture is self-defeating. 

Change is scary. Central IT departments tend to challenge solutions that use new tech because they are difficult to support. As a result, a large number of the software solutions developed by IT organizations lack the innovation and flexibility of new technology stacks. To deal with that challenge, business teams have built small groups with the right knowledge and expertise to support modern software solutions.

“Because of all of these issues, shadow IT has become a permanent piece of every modern organization; like the pyramids in Egypt that still stand – forever in time.”

I always explain it like this to customers: think of shadow IT not as a problem, but as an opportunity. Shadow IT unlocks new opportunities for long-term strategy because it catalyzes the entrepreneurial talent and spirit hidden deep in the company and brings teams and customer requirements front and center.

Shadow IT was the catalyst for the adoption of the things which make our world what it is today: cloud, mobile and big data technologies. It is forcing central IT groups to change; to rapidly build up necessary skill sets and to create new solutions to support the new wave of business solutions.

As a result, we are just now seeing very innovative solutions from central IT groups in key areas:

  • Compliance and security: The emergence of shadow IT has flipped the security space upside down, and has challenged IT groups with a new set of scenarios they weren’t exposed to before. As a result, the most forward-thinking IT groups have implemented new, simpler and lighter security models that interoperate well in the mobile and cloud world.

I hear about this all the time when discussing source code security and shifting left. By bringing central IT and teams together into a single platform to manage software code, compliance is met and speed retained. Everyone wins.

  • Integrations: Shadow IT has blown up the number of integration combinations available in the enterprise. As a result, some of the most advanced IT groups have rapidly adopted innovative technologies like integration platform as a service (iPaaS), such as Mulesoft, to better support line-of-business requirements. Use of single sign-on (SSO) and central authentication (CA) mechanisms is growing and helping to solve long-standing issues in the enterprise – all catalyzed by shadow IT.

Integrations matter. A central platform that securely connects to all of your team’s integrations but meets stringent security compliance standards makes a world of sense. From a data security perspective, if all your projects and integrations are visible behind a single pane of glass, it is much easier to meet auditors’ needs.

  • Ops Analytics: The adoption of ultra-modern tech by teams has challenged some of the legacy enterprise monitoring platforms. As a result, IT groups have adopted the new generation of application performance monitoring solutions that are designed to operate in a mobile-first, cloud-first world.

From New Relic for performance monitoring to the vast array of tools in the security incident and event management (SIEM) space with the likes of Threat Stack, operational analytics has boomed, giving enterprises efficiency and insights miles ahead of what was present even five years ago.

  • Mobility: There is no doubt that the rise of shadow IT has forced organizations to develop the necessary skill sets to support and implement mobile apps. Considering that mobile-first is becoming the new standard for enterprise solutions, that can hardly be seen as a bad thing.

Security has always been struggling to keep up with BYOD and the uncontrolled consumer device environment. In my conversations I see the rapid pivot to mobile-first as having created strong innovation around solving those mobile security challenges in the enterprise, ensuring all employees are more secure at work.

I work with customers every day to map out the “why, what and how” of managing and adapting to the world of shadow IT – it’s not about competing but collaborating.

Leaders should ask their CIOs these questions:

Why are our teams choosing alternatives?

  • Measurable business benefits of change
  • Business case for change

What is needed to be internally competitive?

  • Technology change
  • Organizational change
  • People, skills and process change

How do we stay ahead?

  • Building a strategy and road map for the future
  • Implementing the right people/skills and process
  • Measuring success

In the end, internal teams will always choose the services that best meet their needs and cause them the least amount of pain, be it financial or operational. Working to become your company’s internal preferred service provider for security and speed will likely take time and resources, but in the long run, it can mean the difference between a role as a strategic partner to the business or the eventual extinction of the IT department as an antiquated cost center.


Jacek Materna is a technology evangelist and cyber security expert with more than 15 years of experience. As CTO of Assembla, Jacek leads the strategic vision for the company’s technology practice.

In this role Jacek consults frequently with customers to better understand needs and concerns regarding the future of Version Control and how Assembla can best help meet those needs.

Prior to Assembla, Jacek was the SVP of Engineering at Securelogix, where he led product development for the VoIP and SIP Security software business. Earlier in his career, Jacek founded a number of technology businesses in and around VoIP security. Jacek holds patents in the space and writes frequently on topics such as enterprise cloud version control, compliance, data security, game development and cloud software development.

Jacek regularly advises South Texas incubators helping to grow the next generation of security and compliance companies.

The opinions expressed in this blog are those of Jacek Materna and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.