Shadow IT Cheat Sheet

Here's what you need to know about shadow IT, why it is lurking inside your organisation and what you should do about it.

Shadow IT. Sounds mysterious, and menacing...

Well, it really depends on who you are. If you're a CIO, shadow IT is a potential headache. But if you're reading this article on your own iPad which is connected to the office network, then you're part of the problem and you probably don't even know it.

I'm feeling guilty already! Tell me more

Shadow IT refers to the use of technology inside an organisation without the formal approval of the IT department. It ranges from the minor, such as unauthorised device usage, to the major: entire enterprise IT systems that can be funded and developed by business units or departments without the knowledge of the central IT team.

Why's it happening now?

Shadow IT has always been an issue – there has always been the odd business unit that has insisted on doing its own thing when it comes to technology. But until recently the cost and complexity of IT has meant that the CIO and the IT department have had a monopoly on tech development.

What's changed now is that IT is no longer as complex or as expensive: anyone with a credit card can buy a cloud service, and enterprise-class smartphones, tablets and laptops are easy to use and cheap to buy.

Also, as technology becomes more pervasive and less mysterious, business execs are getting a better idea about what they want to do and are less willing to wait for the CIO to agree with them. That's a big danger for the CIO and the IT department.

Business units are already taking direct responsibility for IT, cutting out the CIO and the IT department. According to research by Forrester, while most businesses still get their tech from a central corporate IT group, 20 per cent now have a dedicated IT unit in their business unit or department, up from 10 per cent in 2010. Some estimates see as much as a third of all enterprise IT spending taking place outside the IT department in a few years.

What's so bad about shadow IT?

For the CIO, shadow IT can turn into quite a headache, but it can also mean cost and complications for the whole organisation.

For the CIO it means someone in the organisation is spending money on IT, and it's not them, which is never a good sign, especially if it implies the business unit doesn't see the IT department as capable of delivering the IT they need on time or on budget.

Alternatively, it may be that nobody at a senior level has signed off the spending at all, and that junior staff are doing it themselves. That's bad enough when it's a sys admin who just wants to get some cloud servers up and running quickly – but it's far worse when it is a sales manager buying a cloud CRM system for just their team.

And apart from the political problems shadow IT can create, it can also lead to some bigger and more painful tech problems.

Like what?

Any unauthorised tech development can lead to security headaches: if individuals or business units are making their own investments then they may well not be following the same rigorous security protocols as the IT department.

That might mean they can move faster than the IT department or do things cheaper, but it could also put the organisation's sensitive data, and therefore its reputation, at risk. That could happen either through services that are insecure in themselves, or through services that are sound but sit outside the organisation's controls: nobody in security knows the service exists, so corporate data flows to it with no access review, no logging and no offboarding when staff leave. Either way, the result is a path into or out of the corporate estate that attackers can exploit and that nobody is watching.
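A practical first step is to find out which external services are actually in use before deciding what to do about them. The script below is an added example, not part of the original article: it reads forward-proxy log lines, drops internal and sanctioned hosts, and ranks what remains by how much data users have pushed to it, which is the exfiltration question a security team cares about. The log format, the approved-domain list, the internal suffix and the sample lines are all constructed for this example.

```python
"""Flag candidate shadow-IT SaaS from forward-proxy logs.

Added example, not from the article. The log format, the sanctioned-service
list, the internal domain suffix and the sample lines are assumptions made
for illustration.
"""
import re
from collections import defaultdict

# Assumed proxy log format (hypothetical, constructed for this example):
# <timestamp> <user> <method> <scheme>://<host>[:port]/<path> <bytes_sent> <bytes_received>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::\d+)?\S*\s+"
    r"(?P<sent>\d+)\s+(?P<recv>\d+)$"
)

# Sanctioned services (assumption). A host is approved if it equals one of
# these or ends with "." + one of these, so "mail.approved-suite.example"
# is approved but the lookalike "approved-suite.example.evil.example" is not.
APPROVED_DOMAINS = {"approved-crm.example", "approved-suite.example"}

# Internal hosts are not shadow IT and are skipped (assumption).
INTERNAL_SUFFIX = ".corp.example"

# Constructed sample log. The final line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://approved-crm.example/api/leads 512 20480
2024-03-04T09:13:10Z bob POST https://newcrm-startup.example/upload 4194304 300
2024-03-04T09:14:22Z carol GET https://intranet.corp.example/wiki 200 8192
2024-03-04T09:15:05Z bob GET https://newcrm-startup.example/dashboard 300 65536
2024-03-04T09:16:44Z dave POST https://files.quick-share.example/put 10485760 150
2024-03-04T09:17:01Z alice GET https://mail.approved-suite.example/inbox 100 4096
this is not a log line
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def is_approved(host, approved=APPROVED_DOMAINS):
    """Suffix match against the sanctioned list; rejects lookalike domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def is_internal(host, suffix=INTERNAL_SUFFIX):
    """Hosts under the corporate suffix are in scope for IT already."""
    host = host.lower().rstrip(".")
    return host.endswith(suffix) or host == suffix.lstrip(".")


def find_shadow_services(lines, approved=APPROVED_DOMAINS, internal_suffix=INTERNAL_SUFFIX):
    """Aggregate unsanctioned external hosts, most bytes uploaded first.

    Returns {host: {"users": set, "requests": int, "bytes_sent": int, "uploads": int}}.
    Malformed lines are skipped rather than aborting the run.
    """
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0, "uploads": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m["host"].lower()
        if is_internal(host, internal_suffix) or is_approved(host, approved):
            continue
        entry = stats[host]
        entry["users"].add(m["user"])
        entry["requests"] += 1
        entry["bytes_sent"] += int(m["sent"])
        if m["method"] in UPLOAD_METHODS:
            entry["uploads"] += 1
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["bytes_sent"], reverse=True))


def report(stats):
    """Render the aggregate as plain text, one host per line."""
    out = []
    for host, s in stats.items():
        out.append(f"{host}: {len(s['users'])} user(s), {s['requests']} request(s), "
                   f"{s['uploads']} upload(s), {s['bytes_sent']} bytes sent")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(find_shadow_services(SAMPLE_LOG.splitlines())))
```

Bytes sent, not request count, is the sort key because a single large upload to an unknown file-sharing host matters more than many small reads, and the distinct-user count separates one person's experiment from a whole team that has quietly adopted a service. In practice the approved list should come from the procurement or SSO inventory rather than a literal in the script.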

Another big risk is duplication. For example a sales chief might be frustrated by waiting for the rollout of a global ERP system and decide to buy into a cloud system instead. Effectively the organisation ends up paying twice for the same capabilities – and corporate data ends up fragmented as well.

Finally, there's every chance that once the business unit has built their own system, they'll want the IT department to manage it. That's going to be a major headache if it's built on technologies the IT team doesn't have the skills to support and that don't fit with the broader enterprise architecture.

So what should the CIO and IT department do about it?

Option one is to use policy to crush shadow IT every time it appears. This strategy is unlikely to work and will just see the CIO typecast as a dictator.

If shadow IT is a big problem inside your organisation you need to look at the root causes. Is it because the IT department is moving too slowly on important projects, or lacking the funds to provide the innovation needed? Is it because central IT is being held hostage by one department while the others are starved of innovation? Is the IT department holding onto corporate data so tightly that business units are forced to create their own?

Reducing project lifecycles and providing the rest of the business with a clear roadmap for future innovation may dampen desire for bespoke shadow projects.

And not all shadow IT is bad – there are plenty of reasons why some tech development should be done outside of the core IT organisation – but it will be to everyone's benefit if this is coordinated and shares a common framework where possible. In these cases the CIO and the IT department can be a trusted advisor rather than an adversary. And that way the CIO might even get some credit without having to do all the work.



Steve Ranger is the UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. Before joining TechRepublic he was the editor of


Same ol' same ol'. The business executives and top management want bleeding edge technology, but don't want to have to pay for it, so they fall for every shyster with a handful of magic beans. Bear in mind, this cat will quickly lose patience with them as customers as soon as he has to try and support every new whiz-bang gadget that comes down the pike and all the special edge cases of the business start to break his $59.00 a month canned solution.


When the corporate culture is such that IT is considered a cost center and is perennially underfunded by 15 to 40%, rouge developments naturally occur. Business units get tired of hearing NO from the IT department; they have to try to stay competitive. IT does not have the resources to support their existing programs, much less additional new systems or programs, so the business units are left to their own devices. If the corporate culture is such that IT is considered a profit center and not just a necessary evil, new processes and systems are looked at from a profit and competitiveness perspective and shadow IT naturally becomes a non-starter. If the corporate culture is such that IT handles the technical details of networking and capacity while the individual business units are left to their own devices to develop the business processes and applications, shadow IT can again become an issue. With the security postures today IT must be a centrally controlled, all-powerful group managed at the highest level that has inputs into the business processes and systems for all business units connected to the network, or the security house of cards can come crashing down hard and fast. There can be no shadow IT in the secure network!

Looking at the problem from another angle, is there any justification in having a dedicated IT department any more? What value do they bring to the business? In ten years time will they have gone the way of the dodo? (OK, make that 30 years for public sector) Certainly in small organisations BYOD is fast becoming the norm.


All IT resources/services/etc. should go through the IT/purchasing area of any organization. This will greatly control the flood of staff going rogue and making purchases without any forethought of support, cost, and value. Shut 'em down.


Should the Network/Business Security people now be a separate department from IT, so that anyone setting up a personal network could get it checked out without implicating the IT department? As Security needs to know about the systems in place, they could be the impartial helper in minimising duplication.


Look up the difference between "rogue" and "rouge". It really makes the rest of the post pointless.


I would say having a centralised system that works properly is better than having everyone getting whatever they want, which may or may not work with everything else or even deliver on all its promises. The IT department doesn't have to be a huge team of people; it might just be one guy, or maybe representatives from different departments coming together to decide (and be responsible for) what software/hardware gets used. In a small business it might be the sales guy, the receptionist and a worker.


Take it as a workaround. So many of my students couldn't spell 'rogue' and it always came out as 'rouge' on exams. I almost consider it a synonym. Think of it as a bright red acne spot on an unblemished IT system!
