Shadow IT Cheat Sheet

Here's what you need to know about shadow IT, why it is lurking inside your organisation and what you should do about it.

Shadow IT. Sounds mysterious, and menacing...

Well, it really depends on who you are. If you're a CIO, shadow IT is a potential headache. But if you're reading this article on your own iPad which is connected to the office network, then you're part of the problem and you probably don't even know it.

I'm feeling guilty already! Tell me more

Shadow IT refers to the use of technology inside an organisation without the formal approval of the IT department. It ranges from the minor, such as unauthorised device usage, to the major: entire enterprise IT systems that can be funded and developed by business units or departments without the knowledge of the central IT team.

Why's it happening now?

Shadow IT has always been an issue – there has always been the odd business unit that has insisted on doing its own thing when it comes to technology. But until recently the cost and complexity of IT has meant that the CIO and the IT department have had a monopoly on tech development.

What's changed now is that IT is no longer as complex or as expensive: anyone with a credit card can buy a cloud service, and enterprise-class smartphones, tablets and laptops are easy to use and cheap to buy.

Also, as technology becomes more pervasive and less mysterious, business execs are getting a better idea about what they want to do and are less willing to wait for the CIO to agree with them. That's a big danger for the CIO and the IT department.

Business units are already taking direct responsibility for IT, cutting out the CIO and the IT department. According to research by Forrester, while most businesses still get their tech from a central corporate IT group, 20 per cent now have a dedicated IT unit in their business unit or department, up from 10 per cent in 2010. Some estimates see as much as a third of all enterprise IT spending taking place outside the IT department in a few years.

What's so bad about shadow IT?

For the CIO, shadow IT can turn into quite a headache, but it can also mean cost and complications for the whole organisation.

For the CIO it means someone in the organisation is spending money on IT, and it's not them, which is never a good sign, especially if it implies the business unit doesn't see the IT department as capable of delivering the IT they need to time or budget.

Alternatively, it may be that nobody at a senior level has signed off the spending at all, and that junior staff are doing it themselves. That's bad enough when it's a sys admin who just wants to get some cloud servers up and running quickly – but it's far worse when it is a sales manager buying a cloud CRM system for just their team.

And apart from the political problems shadow IT can create, it can also lead to some bigger and more painful tech problems.

Like what?

Any unauthorised tech development can lead to security headaches: if individuals or business units are making their own investments then they may well not be following the same rigorous security protocols as the IT department.

That might mean they can move faster than the IT department or do things cheaper – but it could also put the organisation's sensitive data – and therefore its reputation – at risk. That could be either by using systems or services that are in themselves insecure, or by inadvertently punching holes in the corporate IT infrastructure that can be exploited by attackers.

Another big risk is duplication. For example a sales chief might be frustrated by waiting for the rollout of a global ERP system and decide to buy into a cloud system instead. Effectively the organisation ends up paying twice for the same capabilities – and corporate data ends up fragmented as well.

Finally, there's every chance that once the business unit has built their own system, they'll want the IT department to manage it. That's going to be a major headache if it's built on technologies the IT team doesn't have the skills to support and that don't fit with the broader enterprise architecture.

So what should the CIO and IT department do about it?

Option one is to use policy to crush shadow IT every time it appears. This strategy is unlikely to work and will just see the CIO typecast as a dictator.

If shadow IT is a big problem inside your organisation you need to look at the root causes. Is it because the IT department is moving too slowly on important projects, or lacking the funds to provide the innovation needed? Is it because central IT is being held hostage by one department while the others are starved of innovation? Is the IT department holding onto corporate data so tightly that business units are forced to create their own?

Reducing project lifecycles and providing the rest of the business with a clear roadmap for future innovation may dampen desire for bespoke shadow projects.

And not all shadow IT is bad – there are plenty of reasons why some tech development should be done outside of the core IT organisation – but it will be to everyone's benefit if this is coordinated and shares a common framework where possible. In these cases the CIO and the IT department can be a trusted advisor rather than an adversary. And that way the CIO might even get some credit without having to do all the work.



Steve Ranger is the UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. Before joining TechRepublic he was the editor of
