Shadow IT, in which companies allow staff to choose their digital tools, is an opportunity and a threat. And like consumerization in the enterprise, it is almost impossible for a company to stop when employees have problems to solve and a wide variety of readily accessible apps and tools just a credit card and a mouse click away.

And as Karen Adame, CIO of KeyedIn Solutions, explains, shadow IT can help your employees get stuff done, but it is something that management should not only accept but also guide and coordinate. Located in Minneapolis, Minn., KeyedIn provides cloud-based integrated business software systems and IT consulting for specialized vertical markets.

The worst result and biggest waste of resources, in her view, is when people go off and do their own thing, and don’t collaborate. Referring to conflicting spreadsheets, Adame said that “you now have two different versions of the truth, and there is nothing worse in any company when you have two different versions of the truth.”

During an interview with TechRepublic in the fall of 2014, Adame discussed the list that she and her KeyedIn colleagues developed, entitled “Five mistakes CIOs make in Shadow IT.” The list, along with our discussion of the five points, is below.

  1. Allowing shadow IT systems to impede workflow
  2. Failing to ensure proper training to secure information and prevent data loss
  3. Not providing the right tools to enable efficient data management
  4. Failing to control spreadsheet versions and ensure analytical consistency
  5. Not getting the full return on IT investments

(Note: Some interview answers have been modified for clarity.)

TechRepublic: When you think of shadow IT, do you see it as a threat, an opportunity, or both?

Karen Adame: It’s really both. It can be a threat when people go about it in the wrong way, potentially leaving information open, or putting in processes that are not very well thought out and you get bad information. But it’s also an opportunity, because people are not being held up trying to funnel everything through one person and hit a lot of roadblocks. It’s a way for people to get things done, that they need to get done, so it’s a little bit of both. It’s an opportunity as long as it is done right!

TechRepublic: What are the experiences that you had that led to making the list, “Five mistakes CIOs make in Shadow IT”?

Karen Adame: It comes from prior experiences. In my past life, I worked for a very large company, and we didn’t have any real opportunities for anything like shadow IT. That really brought us to a halt a lot of times. For example, we had our own internal CRM system, and we wanted to add a field to it, which ended up being a six-month process.

As I moved away from that kind of environment, into the way we are structured at KeyedIn, all of our systems are in the cloud — our financial, CRM, everything is in the cloud. So it kind of went from one extreme to the other, and I came in with the BYOD mentality, saying how can we do this, and how can our employees be empowered to do what they need to do, but still be in a safe world?

So as we look at what we have been doing, what we see our customers doing, what we’ve done in our past lives… [that] is really how we came up with all of the different items in the list.

TechRepublic: Number one in your list is “allowing Shadow IT systems to impede workflow.”

Karen Adame: That’s where we get to people all wanting to do things differently. Within our environment, we use SharePoint, and I am constantly pushing people to not email documents around, but to push them up to SharePoint, so that everyone can look at the same thing. What happens is that we see people are off doing their own little things, and then when you try to bring it all together, we spend 10 times longer trying to reconcile whatever the data was, or the process. If all the constituents on specific workflows got together, and had their little shadow IT but did it together, it would probably work better, compared to what happens when everyone does their own thing.

TechRepublic: Number two is “failing to ensure proper training to secure information and prevent data loss.”

Karen Adame: It is really critical. Certainly everybody is intent on data security and data management. I think a lot of people who are outside the IT world don’t realize how much potential risk they are putting company data and other data in. They think it is all secure, when it is really not. It is really about making sure that they all understand. We often get the question, why does my password have to be so complicated? But the thing is we have customer information in there and proprietary company information in there. And it is the same thing when people start using spreadsheets, and external systems to create processes, or to track information. They are not thinking about the fact that it needs to be secure.

If I am emailing out an HR payroll list, whether I’m emailing it to the CEO or to someone else, it doesn’t matter, I probably want to put a password on that spreadsheet, so that if someone else gets in their email, they can’t open it. People don’t really think about a lot of those things, and it is important that people understand there is a reason and a logic.

We are not just doing it because we want to annoy you — we are really trying to protect all of our data. Customer data is really the most critical information that we can store and manage.

TechRepublic: Number three is “not providing the right tools to enable efficient data management.”

Karen Adame: It depends on what tools you give people access to. There are a lot of companies, for example, that may provide Microsoft Access as a tool and build a database out of it, but they are not really managing it well. So we are not finding the right tools for people to do some of these little shadow IT things that make sense.

Any time you are accessing data and moving it around, you are opening yourself up to all of those security issues, so we want to make sure that everything we have is secure, but still want to provide all the tools to our employees to build the things that they need.

For example, we use KeyedIn Projects for our project management, for our customer billing, and our consulting projects. Here we have a good tool that we can provide to our employees, and can also use it to manage development projects, and internal and financial projects. So this is a tool that is going to enable our employees to do what they need to do and get it done, and it is a secured environment. And that’s an example of a tool that I can access on my iPad later on. So we try to provide internally all the tools that people need, whether it is something like that, or whether it is our implementation of our CRM system, or our internal development platform.

TechRepublic: Number four is “failing to control spreadsheet versions and ensure analytical consistency.”

Karen Adame: That probably should be number one!

Having spreadsheets out there that people are using, that are not the same spreadsheets other people are using for their analytics, is a problem. Say somebody emails a spreadsheet to me, and I make some changes on it, and then person A now sends their version to person C, and you end up asking after all these versions, what is the truth? You really fall into a lot of problems with that, and it comes back to what we talked about: the data efficiency and training for that. You now have two different versions of the truth, and there is nothing worse in any company when you have two different versions of the truth.

TechRepublic: And lastly, number five is “not getting the full return on IT investments.”

Karen Adame: Obviously, every company is spending a lot of time, energy, and money investing in different IT channels. And again, it could be anything from the financial software that they choose, to CRM, or other tools. It is really making sure that we are leveraging the tools that we have, and whether we need to make some improvements to them. I would much rather make an improvement to the tool for the entire company than have someone run off and do something on their own, because they don’t like what we’ve got. And in the end, that always costs more money, and the whole lack of integration of the tools — it’s just a black hole that money falls into for a number of different reasons. If we are going to invest in these different tools, then let’s use them, or let’s avoid investing in them in the first place.

Disclosure: TechRepublic and ZDNet are CBS Interactive properties.