Cyber security

Are You In the Dark about Shadow IT?

by Ryan Shadle and Brian Turley

Today it’s easier than ever for business units to bypass IT procurement to get the solutions and services they need. But this increasingly widespread practice comes with many risks, from hidden costs to compromised data security. Here’s what to do about it.

The good news about the era of cloud-based business solutions is that today it is easier than ever for business units or departments to get the functionality they need almost instantaneously—through a cloud provider, such as Amazon Web Services, Google Cloud Platform or Microsoft Azure, or from a SaaS provider, such as Salesforce.com, Workday or NetSuite. Define a particular business or IT need, hand over a credit card number and presto! Your IT solution is up and running.

The bad news about the era of cloud-based business solutions is that today it is easier than ever for business units or departments to get the functionality they need almost instantaneously—without the experience or oversight of a centralized IT procurement department.

It’s called “Shadow IT”—technology solutions lurking around an organization and hidden away somewhere, perhaps in a marketing budget. Is this prevalent in the business world today? Yes. Consider a December 2013 survey by cloud IT operations specialist 2nd Watch, in which 93 percent of business units said they are leveraging the cloud for services they need to conduct business—and 61 percent reported bypassing the IT function completely to do so.

When we ask clients how much Shadow IT spending occurs throughout the company, they usually don’t know. They are certain, however, that what they do see of Shadow IT is only the tip of the proverbial iceberg. In fact, we conservatively estimate that a typical large company has hundreds of unregulated cloud, SaaS and other solutions in use—perhaps 10 times that of its known cloud usage.

Why all the activity in the shadows? Business units that go off on their own with a cloud solution are not trying to be subversive; they just don’t want to wait.

Companies are bumping up against the issue of IT departments that were designed for an earlier era of computing, an era based on long waits before requests were finally implemented. In many cases, IT departments simply are not structured for the speed of business today. At the same time, demands on IT resources are increasing each year even as budgets remain flat. The result: Shadow IT.

Although nimble, cloud-based solutions are good, and the intentions of Shadow IT users might not be bad, the consequences certainly could be ugly if IT procurement is bypassed. And we’re not talking about merely paying higher prices for services. Anyone running a departmental cloud-based solution must be certain that the department is in compliance with company policies regarding intellectual property protection as well as country-specific regulations about data privacy.

Why does IT compliance matter? A big reason is that it helps ensure that a company’s data is protected. The Heartbleed OpenSSL bug is a recent example of a major security vulnerability that may have affected hundreds of thousands of websites, potentially giving hackers access to login credentials and other data. When a threat such as Heartbleed strikes, the IT organization must determine the company’s risk. The existence of Shadow IT is one reason why accounting for all systems is next to impossible.

Between easy access to software-as-a-service and the growing popularity of bringing personal devices to work, it’s imperative for IT procurement to be seen not as a hurdle but as a partner to the business. Here are five ways to make that happen:

Be an educator, not an enforcer. The point is not to “catch” policy offenders but rather to educate the organization about a range of considerations. Emphasize the positive. For example, explain the potential for the business to leverage economies of scale, which would reduce the overall cost of the IT solution. Share with employees what they should know about the service-level agreements and legal language they will encounter when they are making their own purchases. This kind of positive educational experience has a greater possibility of cascading throughout the organization than bludgeoning the business with reminders of compliance.

Communicate about preferred suppliers. Proactively sharing information with the organization about preferred suppliers empowers individual business units to purchase certain technology solutions directly from prequalified companies while leveraging pre-negotiated prices. Even as you share preferred options with the business, keep the door open for exceptions: Let people know that if they are considering a solution not on the preferred supplier list, they should talk to you first so you can advise them on their upcoming purchase.

Help the business get out ahead. Another advantage of a preferred supplier list is that you can leverage it to help the organization implement newer technologies. For example, many parts of the business want to develop mobile apps. You can accelerate the pace by establishing strong relationships with mobile suppliers—and then adding those vendors to the preferred supplier list. You support the business as it embraces innovative technology while saving the company money.

Demonstrate the value you add. IT procurement doesn’t have to be perceived merely as a gatekeeper. How are you helping the enterprise use IT to meet business goals? Consider a major technology purchase, such as laptops for an entire department. Rather than merely negotiate prices, IT procurement can provide guidance on numerous purchasing decisions—standard warranty agreements, for instance, and even hardware specifications—based on client need and company use.

Compete on easy. One of the reasons Shadow IT exists is vendors make it very easy to get business services on demand. So IT needs to be easy too. Share the preferred supplier information with the company but, as mentioned above, also be willing to discuss exceptions. Ensure a business unit is in accord with policies and with best practices in pricing, but also encourage employees to reach out to IT when it comes to procuring nimble solutions. Ultimately, the goal is to have the organization consider IT procurement a trusted resource that can help achieve business objectives quickly and innovatively, while saving money and protecting the company from risk.

About the Authors

Ryan Shadle is the North American IT-Telecom lead for Accenture Operations Procurement BPO. Brian Turley is the global IT-Telecom lead for Accenture Operations Procurement BPO.

Republished courtesy of Accenture. For more, visit Accenture.com.

