Shadow IT is the part of a company's IT that is carried out outside the control of the IT Department.
Free from the constraints and budget of the CIO, "Shadow IT" lets business departments transform their operations while staying as close as possible to innovation. The business departments set up their own applications faster and with more flexibility than the IT Department.
The growing ease with which people who are not technical experts can develop applications or websites, together with the proliferation of cloud services, is conducive to the development of "Shadow IT".
Although these practices can lead to faster digital transformation, in the long term "Shadow IT" is a big risk for companies because it violates the rules of IT governance: urbanization of the information system, data management, and information systems security policy.
Shadow IT security, risks for organizations
For example, settings not supervised by the IT department can make an application hard to maintain, which in turn puts business continuity at risk if the application code is no longer understood. Exchanges outside the network can also pose a security risk if they reach unintended recipients.
In addition, if personal data is handled by applications unknown to the IT Department, the company takes a significant legal and financial risk. In a case like this, fines under the General Data Protection Regulation (GDPR) could reach up to €20 million or 4% of annual worldwide turnover.
A growing phenomenon: Shadow SaaS governance
Over the last few years, SaaS solutions have made their way into almost every organization, sometimes even without the organization's knowledge, since any employee can subscribe to and access applications without restriction via a simple browser. These invisible uses are problematic for CIOs and enterprise architects because they carry the same risks as Shadow IT.
Shadow SaaS is the use by employees of SaaS solutions without referring to the IT Department. This situation is made possible by the intrinsic principle of the SaaS mode, which combines functionalities and infrastructure in a single direct subscription. Shadow SaaS is therefore an element of shadow IT, and it remains the most complex to track because it sits outside the IT department and has its own budget.
The SaaS phenomenon is growing via collaborative platforms, and during audits via SaaS management platforms organizations will discover that 60 to 70% of SaaS applications are completely invisible to the IT department.
Role of the CIO and enterprise architects to face Shadow IT and Shadow SaaS
At a time when IT security and data management are at the heart of most organizations' concerns, the development of shadow IT appears to be incompatible with these major issues. The role of the CIO is to control this Shadow IT and SaaS while keeping the innovation that these approaches bring front and center: moving the company forward while at the same time monitoring risks and threats.
To master this innovation, CIOs and enterprise architects must get closer to the businesses so that they are seen as facilitators and not constraints.
In the case of Shadow SaaS, the risk is shifted to the external service, and the challenges of the architecture will relate to the definition of the business architecture, the functional layers, and the rationalization of the existing applications and functionalities, and less to the technology deployment.
The risk of seeing shadow IT and shadow SaaS deployed throughout the company is therefore very real. This risk can only be contained if enterprise architects and IT departments have sufficient visibility to manage all these applications - and thus optimize their uses and costs. IT departments and architects will need to rely on specific tools for SaaS Management and IT transformation planning that also monitor for all possible threats and risks.