Shadow IT, where technology-related activities or developments are conducted outside of, and without the knowledge of, the enterprise IT team, is one of the phenomena that have gained prominence in recent years.
Shadow IT results from a mix of factors, such as:
- Lack of co-ordination between the IT / software development teams and the other (non-IT) business teams
- Lack of confidence in the IT team’s capability or turnaround time for deploying solutions
- Obligation or compulsion from clients / stakeholders to deliver a customized solution quickly
- Innovative streak among business teams
- Business team members with dual talents in technology
Such factors, or others, lead non-IT teams to design products or solutions themselves, or sometimes to deploy off-the-shelf products directly, without involving the IT teams. Shadow IT often receives management support and even encouragement, as it is a channel for innovation within the organization and may even be the burgeoning pool of unidentified talent and solution prototypes. A lot of good ideas can lead to some smart automation solutions without involving the long-drawn ‘IT department’ procedures.
However, Shadow IT has its share of risks. Since the IT teams are not involved, the products / solutions that are implemented often do not go through a defined SDLC (where developed in-house) or due-diligence security testing (for off-the-shelf purchases). The business teams’ focus is on functionality; their knowledge of risks, back-door threats, licensing, IP protection and other security requirements is often inadequate. Organizational processes on controls, documentation, reliability and scalability are often ignored. Creators of Shadow IT systems may leave the organization with proprietary data, or leave behind complicated systems that the remaining staff cannot manage in the absence of technical knowledge or documentation.
In the current environment of rampant security breaches and malware attacks, the trade-off between a quick, innovative solution and a proper internal process of validation, testing and implementation should be weighed thoroughly. Certain parameters, such as documentation, testing, periodic checks, backups, virus and malware protection and documented sign-offs, should be made mandatory for every product / solution implemented in an organization.
New technologies are being created in response to this threat, both to negate data security risk and improve the digital customer experience.