Shadow IT is the usage of unauthorized tech by employees, usually cloud applications and services.

It is a progression of the Bring Your Own Device (BYOD) debate. I have not said that the applications or services themselves are inherently insecure, nor that they are used for malicious purposes. Quite the opposite is mostly true.

Insecurity and risk enter the equation because, by being unauthorized, shadow IT remains invisible to security controls. This can lead to the creation of an unmanaged attack surface, and blind spots in your company security implementation are never going to be a good thing.

Or are they?

There are upsides to shadow IT usage for just about any organisation, in that it can 'shine a light' on applications and services that can aid productivity and might otherwise not be considered by the business.

Equally, they can shine that light on a policy restriction that gets in the way of user productivity, and so the savvy employee finds a way to work around it. And adding something to that corporate policy that prohibits such usage isn't, when you think about it, likely to be effective.

If you want to truly embrace digital transformation and all the business benefits that can bring, then bringing shadow IT into the fold is part and parcel of it. Getting the balance between convenience and control is key, and true visibility the goal.

As I said to begin with, it's not the apps or services themselves that are the problem; it's them not being visible to existing security measures. There's no reason why they shouldn't be audited in the usual way for your organisation and brought under the secure umbrella of corporate security policy and control...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


As a developer of apps for embedded devices, testers on the production line and field diagnostics, I've run afoul of IT groups that were for the most part not willing to invest the time to embrace the product development side of the business.

IT seems OK for run of the mill office work, the company web site, billing systems and such but the product developers are aliens or "the enemy within."

So they don't support us. That's fine by us. They also don't want the job but are ready to throw stumbling blocks in your path.

Is IT outdated today for companies that create apps and more?


Is IT outdated today for companies that create apps and more?

I have the same query @profitt
