Strategies to Illuminate Shadow IT and Support Digital Transformation

2024-07-25


Making Room for Business Managed Applications  


In the previous article in our shadow IT series, we explored the benefits of digital transformation and the risks of shadow IT that come along with it. Digital transformation includes the decentralized provisioning of software (also known as Business Managed Applications). 


The premise of supporting Business Managed Applications (BMAs) is that other departments know what software they need better than IT does, and they can select the right tools faster. Digital transformation initiatives are a top priority for many CIOs. In fact, up to 41% of employees are acquiring, modifying, or using technology that their IT department isn’t privy to, and Gartner expects this number to increase to 75% by 2027.  


When employees feel that they have the space to test and use apps that support their roles, productivity, creativity and engagement go up. In fact, 97% of IT professionals believe that employees are more productive when they’re allowed to use their preferred tech. 


On the other hand, when employees feel that they have no freedom to choose what software they work with, trust and engagement go down. Nearly 9 out of 10 IT professionals have received pushback when they tried to dictate tech stacks. People may also feel frustrated and demotivated by long app approval processes, leading them to tap out and stop asking for what they want and need.   


Strategies to Illuminate Shadow IT and Support Digital Transformation  


Research indicates that advocating for the total eradication of shadow IT is neither effective nor productive. Despite an organization’s best efforts, it’s unlikely that shadow IT will cease to play a role in modern IT environments. However, there are ways to support digital transformation, rein in the chaos that shadow IT can cause, and restore order to IT infrastructures. 


1. Use a SAM Platform Designed to Support SaaS

To understand the extent of actual software installations and usage across business units, to optimize spend, and to ensure secure and compliant IT environments, companies need visibility through trustworthy software and hardware data more than ever. While shadow IT can also consist of on-premise installations, most of it is SaaS. A recent study by Captive Shield found that more than half of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications, while 7% of organizations have no monitoring at all in place. 86% of IT professionals report that they badly want a tool to help automate and streamline their SaaS management. 

Struggling with shadow IT but refusing to adopt a SAM platform is like being afraid of the dark but refusing to accept a flashlight. Many companies use various decentralized SaaS tools and try to coordinate their data to create a unified picture of SaaS infrastructures. However, for optimal results in illuminating shadow applications, cutting wasted spend, and maintaining high security standards, an expertly designed solution to solve the problem is necessary.  

When it comes to shadow IT (which most often happens to be a web application) most legacy SAM tools are not equal to the task. They were built in the era of on-premise installations, and that’s what they’re best at. While on-premise management remains an important focus for businesses, it provides a dangerously partial view of modern IT environments. Some traditional providers have attempted to meet the SaaS need in the SAM market. However, the poor SaaS software recognition that their technology achieves leaves businesses blind to significant sectors of their IT environments. Difficult to maintain and requiring significant time and human resources to deploy, these outdated technologies have been unable to adapt to the modern moment: SaaS-dominated tech stacks and decentralized infrastructures. 

Xensam is at the forefront of the next-generation approach to Software Asset Management that addresses the visibility crisis of both SaaS and on-premise applications. Our vision is to make it easy for all business users to gain actionable insights into their hybrid software environment, allowing them to save money, boost productivity and reduce risk. By leveraging the most advanced automation and AI technologies, we enable the optimization of all software applications, not just legacy apps, and empower business IT leaders to make critical, data-driven decisions on software cost, utilization, licensing, security, and compliance to drive new efficiencies, reduce risk, and optimize business operations.   

With unprecedented SaaS discovery of more than 70,000 SaaS applications and 25,000 SaaS vendors, Xensam’s technology is designed for the forward-thinking organization. Armed with this kind of technology, companies don’t just have a flashlight to illuminate shadow IT, they have stadium lights. Our advanced technology flags all used applications (whether the IT team approved them or not) and provides data on who is using these apps and how much, down to the minute with Active Usage. With Xensam, there’s nothing to fear in the shadows. 

2. Define IT Governance Policies on Shadow IT

Definitive SaaS governance policies are key. In many cases, the risks of shadow IT flourish simply because organizational policy towards it is unclear. There are significant benefits to defining a company-wide stance towards SaaS and decentralized provisioning of applications. 80% of organizations with an IT governance framework report improved decision-making, and 60% of organizations cite increased efficiency as a key benefit of IT governance implementation. Moreover, when IT governance is unified through concrete policies agreed upon by all relevant stakeholders, a decentralized IT environment becomes less of a threat. When IT governance is clear, it also supports employee education, creates a united front and minimizes confusion on company best practices.

All relevant stakeholders should collaborate to create a unified company stance on what is allowed and what isn’t, including which employees are authorized to select their own department-specific Business Managed Applications, criteria for vetting secure SaaS vendors, cost management best practice, policies on when, how and to whom new software usage must be reported, and clearly defined consequences for non-compliance. 

3. Collaborate and Communicate Openly and Often 

Once IT governance is centralized, open communication and collaboration are key. Despite the fact that nearly all IT professionals view shadow IT as a significant risk factor, only half of employees share this view, and this is likely due to a lack of education.  

Upwards of 75% of companies do not train their employees on the risks of shadow IT. Regular education about the dangers of shadow IT and the importance of following proper protocols when it comes to software procurement is a must. Research by Gartner indicates that educated employees are 2.5 times more likely to avoid cyber risk. A little awareness can go a long way in preventing major spend and serious data breaches through unmanaged SaaS applications. 

However, there’s an important caveat that needs to be addressed here. Employee training helps, but it can only go so far. It’s easy to point the finger at IT departments and say that they didn’t communicate policy well enough, but the reality is that employees often engage in risky behavior despite security training. A shocking 90% of employees still engage in unsecure practices despite being educated on the risks, and they know when they’re doing it! In a 2023 survey by Gartner, 69% of employees reported intentionally bypassing cybersecurity within the last 12 months. 

ChatGPT: A Cautionary Tale on Transparency  

ChatGPT is a perfect example of a shadowy SaaS application that companies are grappling with today. Despite the risk of leaking sensitive company data via third-party applications, 7 in 10 workers who use AI tools like ChatGPT do so without consent from their organization. Furthermore, research by Auvik found that 67% of ChatGPT logins are from personal accounts, making it even harder to track. This secrecy is likely motivated by the fact that employees use it for work shortcuts.  

According to data from Cyberhaven, 11% of all data input into ChatGPT by employees is sensitive. In 2023, Samsung discovered that employees had been inputting company source code and transcripts from internal meetings. To solve this issue, Samsung banned the SaaS product altogether, alongside other big players like Apple, Amazon, Spotify, JPMorgan Chase, and Goldman Sachs.  

Before instituting the ban, JPMorgan Chase reported that they were totally unable to determine “how many employees were using the chatbot or for what functions they were using it.” Because of Xensam’s industry-leading web application recognition, users are not only able to detect ChatGPT usage down to the minute, but they’re also able to distinguish between paid and free usage of the tool.   

This is an apt cautionary tale, demonstrating just how dangerous the lack of transparency around SaaS app usage can be. At the end of the day, safe use of SaaS apps all comes down to visibility.  

4. Up Your EOL and Off-Board Game  

The detection of new shadow IT usage is a huge step towards risk mitigation, but many companies also incur significant risk when they don’t monitor the end-of-life (EOL) dates for their applications, and it’s even tougher to monitor these important dates on unseen software. EOL risks are only relevant for on-premise applications, as all SaaS users can be immediately locked out if a SaaS vendor ends sale and use of their products.  

An EOL date is the date from which a software vendor will no longer market or sell their product, both directly and through third-party partners. This also usually means that the vendor will no longer provide support, updates, patches, or fixes for the software. This creates obvious vulnerabilities. Not only is the software potentially incompatible with newer technologies, slowing innovation, but it also opens the door to significant security risks as unpatched flaws become permanent weaknesses that malicious attacks can exploit. 

What often happens is that a piece of on-premise software will reach its EOL, and a company will perform a half-hearted, unmanaged uninstallation process. The executable file or some other part of it remains on their systems, and it’s never truly removed from their IT infrastructure. In this way, it falls into the shadows, becomes part of a business’s unmanaged IT environment, and opens them up to the risks mentioned above.  

“With Xensam we find vulnerable installations, and what device or folder they’ve been hiding in. We’re picking up things that haven’t been detected before.”

Isle of Wight NHS Trust Case Study >>


While not a strict EOL concern, employee off-boarding also presents significant data privacy risks. 31% of employees still have access to the SaaS applications of their previous employer, meaning that they still have unauthorized and unmanaged access to the, on average, 5.5 million assets stored inside those SaaS apps. These are more like shadow users than the classic shadow IT, but they pose similar threats: data exposure, unmanaged security practices, and lack of oversight.

Whether it’s the strict EOL date, or the end of an employee's lifecycle within an app, upping your EOL and off-boarding game is key to mitigating the risk of everything lurking in the shadows.  

The right SAM platform will provide not only EOL information as part of the software normalization function, but in-platform notifications when EOL dates are upcoming too. Xensam offers customizable notifications for the uninstallation of software that fails to meet usage thresholds, making EOL management, user off-boarding and uninstallation that much easier. 
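As an added example (not Xensam's code and not from the original article), the three checks this section calls for, run over a constructed inventory: installs past or within a warning window of their EOL date, installs idle past a usage threshold (uninstall candidates), and SaaS accounts still held by people no longer on the staff roster. The thresholds, the fixed reference date and every record below are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data: on-premise installs with vendor EOL dates and last
# recorded use, SaaS accounts, and the current staff roster (all assumptions).
TODAY = date(2024, 7, 25)          # fixed so the results are reproducible
EOL_WARNING_DAYS = 180             # notify this far ahead of an EOL date
IDLE_DAYS = 90                     # flag installs unused for this long

INSTALLS = [
    {"app": "LegacyReporting 9", "device": "FIN-LAPTOP-07",
     "eol": date(2024, 1, 31), "last_used": None},                # past EOL, never used
    {"app": "DesignSuite 2019", "device": "MKT-PC-12",
     "eol": date(2024, 11, 30), "last_used": date(2024, 7, 20)},  # EOL inside the window
    {"app": "CRM Connector", "device": "SALES-PC-03",
     "eol": date(2027, 6, 30), "last_used": date(2024, 3, 1)},    # idle for > 90 days
]
CURRENT_STAFF = {"a.smith", "b.jones"}
SAAS_ACCOUNTS = [
    {"app": "ChatGPT", "user": "a.smith"},
    {"app": "ChatGPT", "user": "c.lee"},   # left the company; access lingers
]


def eol_findings(installs, today=TODAY):
    """(app, device, status) for every install past or approaching its EOL date."""
    out = []
    for i in installs:
        days = (i["eol"] - today).days
        if days < 0:
            out.append((i["app"], i["device"], "past EOL by %d days" % -days))
        elif days <= EOL_WARNING_DAYS:
            out.append((i["app"], i["device"], "EOL in %d days" % days))
    return out


def idle_findings(installs, today=TODAY):
    """Installs with no recorded use inside the IDLE_DAYS window: uninstall candidates."""
    cutoff = today - timedelta(days=IDLE_DAYS)
    return [(i["app"], i["device"]) for i in installs
            if i["last_used"] is None or i["last_used"] < cutoff]


def orphaned_accounts(accounts, staff=CURRENT_STAFF):
    """SaaS accounts whose user is no longer on the roster: the 'shadow users' above."""
    return [(a["app"], a["user"]) for a in accounts if a["user"] not in staff]


if __name__ == "__main__":
    for finding in eol_findings(INSTALLS) + idle_findings(INSTALLS) + orphaned_accounts(SAAS_ACCOUNTS):
        print(finding)
```

In a real deployment the three inputs would come from the SAM platform's normalized inventory, its usage data, and the HR or identity system's leaver list; the logic stays the same.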

Conclusion  

Digital transformation offers significant organizational benefits across the board, including greater employee engagement and retention, increased productivity and innovation, and increased revenue from streamlined processes. To fully embrace digital transformation initiatives, it’s necessary for companies to get a handle on the risks of shadow IT. Decentralized software provisioning is a feature of modern IT environments, and fighting it won’t make it disappear. If companies deploy a comprehensive SAM tool designed to recognize SaaS apps and build up clear and unified policies on shadow IT and BMAs, everyone wins. IT gets complete visibility, and employees get to use the software they need. Eradication is not the answer – visibility is. 
