6 Steps to Take Back Control of SaaS Shadow IT

SaaS is accelerating the growth of shadow IT. Don’t fear this challenge — manage the change, empower your business partners, and be the hero of SaaS management.

Anything in a shadow looks mysterious — shadow IT is no different. Rather than dwelling on what IT solutions could be out there, technology leaders should flip on a light and see for themselves what’s lurking in the (IT) shadows. And the challenge is getting tougher: Software as a Service (SaaS) spend is projected to reach $145 billion by the end of 2022, making it one of the most explosive growth areas in organizations’ operational budgets. But while SaaS spend must support business goals, SaaS growth now primarily comes outside corporate IT.

SaaS is now the main driver of shadow IT, and IT leadership needs to manage it.

What is shadow IT?

Shadow IT is a term for business-led technology purchases unapproved by the IT department outside of standard procurement channels. For example, the marketing team adopts its file-storage solution without consulting with IT on why the corporate-approved OneDrive isn’t suitable for its purposes. When business partners go it alone for their IT needs, they aren’t always diligent about vetting the security and financial aspects of their choices — leaving potential problems for the IT team to address.

Shadow IT has always existed, but now easy downloads and free trials of cloud-based applications are the major drivers of SaaS shadow IT (or shadow SaaS). Low monthly costs processed through corporate expense systems rather than IT approvals are another barrier removed by SaaS shadow IT.

What are the risks of shadow IT?

Without visibility into all SaaS capabilities (both inside and outside of IT), you cannot rationalize capabilities to preferred vendors or leverage volume discounts. Take project management software. Your engineering teams may leverage Monday.com while marketing uses Trello. Siloed software adoption complicates cross-functional collaboration and cuts out the option of volume discounts by only going with one solution (“We don’t need Trello and Monday.com. Pick one, and let’s consolidate.”).

With shadow IT, the business selects the solutions they want — without delay. This self-determined approach empowers users to take ownership of their digital transformation. In a recent survey, 45% of employees who use their preferred technologies felt more engaged with their work. But this self-determination comes with the following risks:

  • Cost. Adopting a freemium SaaS solution may look like a no-brainer when there are few users with limited needs. However, as users increase and requirements get more complicated, the business may need to sign up for a premium subscription. A free SaaS solution looks less appealing once you start having to pay for it.
  • Data security. Knowing, and securing, entry points into a network is key to locking down data. Shadow IT increases the surface area of potential attacks with multiple new connections — most of which are invisible to IT teams.
  • Compliance. A shadow IT SaaS solution takes your data — and potentially your customers’ — and stores it outside your immediate control. You carry the risk of regulatory non-compliance (e.g., HIPAA, GDPR) without having any control over the data practices of the SaaS application vendor.
  • Inefficiency. Few business processes exist in a silo. Data stored with a SaaS provider still needs to be accessible to others within your organization. Consider a creative department: they have their in-house design team that must share files with third parties. That same team needs to collaborate with an external agency on big projects. Sharing security permissions with an external agency may be a small lift. Still, it requires the incremental adding (and subtracting) of permissions as more teams, and vendors get involved with the project. The design team starts by being creative on an ad campaign and ends up being “creative” with access permissions. Designers didn’t go to art school so that one day they could manage user permissions.

Taking back control of SaaS shadow IT

There is little to be gained from trying to eliminate SaaS shadow IT entirely; your business partners have already decided that SaaS will be part of their technology stack. After all, what has driven end-users to shadow IT? The desire to be as efficient as possible. They will seek the path of least resistance to solve their problems.

Procurement or IT should not disrupt business efficiency and instead help to fully enable teams with the tools they need — and of their choosing — to get their jobs done. Embrace the reality of shadow SaaS and ensure it is secure, data compliant, and cost-efficient.

Here are six steps to take back control of SaaS shadow IT:

1. Learn why your business partners are leveraging shadow IT

Shadow IT is usually a reaction to a perceived or actual deficiency in corporate IT solutions. Find out which it is. This isn’t about faux-listening before giving the hard sell on IT-approved application X or Y; understand why they chose to go down the shadow IT route in the first place. Build trust by listening.  They just may have found a better solution.

2. Demonstrate SaaS spend management best practices

A business leader does not pick an application or service on a whim. Few people will go out on a limb for a solution they haven’t previously had success with. But there may be blind spots in the decision process if they are not looking at the broader impact.

Business leaders who want to be good financial stewards cannot ignore the technology leader who manages IT-approved SaaS spend by cutting waste and consolidating duplicative applications. For many organizations, shadow SaaS bypasses established SaaS platform management practices.

Business partners need to know the consequences of staying in the shadows, whether operationally (e.g., data sovereignty or system inefficiency) or financially (e.g., costs may rise prohibitively with increased usage).

3. Adopt automated SaaS discovery

According to a report from BetterCloud, 45% of routine SaaS operations at SaaS-powered workplaces are already automated. SaaS discovery should be one of those automated operations in your organization — you can’t manage what you can’t see. Collecting information from your organization’s single sign-on (SSO) system will gain visibility into registered applications with SSO, but shadow SaaS may have bypassed SSO. However, your expense system records SaaS, and some organizations manually identify apps from it.

A better approach is automated application and shadow IT discovery with multiple API connectors, SSO system integrations, and general ledger analysis to track potential shadow SaaS.

4. Communicate the actual cost of shadow IT

SaaS ownership is rarely assigned once purchased — even less so for shadow SaaS. This matters when the resulting lack of responsibility leads to as many as 30% of application licenses going unused. Financial systems do not show the actual cost of shadow SaaS when it shows app spend or cost per user unburdened with the cost of unused licenses. Visibility into the total cost of a SaaS solution — identified by department, software type, user, or budget owner — drives more accountability for each purchased license.

5. Decriminalize shadow IT

With 22,000 SaaS companies globally, the world of shadow SaaS is only getting more complicated. Shadow IT audits should include a list of sanctioned, authorized (not listed as IT-approved, but tolerated), or prohibited SaaS solutions — these audits shouldn’t be static. As needs change or security issues are exposed, work with business leaders to expand the number of permissible SaaS solutions and limit prohibited ones. Try to be accommodating. Reach for compromise when you can. Remove the “Department of No” moniker that corporate IT is typically labeled.

6. Adopt a shadow IT review

Conduct a quarterly or monthly review of shadow IT as part of application portfolio reviews. This surfaces the business capabilities of all SaaS solutions in one review and showcases all sanctioned and authorized solutions in one venue — regardless of whether it is “officially” shadow IT or not. By normalizing a business capability and showcasing its value, it will become clear which SaaS applications need to be fast-tracked to sanctioned status.

The review should enable users to interact with financial data accessed by your SaaS management platform, providing you with extensible reporting and analytics around both actual approved SaaS and shadow IT spend. The ability to quickly determine unsanctioned applications should be addressed as well via a prescriptive application discovery methodology. Finally, machine learning algorithms can be deployed to dynamically determine which discovered shadow IT apps can or should be sanctioned, over time, by the IT department can be deployed to dynamically determine which discovered Shadow IT apps can or should be sanctioned, over time, by the IT department.

When business partners end-run around corporate IT

Don’t try to eradicate shadow IT; learn how to manage it. A purpose-built solution to take control of your SaaS portfolio is one path to take. In many ways, shadow IT is a boon for IT folks. We don’t have to work out which capability to provision (the business has already shown us what they want); we simply need to ensure that it’s cost-effective and safe.

Article Contents



Additional Resources