What is Shadow IT?

Shadow IT refers to information technology (IT) projects that are managed outside of, and without the knowledge of, the IT department.

Shadow IT consists of IT projects (like cloud services) that are managed outside of, and without the knowledge of, the IT department. At one time, Shadow IT was limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department. This rapid growth is partly driven by the quality of consumer applications in the cloud, such as file sharing apps, social media, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterprise-class SaaS applications. In many ways, Shadow IT is helping to make businesses more competitive and employees more productive.


When employees and departments deploy SaaS applications, such as Office 365, it can also reduce the burden on IT help desks to take calls, according to Ralph Loura, CIO of HP. However, while IT is no longer responsible for the physical infrastructure or even for managing the application, it’s still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. This puts IT in the uncomfortable position of saying no to employees who rely on cloud apps to do their jobs, going as far as blocking access to a cloud app using the company’s firewall or web proxy. However, for every app that’s blocked, there’s evidence employees are finding other, lesser-known, potentially riskier services to use in its place.


Instead of seeing Shadow IT as a threat, Ralph Loura sees it as an opportunity to leverage employees to identify the applications they want to use so that IT can enable the ones that have gained traction and are enterprise-ready.

According to Loura, “We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.” Promoting low-risk services that have reached a tipping point starts with understanding what cloud services employees use, how they use them, and their associated risk.


When IT examines the use of cloud services across the organization, it generally finds Shadow IT is 10 times more prevalent than initially assumed. The average organization today uses over 1,427 different cloud services, a figure derived from anonymized usage data from over 30 million users across over 600 enterprises using McAfee CASB. Often IT departments discover many services in use that they have never heard of before. After auditing the risk of each service and its security controls, IT teams can make informed choices about which services to promote or enable. This is more than just an exercise in risk management. The average company uses 57 different file sharing services, and using this many different services can impede collaboration between employees. Standardizing on enterprise licenses for 2-3 services not only improves collaboration, it also reduces cost.