Build a shadow IT strategy all departments will love

To minimize shadow IT risks in the enterprise, some IT pros find that adhering to the old adage, 'if you can't beat 'em, join 'em' is the best approach.

It's a phenomenon that's at least as old as the PC: business departments and end users deciding to bust loose from the constraints of corporate IT to do their own thing. Today, thanks in part to the wide range of offerings available through the cloud, that phenomenon -- now called shadow IT -- is experiencing a major comeback.

And while building a shadow IT strategy can be as challenging now as it was 35 years ago, one increasingly common approach is for organizations to accept it, rather than fight it.

"If you can't beat 'em, join 'em," said Joe Fuller, vice president and CIO of Dominion Enterprises, a marketing company based in Norfolk, VA. His company, which produces print advertising magazines such as Auto Trader, now operates 26 listings sites, including and That, in turn, means operating two data centers where most of those sites are hosted.

"We don't try to battle shadow IT; we try to embrace it," Fuller said. His department provides direct connections to Amazon Web Services (AWS) and Microsoft Azure from its data center in nearby Ashburn, VA. Dominion's internal hosting rates mimic AWS rates. "When we send our bill for hosting to our internal business customers, we include a recap of their cloud billing, too, so the business leaders can see what they are spending inside and outside the company," Fuller said.

Fuller is also training the company's systems and network engineers on AWS and Azure so they can be a resource to the development teams that use those services outside IT's hosting environment.

Four key steps to building a shadow IT strategy

Shadow IT was a constant problem for about a decade at the University of Michigan in Ann Arbor, said Tim Rolston, a former IT director there. So his group eventually became adept at managing and integrating shadow IT with official IT offerings. Based on that experience, Rolston recommends a four-step approach to building a shadow IT strategy.

1. Create an adoption path. Most users deploy shadow IT systems to fill a need that official IT systems have not addressed. Rolston calls such shadow IT systems "gap solutions."

"When you identify a successful gap solution running in your environment, embrace it, fund it and absorb it into your service catalog if it provides sufficient value," Rolston said.

2. Consider making adjustments to existing services. Sometimes, shadow apps simply work better for users than the equivalent offering in your IT service catalog. Therefore, "you should consider altering your [own] service to specifically address the concern prompting the shadow service," Rolston said. If you can, include the shadow IT end users to make them feel like a part of this process, and encourage adoption of the adjusted IT offerings.


Next, communicate to the entire user base that you're making a change to your service -- and why. "Give full credit to the folks who made the shadow system," he said. "This will encourage other folks to approach you with their needs, as opposed to creating [more] shadow systems."

3. Don't "squish" shadow IT if you can't provide a better service for end users. It's possible that you simply aren't able to provide a better offering than what a small-scale shadow IT system can provide. If that's the case, let the shadow apps continue to run, and offer whatever support or funding you can afford to give.

If you can't afford to support it, be upfront about it, Rolston said. "This will prevent the shadow IT offerings in your organization from going deeper underground and making their identification almost impossible," Rolston said.

4. Give "homegrown IT" awards. Organizations should give an award or recognition to end users with the best homegrown IT systems, or those with the best suggestions for improving existing IT services. "This will encourage folks to approach you with their homegrown systems or concerns before they go 'shadow,'" he said.

While the four steps above may not be appropriate for every organization, they "helped our users see that we were on the same team, as opposed to adopting an 'us versus them' mentality," Rolston added.

Improve to eradicate shadow IT risks

The presence of shadow IT can be a good indicator that the IT organization isn't meeting the objectives of the business. So, the focus shouldn't be on managing shadow IT or getting rid of it, but on making it unnecessary, said Ben Piper, an author and IT consultant at Ben Piper Consulting in Atlanta, GA.

When creating a shadow IT strategy, IT teams should seek out the business objective behind every request. When they get a request to install a new piece of software, ask, "Why?" to uncover the true business need. "Too often, IT thinks of itself as a service provider and neglects its consulting role in the business. An IT manager should be able to explain every item of IT spend in terms of business objectives met -- not services provided," Piper said.

Finally, remember that shadow IT risks have always existed, and will continue to exist, said Andrew Storms, VP of security services for New Context, a security consultancy in San Francisco. That means one of the best things IT can do when building a shadow IT strategy is communicate. "Get out of the cubes and go and speak with your users; creating and fostering that human bond goes a long way to understanding your users' needs and challenges," he said.
