How to Eliminate Shadow IT—And How to Control it if You Can’t

7 min read Mansoor Ahmed


What follows here are some suggestions for tackling your organization’s shadow applications head-on…and for ensuring that, in the future, those applications don’t take root in the first place.

Let’s be honest: If you’re reading about “eliminating shadow IT” or “controlling shadow IT,” you already know you have a problem. But there is a big difference between knowing the risks and costs associated with shadow IT, and having a plan for getting it under control.

Elimination? Or Control?

Eliminating shadow IT entirely might be an unrealistic goal for some larger organizations, simply because users will always be tempted to bring their own devices and software into the environment, and they will often do so without the IT department’s knowledge or consent. But maybe that’s an OK thing.

After all, one of the largest sources of shadow IT is “unauthorized” SaaS applications that users have signed up for on their own. Clearly, those users perceive some need that those apps can fill.

IT professionals agree that employees are more productive when using their preferred technologies, and that companies need to leverage employee suggestions more often to deploy technologies. 

It’s often not the apps themselves that are problematic. The problem is that these apps are not being appropriately monitored and managed. So perhaps the solution is not to attempt a full-on elimination of shadow IT applications. Perhaps the solution is to gain better control and insight so that IT departments can manage applications, getting a clearer picture of their use and their costs.


Once shadow IT applications are detected, the IT department has to make a decision: 1) Move and/or cancel, or 2) negotiate.

First, Get a Feel for the Scope of the Problem

By definition, shadow IT is at the fringes of visibility. Because the software purchase (or subscription) was not initiated or vetted by the IT department, there is no proverbial paper trail to show where the software is lurking, or how often it is being used.

Of course, IT has ways of finding it—by looking at patterns of network usage, for example, or by prying into browser histories. They can also mandate communications from departments or employees who purchase software. These are manual approaches, though, and take a lot of time…not to mention burdensome cooperation from employees and departments. 

Fortunately, those manual approaches are not necessary. Application discovery is one of the key features of best-in-class SaaS management tools, and it can remove the burden from IT teams and other employees. Perhaps more importantly, it removes guesswork and human error from holistic app discovery.

Automating Shadow App Discovery

Top things to look for when assessing shadow IT

By using automated application discovery, an IT department can get a much more accurate “head count” when it comes to subscriptions and licenses. The desired end result is a single dashboard that provides a cohesive source of truth with regards to the organization’s application usage. This should include not only information about which applications are present in the environment, but also:

  • The number of licenses or instances
  • When each user or license last accessed the software
  • How frequently key features are used
  • Monthly spend on each application

Conducting a Shadow IT Audit

Of course, these efforts should all be part of a proper shadow IT audit. But in addition to finding specific applications, it also pays to look at the numbers in aggregate. For example, you should find answers to questions like:

  • How much are departments spending on shadow IT in total?
  • How frequently are unauthorized purchases being made?

How you handle that software will depend on what was purchased, and why. For example, if users are purchasing software you already have licenses for, you have a communication problem on your hands. But if they are purchasing a subscription to some competitor of your software, you have a preference problem. And if they are buying software that is not equivalent to anything IT offers, the problem clearly is that the department is not hearing or meeting users’ needs.
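The audit aggregates and the three-way triage described above, as an added example that is not the article’s or Quolum’s code. The subscription records and the sanctioned-app catalog are constructed for illustration, and the `category` field is an assumption standing in for whatever need-tagging your discovery tooling provides.

```python
"""Shadow-IT audit triage (added example, not Quolum's code).

Each unsanctioned subscription is classified the way the article describes:
already licensed -> communication problem (move users onto the sanctioned
account), competitor of a sanctioned app -> preference problem, no equivalent
-> unmet need. Spend and purchase counts are aggregated per department.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscription:
    app: str
    department: str
    monthly_spend: float
    category: str        # assumed: the need the app fills, e.g. "file-sync"
    sanctioned: bool     # was the purchase vetted by IT?


# Constructed catalog of IT-sanctioned apps, keyed by the need they cover.
SANCTIONED = {"file-sync": "OneDrive", "crm": "Salesforce", "email-marketing": "Mailchimp"}


def classify(sub: Subscription) -> str:
    """Map an unsanctioned subscription to the article's three problem types."""
    official = SANCTIONED.get(sub.category)
    if official is None:
        return "unmet-need"       # nothing IT offers fills this need: keep and negotiate
    if official.lower() == sub.app.lower():
        return "communication"    # duplicate of an existing license: move users over
    return "preference"           # competitor of the official tool: move or negotiate


def audit(subs):
    """Return (spend per department, purchase count per department, triage list)."""
    spend, count, triage = defaultdict(float), Counter(), []
    for s in subs:
        if s.sanctioned:
            continue              # only shadow purchases count toward the audit
        spend[s.department] += s.monthly_spend
        count[s.department] += 1
        triage.append((s.app, s.department, classify(s)))
    return dict(spend), dict(count), triage


SAMPLE = [  # constructed records, as a discovery tool or expense feed might yield
    Subscription("Dropbox", "Marketing", 150.0, "file-sync", False),
    Subscription("OneDrive", "Marketing", 60.0, "file-sync", False),
    Subscription("Salesforce", "Sales", 2400.0, "crm", True),
    Subscription("Notion", "Engineering", 96.0, "wiki", False),
]

if __name__ == "__main__":
    for part in audit(SAMPLE):
        print(part)
```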

Move, Cancel, or Negotiate Existing Shadow IT Assets


Once shadow IT assets have been discovered, a choice has to be made: How, exactly, will each one be dealt with?

This should be done on an application-by-application basis. Some shadow IT might be safe to continue using, as long as it is monitored. But some might need to be cancelled outright. Here, then, are some options to consider for your applications:

Move data that needs to be moved

Once you know what shadow IT is being used, you should also assess what organizational data is being stored and/or shared externally, and whether this causes any issues when it comes to compliance or security. If so, that data will likely need to be moved into appropriately authorized applications. 

A simple example of this would be an employee storing information in their personal OneDrive, Dropbox, or Google Drive account. Not only does this potentially expose certain data, but those files really should be in corporate accounts, and they should be moved there before that employee leaves.

Other apps, too, might be integrated with applications that IT has already secured. But that integration creates a path for data breaches, since the “safe” app is now connected to an unvetted one. This happens often, for example, with third-party CRM systems and protected health information (PHI) covered by HIPAA.

Get users on existing licenses and contracts

It happens all the time: A company has an existing account with a piece of SaaS software—Mailchimp, for example, or maybe a Trello board—but then individuals and departments, for whatever reason, buy their own licenses (or simply use an existing account from somewhere else). That redundancy needs to be cleaned up by transferring users to existing licenses with the sanctioned account. Doing this might require exporting/importing user data, updating passwords, and possibly even upgrading your software package.

If an official solution does not exist, negotiate the contract


If your company does not have a comparable software solution for a shadow IT application, and that application fills a user need, your organization just might have to keep it. But even granting that the app is useful, chances are good that your users did not bother to negotiate the best terms. The application might not be “right-sized,” and it is likely the purchaser simply agreed to the clickthrough terms…which are seldom the most favorable for the buyer.

It is well worth contacting the company to re-negotiate terms. This will be especially effective (and useful!) if you have future plans for rolling out the application more widely within the organization. An enterprise-sized organization can leverage its pull to get a contract significantly better than the agreement offered to individuals. (Even if the software will only be used by a few employees, it is worth having an attorney and/or procurement take a look, because click-through terms are enforceable.)

That said, if an official solution does exist…you can still negotiate

When you do have an official IT-sanctioned solution, it’s still worth taking another look at your contract (or negotiating one if you do not have one).

Transferring a group of users to your sanctioned solution might well increase the number of licenses you need, as well as the features you now require. Indeed, much shadow IT exists because users simply need features that they thought did not exist with the official solution. For example, some SaaS applications (Salesforce is a popular one) offer 24/7 support for their enterprise customers only. A regional office might purchase an enterprise package, feeling they need that support and assuming that it would be otherwise unavailable through the company’s current solution.

Following a shadow IT audit is the perfect time to (re)negotiate those SaaS contracts. This is a win-win: Employees can continue to enjoy the same software and features, costs and services are controlled, and the software is now under the watchful eye of the IT department.

Don’t forget to cancel subscriptions


This is obvious, but it helps to have the reminder: Cancel those unused subscriptions. Otherwise, they might continue to run up your bill even though your users are now using something else. While some vendors make cancellation straightforward, you will need to be much more careful with others; cancelling SaaS software is not always easy or direct, and some companies are happy to continue taking your money for “shelfware.” Be intentional about cancelling software, and do it sooner rather than later.

Provide ongoing support during the transition

Getting employees from shadow IT applications to fully sanctioned ones is not simply a matter of creating some accounts and doing a lift-and-shift on the data. You will need to do some “people management” as well. For example, are your employees appropriately trained on company software? Are they aware of all the features available? Do they understand the risk that shadow IT presents to the organization? Are there any worries or hesitations they have? These are all things you will need to assess as you combat shadow IT.

Eliminating Shadow IT in the Future

Again, as an IT leader, you might not be able to eliminate the use of all shadow IT; indeed, some SaaS applications wiggled their way into your organization precisely because your users found some utility in them.

That said, you can be proactive in preventing such hidden gems from cropping up in the first place. This will require some ongoing effort:

Provide proper training for vetted applications

Users sometimes turn to their own applications because they are comfortable, whereas the ones that are sanctioned by the IT department are unfamiliar or complex. Make sure that you are providing the appropriate level of training to users so that they feel less need to turn to outside applications.

Forge connections with leaders to ascertain needs

Some shadow IT applications come about simply because users were unaware of the software (or features) already available. Other times, the lack is not just perceived, but real. You can get out ahead of shadow IT purchases by ensuring that your team is providing the technology solutions that everybody needs, before they go out hunting on their own.

Make everyone aware of the problems with shadow IT

There’s no lack of content outlining the various risks that come with shadow IT: Compliance issues, cyber-security issues, spiralling costs, lack of visibility, etc. Users should be made aware of these risks. They need to pause when their first reaction is to sign up for a new application. Even better if they then contact your department for help.

Invest in SaaS discovery and management

When you want to identify and control shadow IT, you do not have to do it alone. Modern SaaS management tools are purpose-built to address today’s security challenges and facilitate effective IT spending. Bring shadow apps into the light with holistic app discovery, shadow IT tagging, and streamlined renewal management. Contact Quolum to learn more about our SaaS management tool and receive access.
