
How to Eliminate Shadow IT—And How to Control It if You Can’t

7 min read Mansoor Ahmed

Let’s be honest. If you’re reading about “eliminating shadow IT” or “controlling shadow IT,” you already know you have a problem.

On the off chance that you stumbled on here without knowing too much about “shadow IT”, you’re in luck! Here’s a simple explainer for you.

That said, there is a big difference between knowing the risks and costs associated with shadow IT, and having a plan for getting it under control.

What follows are some suggestions for tackling your organization’s shadow applications head-on…and for ensuring that this risk is minimised in the future.

Elimination? Or Control?

Eliminating shadow IT entirely might be an unrealistic goal for some larger organizations. This holds true because users will always be tempted to bring their own devices and software into the environment, and they will often do so without the IT department’s knowledge or consent. But… maybe that’s an OK thing.

After all, one of the largest sources of shadow IT is “unauthorized” SaaS applications that users have signed up for on their own. Clearly, those users perceive some need that those apps can fill.

IT professionals agree that employees are more productive when using their preferred technologies. They also agree that companies need to leverage employee suggestions more often to deploy technologies. Unfortunately, that isn’t the norm. Hence the rise of shadow applications.

It’s often not the apps themselves that are problematic. The real problem is that these apps are not monitored or managed appropriately. So perhaps the solution is not to attempt a full-on elimination of shadow IT applications. Perhaps the solution is to give IT departments better control and insight, so that they can manage applications better and have a clearer picture of their use and their costs.


Once shadow IT applications are detected, the IT department has to make a decision: 1) Move and/or cancel, or 2) negotiate.

First, Get a Feel for the Scope of the Problem

By definition, shadow IT is at the fringes of visibility. Because the software purchase (or subscription) was not initiated or vetted by the IT department, there is no proverbial paper trail to identify the software, or its usage.

Of course, IT has ways of finding it. They do this by looking at patterns of network usage, for example, or by prying into browser histories. They can also mandate communications from departments or employees who purchase software. These are manual approaches, though, and take a lot of time…not to mention burdensome cooperation from employees and departments. 

Fortunately, those manual approaches are not necessary. Application discovery is one of the key features of best-in-class SaaS management tools, and it can remove the burden from IT teams and other employees. Perhaps more importantly, it removes guesswork and human error from holistic app discovery.

Automating Shadow App Discovery

Top things to look for when assessing shadow IT

By using automated application discovery, an IT department can get a much more accurate “head count” when it comes to subscriptions and licenses. The desired end result is a single dashboard that provides a cohesive source of truth with regards to the organization’s application usage. This should include not only information about which applications are present in the environment, but also:

  • The number of licenses or instances
  • When each user or license last accessed the software
  • How frequently key features are used
  • Monthly spend on each application

Conducting a Shadow IT Audit

Of course, these efforts should all be part of a proper shadow IT audit. But in addition to finding specific applications, it also pays to look at the numbers in aggregate. For example, you should find answers to questions like:

  • What is your total department spending on shadow IT?
  • How frequently are unauthorized purchases being made?

How you handle that software will depend on what was purchased, and why. For example, if users are purchasing software you already have licenses for, you have a communication problem on your hands. But if they are purchasing a subscription to some competitor of your software, you have a preference problem. If they are buying software that is not equivalent to anything IT offers, you have a communication gap to fix!
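The discovery “dashboard” fields listed above and the aggregate audit questions can be computed from the same raw input: a ledger of subscription charges that did not go through IT procurement, plus the catalogue of applications IT has sanctioned. The following Python script is an added example, not part of the original article and not Quolum’s product; the ledger, the sanctioned catalogue and the vendor-to-category lookup are all constructed sample data. It tags each discovered vendor with the three situations the paragraph above distinguishes (a duplicate of something already licensed, a competitor of something already licensed, or a genuine gap) and rolls up instances, monthly spend, total shadow spend per department and purchase frequency.

```python
"""Shadow IT audit over a constructed expense ledger (hypothetical data and names)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Applications IT has sanctioned, mapped to their category (constructed sample catalogue).
SANCTIONED = {
    "Mailchimp": "email-marketing",
    "Trello": "project-management",
    "Google Drive": "file-storage",
}

# Category of every vendor that may appear in spend data (constructed lookup;
# a real audit would source this from the SaaS management tool's vendor database).
VENDOR_CATEGORY = {
    "Mailchimp": "email-marketing",
    "Trello": "project-management",
    "Google Drive": "file-storage",
    "Asana": "project-management",
    "Dropbox": "file-storage",
    "Figma": "design",
}


@dataclass(frozen=True)
class Purchase:
    """One subscription charge that bypassed IT procurement."""
    vendor: str
    department: str
    purchaser: str
    amount: float
    billed_on: date


# Constructed sample ledger: card charges made by individuals or departments,
# deliberately excluding anything IT bought centrally.
LEDGER = [
    Purchase("Trello", "Marketing", "ana", 12.50, date(2023, 1, 5)),
    Purchase("Asana", "Sales", "bob", 30.00, date(2023, 1, 9)),
    Purchase("Dropbox", "Sales", "bob", 15.00, date(2023, 1, 9)),
    Purchase("Figma", "Design", "cy", 45.00, date(2023, 2, 1)),
    Purchase("Trello", "Marketing", "dee", 12.50, date(2023, 2, 5)),
    Purchase("Asana", "Sales", "bob", 30.00, date(2023, 2, 9)),
]


def classify(vendor):
    """Tag a vendor found in the ledger with the situation the audit must handle."""
    if vendor in SANCTIONED:
        return "duplicate"      # already licensed: a communication problem
    if VENDOR_CATEGORY.get(vendor) in SANCTIONED.values():
        return "competitor"     # sanctioned equivalent exists: a preference problem
    return "gap"                # nothing comparable on offer


def audit(ledger):
    """Build per-application dashboard rows plus the aggregate audit numbers."""
    months = len({(p.billed_on.year, p.billed_on.month) for p in ledger}) or 1
    per_app = defaultdict(lambda: {"instances": set(), "spend": 0.0, "last_billed": None})
    spend_by_department = defaultdict(float)
    for p in ledger:
        row = per_app[p.vendor]
        row["instances"].add((p.department, p.purchaser))   # distinct purchasers
        row["spend"] += p.amount
        if row["last_billed"] is None or p.billed_on > row["last_billed"]:
            row["last_billed"] = p.billed_on
        spend_by_department[p.department] += p.amount
    apps = {
        vendor: {
            "kind": classify(vendor),
            "instances": len(row["instances"]),
            "monthly_spend": round(row["spend"] / months, 2),
            "last_billed": row["last_billed"].isoformat(),
        }
        for vendor, row in per_app.items()
    }
    return {
        "apps": apps,
        "spend_by_department": dict(spend_by_department),
        "total_spend": round(sum(p.amount for p in ledger), 2),
        "purchases_per_month": round(len(ledger) / months, 2),
    }


if __name__ == "__main__":
    report = audit(LEDGER)
    for vendor, row in sorted(report["apps"].items()):
        print(f"{vendor:<12} {row['kind']:<10} instances={row['instances']} "
              f"monthly={row['monthly_spend']:.2f} last={row['last_billed']}")
    print("shadow spend by department:", report["spend_by_department"])
    print("total shadow spend:", report["total_spend"],
          "| purchases per month:", report["purchases_per_month"])
```

The `kind` column is what drives the next section’s decision: `duplicate` rows are candidates for moving users onto the existing licence, `competitor` rows for either a move or a negotiation on the sanctioned product, and `gap` rows for negotiating the shadow contract itself.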

Move, Cancel, or Negotiate Existing Shadow IT Assets

Step one was identifying shadow IT. The next step involves taking action on the specific application.

This decision should be taken on an application-to-application basis. Some shadow IT might be safe to continue using, with appropriate monitoring. Other applications may need outright cancellation. Here, then, are some options to consider for your applications:

Move data that needs to be moved

After identifying shadow IT applications, you must also assess what organizational data is being stored and/or shared externally. If data is being shared or stored externally, assess whether this is a compliance or security risk.

If yes, the affected data will likely need to be transferred to appropriately authorized applications. 

A simple example of this would be an employee storing information in their personal OneDrive, Dropbox, or Google Drive account. Not only does this potentially expose certain data, but those files really should be in corporate accounts—and before that employee leaves.

Other apps, too, might want to integrate with applications that IT has already secured. But that integration then creates a possible path to a data breach, since the “safe” app is now connected to an unvetted one. This happens often, for example, with third-party CRM systems and protected medical information (PMI) covered by HIPAA.

Get users on existing licenses and contracts

It happens all the time. A company has an existing account with a piece of SaaS software—Mailchimp, for example, or maybe a Trello board—but then individuals and departments, for whatever reason, buy their own licenses (or simply use an existing account from somewhere else). This redundancy can be cleaned up by transferring users to existing licenses that were sanctioned properly. Doing this might require exporting/importing user data, updating passwords, and possibly even upgrading your software package.

If an official solution does not exist, negotiate the contract

If your company does not have a comparable software solution for a shadow IT application, and that application fills a user need, your organization just might have to keep it. But even granting that the app is useful, it’s highly unlikely that your users negotiated the best terms. The application might not be “right-sized,” and it is likely the purchaser simply agreed to the clickthrough terms…which are seldom the most favorable for the buyer.

It may be well worth contacting the company to re-negotiate terms. This will be especially effective (and useful!) if you have future plans for rolling out the application more widely within your organization. An enterprise-sized organization can leverage its pull to get a contract significantly better than the agreement offered to individuals.

It may be worthwhile to engage an attorney/procurement specialist, even for software for a few employees. This is because click-through terms are largely enforceable in most jurisdictions.


That said, if an official solution does exist…you can still negotiate

When you do have an official IT-sanctioned solution, it’s worth taking another look at your contract. You could even consider negotiating one if you do not have one.

Transferring a group of users to your sanctioned solution might well increase the number of licenses you need, as well as the features you now require. Indeed, much shadow IT exists because users simply need features that they thought did not exist with the official solution. For example, some SaaS applications (Salesforce is a popular one) offer 24/7 support for their enterprise customers only. A regional office might purchase an enterprise package, feeling they need that support and assuming that it would be otherwise unavailable through the company’s current solution.

Following a shadow IT audit is the perfect time to (re)negotiate those SaaS contracts. This is a win-win: Employees can continue to enjoy the same software and features, costs and services are controlled, and the software is now monitored appropriately.

Don’t forget to cancel subscriptions


This is obvious, but it helps to have the reminder: Cancel those unused subscriptions. Otherwise, they might continue to run up your bill even though your users are now using something else. While some software is very good about the cancellation procedures, you will need to be much more careful with others; cancelling SaaS software is not always easy or direct, and some companies are happy to continue taking your money for “shelfware.” Be intentional about cancelling software, and do it sooner rather than later.

Provide ongoing support during the transition

Getting employees from shadow IT applications to fully sanctioned ones is not simply a matter of creating some accounts and doing a lift-and-shift on the data. You will need to do some “people management” as well. For example, are your employees appropriately trained on company software? Are they aware of all the features available? Do they understand the risk that shadow IT presents to the organization? Are there any worries or hesitations they have? These are all things you will need to assess as you combat shadow IT.

Eliminating Shadow IT in the Future

Again, as an IT leader, you might not be able to eliminate the use of all shadow IT—indeed, some SaaS applications wiggled their way into your organization precisely because your users found some utility in them.

That said, you can be proactive in preventing such hidden gems from cropping up in the first place. This will require some ongoing effort:

Provide proper training for vetted applications

Users sometimes turn to their own applications because they are comfortable, whereas the ones that are sanctioned by the IT department are unfamiliar or complex. Make sure that you are providing the appropriate level of training to users so that they feel less need to turn to outside applications.

Forge connections with leaders to ascertain needs

Some shadow IT applications come about simply because users were unaware of the software (or features) already available. Other times, the lack is not just perceived, but real. You can get out ahead of shadow IT purchases by ensuring that your team is providing the technology solutions that everybody needs, before they go out hunting on their own.

Make everyone aware of the problems with shadow IT

There’s no lack of content outlining the various risks that come with shadow IT: compliance issues, cyber-security issues, spiralling costs, lack of visibility, etc. Users should be made aware of these risks. They need to pause when their first reaction is to sign up for a new application. Even better if they then contact your department for help.

Invest in SaaS discovery and management

When you want to identify and control shadow IT, you do not have to do it alone. Modern SaaS management tools are purpose-built to address today’s security challenges and facilitate effective IT spending. Bring shadow apps into the light with holistic app discovery, shadow IT tagging, and streamlined renewal management. Contact Quolum to learn more about our SaaS management tool and receive access.
