What is Shadow IT?

The explosion of Software-as-a-Service (SaaS) in recent years dramatically changed how organizations acquire software, with organizations adopting an average of six new SaaS applications each month.

By design, the cloud-based nature and low cost of SaaS applications make it easier for teams and individual employees to obtain new tools to boost productivity, enhance collaboration, and optimize training—often expensed through accounts payable or a company credit card.

But unregulated employee spending on SaaS also comes with a downside, most notably as a source of shadow IT. While the name sounds ominous, the shadow IT definition is fairly straightforward. It simply refers to acquiring software and services outside the ownership or control of centralized IT organizations.

Shadow IT examples include everything from SaaS applications sourced by business units to individual licenses adopted (and then expensed) by employees. When left uncontested, shadow IT can lead to wasted spend on unnecessary or redundant SaaS applications, inability to rightsize licenses, security and compliance issues, and more.

Shadow IT Risks

Allowing individual employees to purchase SaaS tools isn’t inherently problematic. Issues arise, however, due to a lack of centralized governance by IT teams, who normally control IT budgets and spending, and vet security protocols.

According to Zylo’s 2023 SaaS Management Index, today’s IT departments control just 31% of all SaaS spending in the typical company—but directly manage only 18% of SaaS applications. With this data, it’s easy to see how shadow IT increasingly becomes problematic for organizations of all sizes.

Some of the key shadow IT risks include:

• Increased costs: Unmanaged purchases and unknown spending on SaaS applications can quickly spiral out of control. According to Zylo data, about one-sixth of all employees purchase SaaS applications via credit cards and expense reimbursement at an average cost of about $600 per SaaS tool.
• Decreased value for existing software investments: De-evaluation occurs when employees independently purchase SaaS applications that directly compete with company-managed software. For example, many employees purchased Zoom Pro accounts during the start of the COVID pandemic at a cost of $15 per month, even when their organizations already paid for and managed a separate video conferencing solution.
• Increased likelihood of cybersecurity risks: Potential security risks multiply when software applications bypass IT’s standard vetting and security review. From personally identifiable information (PII) to intellectual property, SaaS applications contain a wealth of business-related data. Considering the average data breach costs organizations more than $9.44 million dollars, shadow IT poses a significant risk.
• Increased risk of violating privacy regulations: For industries regulated by laws pertaining to privacy, consumer data, or health information, shadow IT in SaaS tools represents potential violations. Regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), mandate wide-ranging implications for the use of, storing, and transferring of consumer data and privacy.

How to Combat Shadow IT

Similar to SaaS management best practices, organizations can find all shadow IT instances by following a SaaS discovery process. Then, they can limit Shadow IT by actively monitoring it.

Most organizations underestimate the number of applications operating within their technology stack. Zylo data shows the average large organization maintains more than 600 applications.

Multiple methods exist for discovering and inventorying shadow applications and their attributes, including:

• Manual spreadsheet inventory: While cost-effective, manual inventory can be problematic for larger organizations, due to the length of time it takes to collect the information, the high likelihood of inaccuracies in reporting, and the lack of continuous monitoring needed to keep an up-to-date inventory.
• Single Sign-On (SSO): SSO tools offer a highly effective method for discovering SaaS applications. However, only IT-managed tools get added to SSO platforms, meaning shadow IT often remains unmanaged.
• Web browser plugins: While practical and effective, employees may bypass these plugins by searching in a private window or incognito mode, hindering discovery of Shadow IT.
• Cloud Access Security Broker (CASB): CASBs monitor data that passes between an organization and cloud-based data centers. Employees often inadvertently circumvent CASBs by accessing applications from a personal device, keeping IT in the shadows.
• Financial analysis: Perhaps the most straightforward method—examining financial records, including accounts payable and expense reimbursement records—can uncover shadow IT across all business units, teams, and individual purchases.

By following the money, regardless of the procurement process, organizations can identify a comprehensive view of their shadow IT spend. Many businesses now utilize SaaS management tools, such as Zylo’s Discovery Engine, and SaaS management platform to provide a near 100-percent accuracy for SaaS detection and categorization.

Pros and Cons

As a software category, SaaS is now the largest market segment of public cloud services. In fact, Gartner predicts global SaaS spend will grow up to $195 billion – up from $167 billion in 2022.

A key reason for this explosive growth is the fact that the majority of SaaS application purchases no longer originate in IT budgets, but in lines of business (LOB) budgets. In fact, International Data Corporation projects that 70% of all application purchases are now sourced from business budgets. This trend of decentralized purchasing is likely to continue, and direct IT management of SaaS applications will likely decrease, leading to more decentralized IT environments and increased shadow IT.

Aside from the notable risks—wasted spend, data breaches, redundant purchases, privacy violations—shadow IT offers some benefits.

With shadow IT only expected to increase as SaaS continues to grow as a cloud software market segment, savvy organizations must innovate and find new ways to transform the challenges of shadow IT into new opportunities.

See how the world’s most innovative companies deploy SaaS management to control costs and risks from shadow IT using Zylo’s SaaS Management Platform.