The Evolution of Shadow IT
AI Edition
Shadow IT has long been an issue. CIOs and Heads of IT across the world have cursed its existence.
It has taken many forms over the years. And pertained to a number of different risks.
From the distant past of USB sticks left on trains and corporate files sent to personal email accounts, to cloud storage and file transfer services used to get around firewalls.
Some employees really did just want to use their personal laptop rather than whatever machine work had given them.
The bring-your-own-device, mobile-led era of 10-15 years ago just made things more complicated for the poor, exasperated IT department.
There have always been those individuals who had their preference for a particular email client or their favourite word processor or web browser.
There was a time when, if you had a team of 20 software engineers, you could be sure that they would be using one of 15 different IDEs with different plugins. Often purchased with their own money… just because it was their preference.
Entire teams would buy SaaS products off the shelf with their discretionary spend; Marketing, we are looking at you…
… buy a shiny new SaaS product and get really very frustrated with IT when they refuse to support them in the use of it.
And then there are those super keen individuals within teams. In recent, friendly times, we’ve referred to them as citizen developers… Other NSFW terms were previously used…
Those individuals who would use Excel or Access, combined with just enough scripting that they had learned over the weekend, to create a personal workflow assistant which made their lives a little bit easier.
… And then before you know it, these helpful hand-rolled tools have exploded; grown and morphed out of all control and are running critical business systems.
… critical business systems which only a single, relatively obscure individual knows anything about, or how it works… no one dares touch it… with all the business risk associated with that.
Power Apps and the Power Platform were the latest incarnation of this.
Monolithic monstrosities held together with chewing gum and good will.
The Next Wave
The threat has evolved and the risks are even higher.
… but so are the opportunities!
I saw a survey only last week that suggested half of all knowledge workers are now using some kind of personal AI tool.
... Personal AI ...
This means things like ChatGPT, DeepSeek, Gemini or whatever your personal chatbot of choice is.
These tools are helping teams to write emails or draft reports, to run automations or whatever else is going on in their work life.
Of course, the problem with using a personal tool rather than an approved enterprise tool is that it will be on some kind of free tier or personal account. All of that data is being leaked into the model; being leaked into the wider web and ecosystem.
And yes, there's a small chance that such information could come out as part of a response to some other platform user, but more likely, the bigger risk is of a security breach or a data leak at the provider level…
… this is a risk that you are not even monitoring.
The potential that one of the big service providers or state actors could be compromised…
… that the personally identifiable data of your prospects or your clients or your employees, or some kind of critical piece of information, could just be leaked out into the world and you don't even know about it.
You didn’t even know to look there. You were not aware of the attack vector.
But forget security
... this isn't even the biggest thing to worry about.
There are other associated risks.
The activity that was previously witnessed with a combination of Excel or Access and scripting… and then later Power Apps…
The fabled and much-lauded Citizen Developer now has super powers! Now we've got amazing tools like Cursor or Bolt.
Now individuals can build entire applications with a prompt, no coding experience required at all, joining systems together and moving data around. Building workflows and complex applications limited only by their own imagination.
These monsters will soon be unleashed.
But there is hope
There is a huge opportunity here.
Opportunity to harness the excitement and ingenuity of your people.
Every organisation on the planet now has a shadow IT problem. In fact, if you don't, you probably should be more worried.
Those individuals are precious and are driving technology and its adoption forward. They are those who will also take a lead in driving your organisation forward.
It's really important that we encourage and harness that enthusiasm.
But we must do so with transparency and with education.
How can we best maximise the opportunity that these tools bring to enable and encourage our fast followers and early adopters within our teams?
How do we really maximise the value that is available, and is coming?
The most important thing is to not ignore it.
This is happening.
Your teams are using these tools.
It doesn’t matter if you've banned them,
It doesn’t matter if you've got some very restrictive policies,
It doesn’t even matter if you've enabled a tool of choice,
… you can guarantee that these tools are coming so thick and fast that your team members are doing something else, something you don’t know about, something with a tool that you do not know exists.
Everyone will always choose convenience over security.
Many will choose novelty and learning opportunities over the monotony of the norm… and we need these people.
And this means that there's a whole bunch of activity going on that you're completely unaware of.
Bring it into the open
I would encourage everyone to bring this out into the open and enable your organisations to openly innovate.
To play, to try new things, to create little R&D sessions, to create innovation time, to enable people to explore, and ultimately bring education.
Yes it comes with risk. Without oversight and understanding, lack of education in this space will unleash some abominations on poor IT Teams.
However, we can help our teams understand that it's not just corporate IT being evil and wanting to keep control. The risks are real and are only going to increase over time.
Education is definitely possible in this space.
Consider that, after many years, all of us now are pretty internet savvy.
We go online and we're very careful about which websites we give our information to, whether it's our address, credit card information, health data or even our email address.
We are all very wary about who gets that data now.
And it's actually the same situation here. Which tools are you using? Which tools are you uploading information to? Which tools are you talking to and sharing ideas with?
It's important to educate our people so that they can make informed decisions. Locking these things down is basically not going to happen.
We want to be in a situation where innovation is encouraged, where our people are excited and our teams are together helping us to grow our organisations.
That is how to survive and thrive during this next wave.