Shadow IT is the use of technology that the organisation has not authorised; typically cloud applications and services that employees adopt without the IT or security team's knowledge.
It is in many ways a continuation of the Bring Your Own Device (BYOD) debate. Note that I have not said the applications or services themselves are inherently insecure, nor that people use them for malicious purposes. More often than not the opposite is true.
Insecurity and risk enter the equation because, being unauthorised, shadow IT remains invisible to security controls: it is not inventoried, so it is not covered by access management, logging, patching or data-handling policy. The result is an unmanaged attack surface, and blind spots in your company's security implementation are never going to be a good thing.
Or are they?
There are upsides to shadow IT for just about any organisation, in that it can 'shine a light' on applications and services that aid productivity and might otherwise never have been considered by the business.
Equally, it can shine that light on a policy restriction that gets in the way of productivity, which the savvy employee simply works around. Adding a clause to the corporate policy that prohibits such workarounds isn't, when you think about it, likely to be effective; it just pushes the usage further out of sight.
If you want to truly embrace digital transformation and the business benefits it can bring, then bringing shadow IT into the fold is part and parcel of that. Striking the balance between convenience and control is key, and real visibility is the goal.
As I said at the outset, it's not the apps or services themselves that are the problem; it's that they are not visible to existing security measures. There's no reason they shouldn't be discovered, audited in the usual way for your organisation and brought under the umbrella of corporate security policy and control...
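Visibility has to start somewhere, and the cheapest place is usually the outbound web-proxy or DNS logs you already collect. The script below is an added example, not code from the original post: it assumes a hypothetical proxy log format of `<timestamp> <user> <method> <destination host> <bytes sent>` and a hypothetical allowlist of sanctioned SaaS domains, then reports every other destination as a shadow IT candidate, ranked by how many distinct users hit it and how much data they uploaded to it. The sample log lines are constructed for the example. Matching is done on a dot boundary so `evil-corp-crm.example` does not pass as a subdomain of `corp-crm.example`.

```python
"""Shadow IT discovery from web-proxy logs.

Added example, not from the original post. Assumptions (mine):
  - the proxy writes one line per request as
        <ISO timestamp> <user> <method> <destination host> <bytes sent>
  - the organisation keeps a list of sanctioned SaaS domains (SANCTIONED).
Everything not on that list is reported for review, ranked by distinct users
and bytes uploaded, because "who is sending how much data to an unknown
service" is the first question an auditor asks.
"""
from collections import defaultdict

# Hypothetical sanctioned services. A destination counts as sanctioned if it
# equals one of these domains or is a subdomain of one.
SANCTIONED = {"corp-mail.example", "corp-crm.example", "intranet.example"}

# Constructed sample log lines (not real traffic). One line is deliberately
# malformed to show that parse failures are skipped rather than crashing a run.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice POST mail.corp-mail.example 1400
2024-03-04T09:12:08Z alice POST drive.shadow-share.example 5242880
2024-03-04T09:15:22Z bob PUT api.shadow-share.example 2097152
2024-03-04T09:18:40Z bob GET intranet.example 0
2024-03-04T10:01:13Z carol POST notes.quicknotes.example 20480
2024-03-04T10:02:59Z alice GET files.corp-crm.example 0
malformed line that should be skipped
2024-03-04T11:30:00Z dave POST drive.shadow-share.example 10485760
"""


def registrable_domain(host):
    """Collapse a host to its last two labels (drive.shadow-share.example ->
    shadow-share.example). Adequate for the sample; a real deployment should
    use the Public Suffix List, because 'last two labels' is wrong for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sanctioned(host):
    """True if host is a sanctioned domain or a subdomain of one.
    The '.' prefix in the suffix test enforces a label boundary."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SANCTIONED)


def parse_line(line):
    """Return (user, method, host, bytes_sent), or None if the line doesn't parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, user, method, host, size = parts
    try:
        return user, method.upper(), host, int(size)
    except ValueError:
        return None


def discover_shadow_it(log_text):
    """Aggregate unsanctioned destinations by registrable domain.

    Returns {domain: {"users": set, "requests": int, "bytes_uploaded": int}}.
    Bytes are only summed for methods that carry a request body, so the figure
    approximates data leaving the organisation rather than total traffic."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, method, host, size = rec
        if is_sanctioned(host):
            continue
        entry = report[registrable_domain(host)]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT", "PATCH"):
            entry["bytes_uploaded"] += size
    return dict(report)


def ranked(report):
    """Domains ordered by distinct users, then bytes uploaded, largest first."""
    return sorted(
        report.items(),
        key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes_uploaded"]),
        reverse=True,
    )


if __name__ == "__main__":
    for domain, e in ranked(discover_shadow_it(SAMPLE_LOG)):
        print(f"{domain:24} users={len(e['users']):2} "
              f"requests={e['requests']:3} uploaded={e['bytes_uploaded']:>10} B")
```

Run against the sample, `shadow-share.example` comes out top with three users and roughly 17 MB uploaded, which is exactly the sort of finding that should start a conversation with those users about what the service is for, rather than a block rule. Once a service is reviewed and approved, it moves onto the allowlist and the same report keeps watching for the next one.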