Shadow IT: risky business? Takeaways from the Beltug X-change of 27/03/2018


Shadow IT can inspire innovation, and even lead to new solutions…but it is also a risky venture, occurring outside the control and approval of the organisation. So does it have a role in an efficient, compliant and secure ICT environment? Can it be managed, or is it the implacable nemesis of the responsible ICT department?


Beltug members gathered to learn from four companies about how they deal with the challenges, and the impact that Shadow IT, and their own efforts to cope with it, has on their organisations.


Presentations from the event are available, exclusively for Beltug members (after login).



Shadow IT at ACV-CSC: controlled creativity


Johan Vandewalle, IT Manager at ACV-CSC, started off by explaining that this union has a rather complex organisation. The ICT department aims to maximise standardisation, preferring to limit applications to a single software product per need; in general, it also prefers to use Microsoft tools where possible. A few challenges remain to be tackled, though (see slide 8).


Johan gave a piece of advice: use the upcoming GDPR to your advantage, to make a clean sweep. Take advantage of the momentum to inventory what is happening in your company, and eliminate everything redundant or unnecessary.


So how does ACV-CSC keep Shadow IT under control? Whenever a department or unit indicates it wants a specific tool, it is first asked to define why and how it wants to use this tool. Initially, the department can fund the tool itself, but once it is used by multiple departments, the cost can be covered centrally. Johan gave the example of printers: regional units can choose their printers, but within a framework defined by the central office.


Johan also described another approach to controlling Shadow IT: offering two networks at most locations. One network is strictly managed; the other (mostly for social media and smartphones) is lightly managed. Smartphones in general are not fully controlled by the central ICT organisation, yet the ACV-CSC O365 environment is duplicated on them as much as possible (the Outlook app for e-mail, 'official' and safe apps like Word for documents, etc.).


When ACV-CSC does want to keep things in check, it uses technical controls such as Bitlocker, etc. (slide 14). And looking towards the future, ACV-CSC tests new environments to control the infrastructure even further, while keeping the freedom and the potential for innovation fairly high.


Johan's main message: involve your business units in the story as much as possible, let them do their thing, and have them talk about their needs. Maintain a balance between control and liberty.


Shadow IT: keep your friends close and your enemies closer


Keep your friends close, and your enemies closer, Evert Steenhoudt, CISO at Colruyt Group, began. He described how, in the earlier world of mainframes, Pandora's box was nicely closed: IT set the rules and the business couldn't install things outside the box. Security-wise, there were no concerns. Today, the box is open. For a long time, Colruyt, a massive organisation, didn't really tackle Shadow IT, instead looking the other way: monitoring 30,000 colleagues is no easy thing! Along the way, Colruyt learned an important lesson: the business doesn't install shadow apps and services just to have them; people really want their business to move forward in the best, most efficient way.


Currently, the attitude at Colruyt has evolved to maximising the opportunities and minimising the risks, which include:

  • Increase of IT landscape complexity
  • Integration of external tools in internal processes
  • Sharing of critical company info
  • Etc. (see slide 13).


Between the two extreme options, block or embrace, Colruyt chose the middle course: concrete rules and regulations, while keeping the conversation and options open:

  • Free cloud tooling usage where possible
  • Officially adopt where feasible / required
  • Block only when necessary.


This approach creates opportunities for Colruyt's IT department: staff autonomy increases, internal development costs decrease, etc.


Combatting Shadow IT by building a strong relationship with business


Paul Loonen, CISO, and Jeroen Demesmaeker, IT Customer Relationship Manager, at Partena Professional, started their presentation with a list of reasons why Shadow IT can arise in an organisation:

  • IT is not functioning at the speed of business
  • IT is not delivering the services needed by business
  • IT is lightyears behind
  • IT is too expensive

They also admit that, even within the IT department, the IT staff uses the less-controlled 'shadow network' to make things happen.


They believe that, in the traditional IT model, the ICT department becomes a business 'disabler' when it simply blocks all kinds of tools, discouraging creativity and innovation. Don't block for the sake of blocking: ICT can end up with a reputation as a 'bad cop', which is far from constructive.


On the other hand, data and infrastructures have to be safeguarded, so we need controls and protections. 'Good cop, bad cop' is an important part of the strategy for managing Shadow IT, Jeroen explained: balancing protection with collaboration and communication with internal clients.


As IT evolves into a service with added value, Shadow IT will decrease, Partena believes. This attitude influences the evolution of its service desk of the future, e.g. automation in knowledge management, rather than endless troubleshooting.


Another part of the exercise is building a solid relationship with the business, including establishing new roles such as 'IT Business Liaison', 'IT Customer Relationship Manager' and 'IT Correspondent'.

IT at Partena progressed from (merely) accessible to empathic (they reach out themselves, rather than waiting for a question); from reactive to proactive; from a black box to transparency (slide 16).


Love to hate it! The Shadow IT conundrum


Wrapping up the agenda was Pieter Corneillie from the College of Europe, who approached the issue in the academic domain. Typical Shadow IT applications that pop up include bibliographical, contact management and communication tools. At the College, the 'mind-set' is not to just block or allow apps, but to manage and monitor users' needs and behaviour. Usability and user-centricity are key.


When talking about storage, it is important to make users aware that the existing systems are worthy alternatives to the ones they might want (e.g. OneDrive instead of Dropbox, FileSender instead of WeTransfer). But when it comes to communication tools, it's not always easy to provide alternatives: for example, the integration between Skype and Skype for Business is not yet ideal and sometimes creates business issues. When searching for alternatives, it is important to do so together with the business users.


And finally, while setting up Virtual Desktops wasn't intended to decrease Shadow IT, it did help, as did the Microsoft 'Cloud first' strategy.


Like our first speaker, Pieter uses the GDPR to clean up Shadow IT. Accountability is a key argument. (You can find Pieter's recommendations on slide 14.)