From Shadow IT to Business-Led IT: A Strategic Paradigm Shift

May 5, 2024

Sarah W. Frazier

Shadow IT—software tools and applications adopted by teams without IT’s formal approval—presents a unique challenge and opportunity for IT and security professionals. While shadow IT can feel like a backdoor undermining our security protocols, employee-initiated SaaS demonstrates the innovative spirit of our workforce seeking to optimize their productivity.

However, the big question is, how can an organization move from shadow IT risks to a culture of employee empowerment? As stewards of our organization's digital landscape, we must find a balance that allows flexibility without compromising security.

How We Got Here

By and large, we can blame the pandemic and the increasing acceptance of SaaS for the rise of shadow IT. Employees who were now working remotely found it easy and convenient to start cloud subscriptions on their own without consulting IT. According to research by Productiv, SaaS adoption skyrocketed 62% in the first year (2019-2020) of COVID lockdowns. Then, in 2020-2021, SaaS portfolios grew another 28%. Follow-up research by Productiv revealed that much of the COVID-era SaaS growth came from unmanaged and shadow apps, with 56% of an organization’s SaaS lacking governance and SSO.

Now that employees have had a taste of SaaS independence, they’re showing no signs of returning to the old ways of requesting IT reviews and approvals. In fact, employees (or teams) initiating their own SaaS subscriptions has become the norm. Gartner predicts that in the next three years, 75% of employees will acquire, modify, or create SaaS apps without consulting IT.

When SaaS goes unmanaged and hidden from IT’s purview, it creates risk. However, when we can control and mitigate those risks, it creates opportunities for enterprise empowerment, a.k.a. “business-led IT.”

Why Support Business-Led IT?

Employees often turn to unsanctioned apps because those apps meet immediate needs faster than the pace of corporate IT approvals. Understanding this, you can better align your IT strategies to support these needs securely rather than boxing them out.

Building Bridges, Not Walls: Empowering with Oversight

The key to harnessing the potential of business-led IT initiatives lies in creating a responsive IT environment that adapts to employee needs. Here’s how:

1. Foster Open Communication

Encourage departments to discuss their tech needs openly. Create channels for employees to request and review software so that they feel supported rather than restricted. Establishing open communication will also help employees ask questions and share cyber missteps without the fear of retribution.

2. Develop a Rapid Response Approval Process

Allow employees to choose the apps they want to use, but streamline your tech review process to reduce the appeal of going rogue with app registration. Quick turnarounds for app evaluations and approvals can reduce your shadow IT risks early in the process.

3. Educate and Inform

Regular training sessions on the risks associated with unauthorized software and new AI features can enlighten teams about potential cyber threats and unintentional leaks of proprietary information. Knowledge empowers employees to make smarter tech choices and be more aware of the consequences of their actions.

4. Leverage Automation

Use software and tools to streamline the process of managing new SaaS requests. This will reduce the time and resources required to review and approve requests that comply with corporate policies or regulatory standards. Employees will also experience less disruption and get feedback quickly on whether their actions affect the company's security posture.

The New Rules for a Business-Led IT Environment

As Security and IT leaders, it’s also important to rethink your roles and strategies in a business-led IT environment. The goal is to lead with flexibility and foresight while keeping your security objectives front and center. Since SaaS acquisition is shifting to a more agile, employee-driven approach, the “rules” in which IT and SecOps operate must also adapt.

What are the new rules?

  1. Embrace decentralized SaaS acquisition.
  2. Centralize SaaS security.
  3. Automate everything you can.
  4. Accept continual change.

Let’s explore each in more detail.

Embrace Decentralized SaaS Acquisition

What this Means: Allow individual departments the flexibility to select and procure their own SaaS solutions. A decentralized approach recognizes the unique needs of each team, supports innovation, and empowers employees to find the best tools to address their specific challenges.

What you Gain: Agility and efficiency. Decentralized SaaS enables your organization to scale and innovate faster, as employees know the best tools for their roles. However, SaaS decentralization also brings additional risks and therefore requires guardrails.

How to Implement: Set up a framework that outlines clear criteria and boundaries for SaaS acquisition. Be sure to address AI apps and newly launched AI features within existing apps, and make your company’s AI policy easily accessible. Include a vetted list of acceptable and secure apps that teams can use at their discretion, like Asana, Trello, or Canva, and a straightforward process for individual departments to submit new software or AI features for IT to review and manage, like Marketo, Zoom, or Chorus. By decentralizing responsibly, you ensure that innovation is not stifled by bureaucracy.

Centralize SaaS Security

What this Means: While decentralizing as much app acquisition as reasonably makes sense, the security of SaaS applications must be centrally managed. Centralization keeps you in the know, empowering you to take action as needed and reducing the risk of breaches and data leaks. Centralization comprises two primary components:

  1. Ensuring uniform security protocols exist across all software so that you can maintain your security posture.
  2. Involving the right people who can appropriately advise who should have access and at what level. In this new era of shadow SaaS and SaaS sprawl, you need to involve end users (e.g., through justification) and business app owners (e.g., to review access) to effectively scale the management of SaaS procured in a distributed fashion.

What you Gain: Visibility and control. You can better manage your organization’s attack surface, creating a more secure enterprise.

How to Implement: Centralizing SaaS security when SaaS acquisition is decentralized will be challenging without the right technology. You cannot manage what you don’t know about. Shameless plug: that’s why we invented the SaaS Security Control Plane. Using identity as the primary control point provides visibility into all SaaS usage, regardless of how it was initiated. The SaaS Security Control Plane allows IT and security teams to discover previously unknown SaaS usage across an enterprise, prioritize risks based on severity and potential impact on your security posture, secure shadow SaaS and rogue cloud accounts, and facilitate risk mitigation or remediation.

Automate Everything You Can

What this Means: Because SaaS usage has exploded, managing it without automation is overwhelming. Your goal is to leverage technology to automate repetitive and manual security tasks, such as password rotation, offboarding shadow SaaS accounts, and OAuth scope reviews, to name a few. Automation increases efficiency and reduces human error, which is a leading cause of security incidents.

What you Gain: Efficiency, speed, and predictability. We all get busy, and in high-volume periods, it’s easy to forget the critical details, delay them, or make errors in our hurriedness. The solution: automate them instead.

How to Implement: After Grip discovers shadow SaaS and evaluates each app for risk, use the data to take the appropriate action. These actions and workflows are wide-ranging: offboarding, justification, notification, recommending SSO/MFA, and more. Ideally, these actions should be automated as much as possible, and Grip can streamline your processes with:

  1. Built-in workflows to revoke access to shadow SaaS (e.g., via password rotation) and seek justification for new apps.
  2. Integrations with existing security, identity, and workflow tools to tie into existing automation of business flows.

Accept Continual Change

What this Means: The only constant in technology is change. Embracing this fact is crucial for staying relevant and secure. Shadow IT will continue to grow, but acknowledging, accepting, and adjusting to accommodate how SaaS is acquired today enables you to transform a risk source into a competitive advantage. In other words, make SaaS security lemonade from shadow SaaS lemons, moving from a vulnerable state created by unmanaged and unsecured SaaS to a business-led IT organization.

What you Gain: Enterprise enablement. IT and SecOps become facilitators of corporate objectives and trusted business advisors.

How to Implement: Foster a continuous learning and improvement culture within the IT and SecOps teams. Regular training, attending industry conferences, and staying abreast of new research and workforce trends are essential. By staying adaptable, you’ll not only keep up with changes but can also anticipate and prepare for future challenges.

Fostering Innovation

Shadow SaaS challenges traditional IT and SaaS processes but also opens the door to a more dynamic and competitive enterprise. By adapting your SaaS policies to empower your workforce, you foster a culture of innovation within secure boundaries. Remember, the goal isn’t to control every choice but to enable safe, smart, and efficient technology decisions across the company while retaining visibility into what’s being used and where your potential risks lie.

For more on how to move your organization from the risks that shadow IT creates to a business-led IT environment, we invite you to book time with our team. Discuss your challenges and see how Grip works. We promise, it's well worth your time. Book time now.
