KM Discussion 13: Shadow IT

"Hidden knowledge differs little from ignorance."
- Horace
 

Key Takeaways

  • Sometimes business needs conflict with resource constraints, policies and priorities of IT departments.
  • Shadow IT can emerge when workers believe that their ability to do their job is jeopardized due to the inadequacies of existing systems and setups.
  • Shadow IT is any technology solution used without the approval and formal support of the IT department.
  • According to a research paper published in 2019 in the International Journal of Information Systems and Project Management, misalignment between IT and the other business units was responsible for shadow IT 41% of the time. IT system shortcomings also represented 41% of the cited reasons.
  • When shadow IT systems are identified, there are four potential responses:     
         1.) Phase-out 
         2.) Replace 
         3.) Continue as IT-managed system
         4.) Continue as business-managed system
  • Two widely respected organizations – the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) – have developed a process, widely considered a best practice, for evaluating information security risk to systems:
         1.) Establish the context
         2.) Identify the risk
         3.) Analyze the risk
         4.) Evaluate the risk
         5.) Treat the risk
         6.) Accept the risk
         7.) Monitor the risk

 

References

Crowdstrike, Vanson Bourne, “2019 Crowdstrike Global Security Attitude Survey”. https://www.crowdstrike.com/resources/reports/global-security-attitude-survey-2019/
Fürstenau, D., Rothe, H. & Sandner, M. “Leaving the Shadow: A Configurational Approach to Explain Post-identification Outcomes of Shadow IT Systems”. Bus Inf Syst Eng (2020). https://doi.org/10.1007/s12599-020-00635-2
Klotz, S., Kopper, A., Westner, M., Strahringer, S. International Journal of Information Systems and Project Management, Vol. 7, No. 1, 2019, 15-43. DOI: 10.12821/ijispm070102
International Organization for Standardization, “Information technology – Security techniques – Information Security”. ISO/IEC 27005:2018(E)
Raković, L., Sakal, M., Matković, P., Marić, M. (2020). Shadow IT – A Systematic Literature Review. Information Technology and Control, 49(1), 144-160. https://doi.org/10.5755/j01.itc.49.1.23801
Spierings, Anthony; Kerr, Don; and Houghton, Luke, "What Drives the End User to Build a Feral Information System?" (2012). ACIS 2012 Proceedings. 6. https://aisel.aisnet.org/acis2012/6