For years, the unvetted and unauthorized technology known as shadow IT has been the scourge of federal IT shops. But more agencies now believe the often surreptitious technology can help in nontraditional ways.
“It’s not necessarily malicious or sinister,” says Al Bowden, CISO at the State Department. “Often, it results from a perfect storm of legitimate circumstances.”
With that in mind, Bowden’s staff have increased their monitoring of unsanctioned hardware and software. They also are working more closely with the entire department to identify technology gaps in hopes of eliminating shadow IT.
The State Department’s nuanced approach is a model for agencies struggling with the issue, according to IT consultants and security experts at the National Institute of Standards and Technology (NIST). This philosophy, they say, can reduce security risks and provide insight into how to improve day-to-day operations.
Adopting this ideology occasionally requires some soul-searching.
“IT leaders sometimes must look in the mirror and ask if we’re being responsive enough to the organization,” Bowden says. “Is there more we should be doing to help end users better understand the governance process that’s in place to address their needs?”
Before they can reap the hidden rewards of shadow IT, CIOs first must understand the dangers it presents. Security tops that list.
What Are the Root Causes of Shadow IT?
“Shadow IT creates blind spots, which means organizations incur risks without the knowledge of the CIO or CISO,” says Matthew Scholl, chief of the computer security division at NIST.
The gaps can appear in hardware or software. Kevin Cox, the manager for the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, says agencies are using tools such as hardware and software asset management to discover uncataloged devices. This year, IT leaders found, on average, 44 percent more devices on agency networks than expected.