CDO Challenges – Shadow IT

This instalment of CDO Challenges examines addressing the issue of shadow IT within data offices and the wider organisation and how it can affect operations.

What do they want? 

First, you need to address what it is that business decision makers are looking for. Examine the business objectives – particularly if your business's objectives are not aligned with the data objectives – and see if there are any common goals that you can utilise to demonstrate the value of data. For example, if one of the targets is about efficiency, see if there is a data-driven project you can create that can show how data can improve efficiency. A prime example of this in the real world would be if a supply chain business wanted to save money on fuel costs; the data office can highlight how it can project the most efficient and effective routes for vehicles to use, as well as examine the fluctuating costs of fuel to buy it from the cheapest source at any given time.

It is also worth evaluating what specialisms the decision makers at your business have. Was someone previously in finance, IT or operations? If so, see if you can tailor your data projects to involve facets of these departments and you will be more likely to catch their interest. The difficulty with this approach is finding something that works without shoehorning it in haphazardly. If it does not work naturally or does not make sense, do not force it. You can win their attention in other ways. Quality is what is needed, not quantity or gimmicks.  

Keep it relevant 

When you have an idea that you want to present to the decision makers, edit it down, edit it some more and then get someone else to check if it would be relevant. You want to show yourself to be as efficient and effective as possible and that you know exactly what the business leaders want to be informed about.

In the modern workplace, it is easy to lose an entire workday to back-to-back meetings. Therefore, it is imperative that you as a CDO make good use of the decision makers' time as well as your own. You want to get to the stage where, every time you meet with the decision makers, they know they are going to be impressed and intrigued by whatever it is you have to say.

It can be tempting to add in additional information or suggest new ideas because they are interesting to you and the data team, but this may miss the point or the aims of the department you are collaborating with. Make sure you keep the needs of the department front of mind when developing a presentation to promote data: the needs of the operations team will not be the same as those for sales. 

Check in with departments 

It is imperative that you make some time to connect with other departments – leaders and members – to ensure you can accurately understand their projects and aspirations. Furthermore, it helps them better understand data and, in time, develop their data knowledge and confidence.

Not only does checking in improve your knowledge of other departments' aims, but it also improves your standing within the wider organisation. It has been mentioned multiple times by DataIQ members that getting non-data departments to understand the scope and abilities of the data team is a hurdle that keeps arising. Enhancing the status of data is frequently touted as a key aim for CDOs and this is one prime way to achieve that goal.

Ultimately, the work you put in here will place the data team in better standing across all departments and to the business decision makers, as well as providing you with invaluable insights into what different players in the organisation need. 

Why do people do it? 

This raises the question of why staff members would bother to create a system outside of the organisational structure to get certain tasks completed. Shadow IT is unique among technology risks insofar as it is largely unintentional and comes about without any ill intent, unlike malware or ransomware attacks, but it can still be hugely damaging.

The first major reason for shadow IT is often people not being able to get the results they need to progress their projects and day-to-day tasks. This is more common in businesses with small and developing data teams where the ability to generate a diverse range of data sets might be limited. The driving factor behind this reason is that people actively want to do their job and improve the outcomes, but they find themselves limited by the tools available.

The second is unhappiness with the way the current system operates. With strict IT rules and administration, the checks and balances that need to be done can often feel like bottlenecks or a drag on output. It is remarkably common to have to contact an IT provider so that an assigned administrator can sign in, tick a single box and then leave in order to update a piece of computer software. This is frustrating, tedious and slow, and can make the staff member feel distrusted, as this should be a very simple task. Of course, the reasons for needing specific administrators to do even small tasks are security and compliance, which both vastly outweigh the inconvenience experienced by the staff member.

Finally, the growth of cloud-based systems and increased remote working during the pandemic have increased the difficulty of monitoring the types of shadow IT being used. It can be much easier for a staff member to save something into their own personal cloud system rather than dragging it into a specific business-provided solution which may involve additional clicks and tedious steps. Fortunately, the growth of cloud applications and accessibility has been strong, but a strong data culture is needed to maintain high standards and for staff to understand why shadow IT is bad.


Simply put, shadow IT is bad for compliance. Shadow IT systems are often developed outside of the rules and controls of the business, which can easily lead to serious data breach scenarios. The impact of data breaches can be vast, affecting not only the data directly involved but also the reputation of the organisation, which can be damaged irreparably.

When shadow IT is running, it will lead to data quality issues as it will often not conform to policies and best practices. Furthermore, data loss is a serious risk with shadow IT. When an employee has been using shadow cloud-based systems and then leaves the organisation, that data suddenly becomes unavailable and can be completely lost if the account is no longer supported or paid for.  

Compliance is one of the most pressing matters for businesses growing their data capabilities and enhancing their culture, so having an issue such as shadow IT can be hugely detrimental and frustrating. Shadow IT frequently breaks compliance with regulations, industry standards and laws – such as the General Data Protection Regulation (GDPR) – which can lead to fines, legal complications and reputational losses. For example, shadow IT means a business cannot know what software its employees use or monitor which authorised workers are accessing and handling sensitive data, which can break GDPR.


Data is all about driving efficiency and getting as much from a result as possible, which is why there is a hypocrisy to shadow IT: it is often utilised to create efficiencies when it actually causes more problems. At its simplest, shadow IT is inefficient because it means storing data in different and unaccountable silos within an organisation. Shadow IT applications usually do not integrate easily with sanctioned IT infrastructure, which causes unnecessary obstructions in workflows that rely on shared information or assets. If a team has been using one method outside of the organisationally approved systems for multiple years, the transfer of that data into the main system once it is discovered can be arduous and costly.

A business needs to be able to plan for capacity, system architecture, security and performance, and this is made impossible by shadow IT as it limits the knowledge of data flows. This in turn makes analysis and reporting less accurate and more complex, which can result in lost time and finances.

What can be done? 

There are some basic steps you can take when addressing shadow IT for the first time: 

  • Develop a clear and flexible corporate policy and guidelines that address security, compliance and best standards.
  • Educate employees on what shadow IT is and how it affects operations.
  • Provide tools to staff that avoid the need for shadow IT.
  • Examine cloud-based solutions to find the best and most secure option for your business.
  • Utilise shadow IT discovery tools to monitor for certain types of breach.

Some of these solutions will take time to implement and others come with a price tag, which can always be a tricky conversation to get past the decision makers in the business. However, the overall aim is to protect the business and eliminate threats such as shadow IT, and this is worth the small cost to get the ball rolling.
