{"id":9125,"date":"2022-12-08T07:11:19","date_gmt":"2022-12-08T15:11:19","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9125"},"modified":"2026-02-02T13:43:26","modified_gmt":"2026-02-02T21:43:26","slug":"start-reducing-your-organizations-shadow-it-risk-in-3-steps","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/start-reducing-your-organizations-shadow-it-risk-in-3-steps\/","title":{"rendered":"Start reducing your organization\u2019s Shadow IT risk in 3 steps"},"content":{"rendered":"

\"MicrosoftWe periodically update our stories, but we can’t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.<\/em><\/p>\n

You\u2019ve heard a lot about Shadow IT risk, but what is it and what should you do about it?<\/p>\n

Shadow IT is the set of applications, services, and infrastructure that are developed and managed outside of defined engineering standards. Experts predict somewhere between one-third to one-half of successful cyberattacks this year will be on Shadow resources (data via Gartner, Spin Technologies). With the average cost of a breach at $4.2 million in the US, it is critical to address Shadow IT risk.<\/p>\n

While this sounds scary, it\u2019s also important to remember that most Shadow solutions are created with good intentions, and in some cases, there\u2019s legitimate business need for a separately built solution.<\/p>\n

Often, teams want to build or buy their own solutions because they can engineer them more affordably or faster themselves, or they have more control over decision making to meet specific needs. These benefits are immediately tangible to teams and often appear to be the right approach. However, the homemade solutions become a risk to the company if teams don\u2019t comply with company standards.<\/p>\n

Building a team at Microsoft<\/h2>\n

Shadow IT can exist in any department or group across the company. At Microsoft, we focused our efforts on addressing Shadow IT within business functions\u2014groups that sit outside of traditional engineering organizations\u2014such as Marketing, Sales, and Human Resources, since they need the most technical support.<\/p>\n

In 2020, we created a centralized team to address Shadow IT across the company with a focus on Security and Engineering Fundamentals. After two years, we added a workstream for Accessibility as well. While this work is ongoing as we continue to raise the bar on our compliance standards, we\u2019ve made significant progress in all of these areas and learned many lessons along the way.<\/p>\n

How to approach Shadow IT in 3 steps<\/h2>\n

It\u2019s time to get to work, but where should you start? Here are three of the most important steps to take.<\/p>\n

Set up the right team<\/h3>\n

Create and fund a Shadow team within your security department that is fully responsible and accountable for driving forward your plan every day. This team should be sponsored by the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) and supported by both the IT and Finance departments. Ensure that the central Shadow team has dedicated resources to assist with inventory, driving engineering tooling adoption, and the ability to provide engineering guidance.<\/p>\n

\"Graphic
Create a structure for your centralized Shadow IT team.<\/figcaption><\/figure>\n

Once the Shadow team is set up, appoint a Directly Responsible Individual (DRI) within each department across the company who will be accountable for their respective division\u2019s security compliance. The DRI will become your security champion and primary point of contact. The Shadow team and the DRIs will work together to empower teams to self-manage their own assets.<\/p>\n

Set up standardized reporting<\/h3>\n

Create a measurement system with a scorecard to provide metric-based, actionable progress reports to teams and leadership. Focus your reports and discussions on the level of risk instead of compliance. This allows you to prioritize work and look past non-compliant areas that have exceptions. It\u2019s also important to note that red metrics on a scorecard are valuable indications of where you have gaps and how to prioritize resources. Once a red metric gets to green, it should be replaced with a new metric or a broader scope so that you can continuously improve your security posture.<\/p>\n

Communicating status to the right stakeholders is key. At the beginning of your journey, conduct reviews with executives frequently to build momentum and reinforce accountability. Over time, teams will be empowered to continue this work as a regular part of their business rhythm.<\/p>\n

Drive culture change<\/h3>\n

Foster a culture of security among all employees and vendors who own Shadow assets and services through trainings and customized support. Throughout the ongoing Shadow journey, encourage teams to break down compliance tasks into small, actionable tasks each quarter.<\/p>\n

By initially addressing the low hanging fruit, you\u2019ll set teams up for early wins and success. Once they achieve these initial goals, they should set new, bigger goals. This means they\u2019ll reset their metrics and KPIs back to a red state, continually expanding their scope and impact over time. At Microsoft, we celebrated teams who \u201cembraced the red.\u201d This allows for candid conversations about what\u2019s causing the red and what support teams need to get to green.<\/p>\n

To drive culture change successfully, it\u2019s important to have support from the top down and bottom up. Senior leadership should reinforce your messaging. Meanwhile, your centralized Shadow team should provide customized support and specific guidance to each department about the resources, funding, and skill requirements they\u2019ll need. Finally, remember to show empathy and appreciation for the work that is taking place. This often adds additional scope and creates a big learning opportunity for many employees and leaders.<\/p>\n

\"Key<\/figure>\n

Once you’re ready to reduce your organization\u2019s risk from Shadow IT, you can start putting plans in place to build and fund your centralized Shadow team, create a reporting system to measure and communicate progress, and drive culture change among leaders and employees.<\/p>\n

At first, your Shadow team will focus on the biggest engineering and security priorities. As your program gains traction, you will be able to empower departments to start managing this line of work on their own.<\/p>\n

To learn more about our ongoing journey on this topic and gain insights that can help you in your own efforts, read our article about how we manage Shadow IT<\/a>. There\u2019s no time like the present to get started!<\/p>\n

\"Related<\/figure>\n