

Managing the SaaS Revolution & the rise of Shadow IT

The introduction of Software-as-a-Service (SaaS) in the late '90s marked the beginning of a paradigm shift. Since then, SaaS applications have proliferated exponentially, and in the process Shadow IT has thrived, often unnoticed by IT teams and sometimes tolerated by them.


This article is the first in a series focused on navigating the SaaS Revolution. It highlights why large organisations need to prioritise SaaS management from 2023 to 2027.

The urgent need to act for large organisations

Software-as-a-Service (SaaS) has profoundly changed the IT ecosystem. It is reshaping the way large organisations digitalise, reflecting broader shifts: tech-savvy generations entering the workforce, rapid technological advances and the move towards remote working.

The adoption of SaaS by employees shows no signs of slowing down. It is ‘inevitable’.

As of 2023, global SaaS spending is projected to hit $197 billion, an 18% increase from 2022 (Gartner). KPMG predicts that companies will quintuple their SaaS apps and increase budgets ninefold in the next decade.
By 2031, 80% of business apps will be SaaS-based, up from 13% in 2021.

By 2027, 75% of employees will acquire, modify and create technology outside IT’s visibility. (Gartner 2023)

The reason for SaaS's popularity (and for the spread of Shadow IT) lies in its decentralised nature. Employees leverage user-friendly and often free applications to address their daily challenges independently. This enables them to do their jobs better, stimulating innovation, productivity and efficiency. However, they often bypass IT departments when choosing these applications, which is exactly what the Gartner figure above describes.

Shadow IT is inevitable. […] CIOs that don’t see much shadow IT in their organizations are not looking for it or are looking in the wrong place. (Gartner, 2017)

While SaaS growth and IT democratisation hold immense potential, the lack of governance around Shadow IT has left organisations with risks they neither see nor control. Companies that fail to measure the extent of their SaaS sprawl now lose valuable time in preparing for the coming surge in SaaS usage. It has become urgent for organisations to assess the risk associated with these applications and to implement appropriate security measures.

Shadow IT: the multifaceted risks

IT departments are often only aware of a third of the SaaS applications in use (Gartner Market Guide, 2022), which raises considerable risks and challenges within their organisation. Gartner has revealed that by 2027, those that fail to achieve centralised visibility and manage SaaS life cycles will overspend on SaaS by at least 25% and be 5 times more exposed to cyber risks or data loss.

The risks associated with using SaaS applications can take various forms, such as security concerns, compliance concerns, financial implications, or operational and efficiency challenges.


Security Risks

Shadow IT poses severe security threats because unapproved applications sit outside the organisation's security controls: they are not covered by single sign-on and MFA policies, their logs never reach the SOC, data-protection and backup rules do not apply to them, and accounts are not revoked when employees leave. That makes them attractive entry points for attackers and a common source of data breaches. Randori's State of Attack Surface Management 2022 report reveals that nearly 70% of organisations were compromised through shadow IT in the past year, because the IT department lacked visibility over the assets in use. IBM's 2022 Cost of a Data Breach report adds that 45% of breaches occurred in the cloud, and that the average breach cost $4.35 million.

Compliance Concerns

Shadow IT exposes organisations to compliance risk because these applications escape scrutiny: nobody has checked where the data is stored, which third parties process it, or whether it can be produced for an audit or a subject-access request. Regulations such as GDPR, HIPAA and DORA impose precisely those obligations, and they cannot be met for applications IT does not know exist. Large enterprises subject to rigorous oversight are the most exposed.

In a recent example, in August 2023 the Commodity Futures Trading Commission ordered four financial institutions to pay a combined $260 million for using non-approved communication channels (WhatsApp, Signal…) for business-related communications, in violation of firm policy and of record-keeping requirements.

Financial Implications

Apart from compliance fines and data-breach costs, unknown applications lead to overspending on unused IT resources. According to Gartner, companies will overspend $750 million on unused software features this year alone. This complicates IT budget management, particularly in larger enterprises where 30–40% of the IT budget reportedly goes to applications IT does not know about. The technology budget is therefore underestimated, and enterprise-wide contracts cannot be negotiated from a full picture of usage, which leaves organisations exposed to unfavourable terms imposed by SaaS providers (price increases, unclear renewal conditions, etc.).

Lack of operational efficiency

Shadow IT can affect the information system (IS) and bring unexpected challenges for IT teams, since it is adopted with no planning and outside established IT practices. The technical team is then forced to provide unanticipated support: setting up workflow configurations, identifying risks, managing data, and so on. All of this could have been avoided with prior consultation. The result is that end-users and IT teams are diverted from their core tasks, and friction builds between them: business units blame IT for not providing the necessary tools and visibility, while IT blames the business for failing to follow established guidelines and protocols.

IT departments must address these risks and educate business units more effectively, as they operate in an increasingly complex and regulated environment, particularly in the European market where regulation is stricter.

Trying to fight Shadow IT will prove counterproductive. Instead, CIOs need to provide appropriate advice and support to enable business-led IT.
