Teams today rely on a growing mix of digital tools, from standard business software to niche platforms and generative AI apps. This shift has brought flexibility and speed, but it’s also created new challenges for IT.

One of the biggest issues is the rise of shadow IT. Employees often plug in new tools without going through proper channels, using apps the IT department may never have even heard about. This presents a dilemma for the CISO. Clamping down on shadow IT risks denting company-wide productivity, but allowing too much freedom invites danger on the cybersecurity front.

That being said, security and productivity don’t necessarily have to pull in opposite directions. After all, most employees using shadow IT aren’t trying to cause problems but instead are trying to overcome challenges related to their own efficiency. According to a recent study, up to 80% of staff surveyed said they’d resorted to using unsanctioned software out of convenience – presumably because the tools their company had leased in the first place were slowing them down.

Rather than blocking tools outright, CISOs and CIOs should instead be finding out what kinds of unsanctioned tools staff are using, and why. Gaining visibility into these patterns will, in time, help the IT department make smarter decisions about which apps to support, consolidate, or retire, as well as align more effectively with the priorities of their colleagues. 

Set guardrails that flex

But not all departments will work in the same way. The software used by a data analyst, for example, won’t be the same as that used by marketing. Executives, too, might need wider access than new joiners. Blanket restrictions can frustrate teams and lead to more end-runs around policy.

Instead, CIOs and CISOs should be crafting access rules that reflect different roles or departments. Product teams might need a broader toolset, while others may require more limits. This allows you to manage risk without standing in the way of progress.

Equally important is how you communicate policy. If someone tries to access an unapproved app, a clear message explaining the risks, such as data protection or compliance issues, along with a link to the preferred alternative, can make a big difference. These kinds of nudges help reinforce good habits without being punitive or overly technical.

This is particularly relevant in the context of AI. Around 73% of knowledge workers are already using AI tools in their day-to-day work, but only 39% of organisations have formal governance in place. Uploading sensitive information to a public chatbot might seem harmless, but it can violate regulations like GDPR or HIPAA. Instead of blanket bans, giving employees clear guidance supports both innovation and safety.

Don’t ignore the cost angle

There’s also a financial case for managing SaaS more tightly. Left unchecked, SaaS sprawl can quietly eat into budgets. Teams might be paying for overlapping tools, forgotten subscriptions, or licences that never get used. When apps are spread across several platforms, it’s harder to track usage or spot waste.

By getting a clear view of what’s in use and consolidating where it makes sense, organisations can often cut spend without impacting productivity. It’s not about restricting access. It’s about making sure every tool adds value.

Productivity and protection can go hand in hand

The idea that you must choose between keeping things secure and keeping people productive is outdated. A well-managed SaaS environment should do both. For CIOs and CISOs, that starts with obtaining a firm understanding of the software teams across their company are actually using, why they’re using it, and where the risks really lie.

Employees want to do their best work. IT’s role is to help them do that safely, efficiently, and in line with company policy. When IT is seen as a partner rather than a blocker, the whole organisation benefits.

With the right systems and mindset in place, IT doesn’t have to be the department of ‘no.’ It can be the team that helps everyone say yes to better tools, stronger safeguards, and smarter decisions.

Greg Keller is the co-founder and chief technology officer at JumpCloud