Earlier this month, Cisco announced the results of a new study on shadow IT — software or apps downloaded and used inside an organization without explicit organizational approval. Some of the results were alarming. According to Cisco, most CIOs greatly underestimate the number of unauthorized apps and services on their network.
For example, the typical firm has 15 to 22 times more cloud applications running in the workplace than have been authorized by the IT department, Cisco estimated. On average, CIOs said there were likely about 51 cloud services running within their organizations. The actual number? About 730, Cisco found.
The proliferation of shadow IT is not surprising. The broad range of technologies and apps available today means people can generally get anything they want anytime they want it. Why go through the pain of getting something approved by the IT department? And why struggle with outdated tech to perform a job when there are great new tools available and ready to download at the press of a button?
“IT has lost control here, because organizations, lines of business are saying I can go to the Web and get an application or a service within minutes and start being productive,” said Bob Dimicco, global leader and founder of Cisco's Cloud Consumption Service practice.
Shadow IT dangers
The downside: Shadow IT can cause a number of issues within an organization. First and foremost are security dangers. If CIOs aren’t aware of a technology being used within their organizations, how can they control it? Outside applications and software are often not subjected to the kind of security scrutiny that in-house software and applications go through. As a result, an employee could accidentally open the company up to data theft, among other threats.
Secondly, because CIOs don’t control shadow IT, it’s likely that services and software for common processes will be duplicated within an organization. Not only is this wasteful, but it can also erode efficiencies.
If you can't beat 'em...
Some experts think CIOs should try to block shadow IT, while others believe that’s just not realistic anymore. Instead, CIOs need to figure out how best to manage shadow IT. What are some strategies CIOs might use to manage it?
First, experts suggest conducting an inventory to identify exactly what’s being used. That means monitoring the network to see what new devices appear. Next, analyze any shadow IT that's found. Prioritize apps or software that pose the biggest risk to the organization and deal with those first.
Once any initial dangers have been mitigated, establish and communicate guidelines for shadow IT. Employees are rarely looking to buck the system or cause problems — they either don’t know what they are doing is wrong, or they can’t get the app they need to perform their jobs effectively, so they seek it out on their own.
Dimicco advises that CIOs listen to what employees need and work with them to find solutions. Cisco, for example, has set up a catalog of approved cloud services that users can select from, he said. That way, employees get more choices, yet those services are known by the CIO and have gone through at least some sort of vetting process to ensure they don’t pose a danger to the organization.
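The inventory, analysis and prioritization steps described above can be run against web proxy logs and checked against a catalog of approved services. The following is an added example, not code from Cisco or the original article; the log format, the domain names, the catalog contents and the ranking by upload volume are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed catalog of approved cloud services (hypothetical domains).
APPROVED = {"approved-crm.example", "approved-mail.example"}

# Constructed proxy log sample: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-01-15T09:01:12Z alice files.approved-crm.example 1200
2024-01-15T09:02:40Z bob sync.unvetted-storage.example 48000000
2024-01-15T09:03:05Z carol sync.unvetted-storage.example 2500000
2024-01-15T09:04:51Z bob notes.unvetted-notes.example 9000
2024-01-15T09:05:13Z dave approved-mail.example 300
malformed line without enough fields
2024-01-15T09:06:30Z alice NOTES.unvetted-notes.example. 4000
"""

def service_of(host):
    """Reduce a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_shadow_it(log_text, approved):
    """Inventory services missing from the approved catalog, riskiest first."""
    users = defaultdict(set)
    uploaded = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records rather than guessing at them
        _, user, host, nbytes = fields
        svc = service_of(host)
        if svc in approved:
            continue  # already vetted, not shadow IT
        users[svc].add(user)
        uploaded[svc] += int(nbytes)
    report = [
        {"service": s, "users": sorted(users[s]), "bytes_out": uploaded[s]}
        for s in users
    ]
    # Assumed priority: most data leaving the organization first, then most users.
    report.sort(key=lambda r: (-r["bytes_out"], -len(r["users"]), r["service"]))
    return report

if __name__ == "__main__":
    for row in find_shadow_it(SAMPLE_LOG, APPROVED):
        print(f'{row["service"]:28} users={len(row["users"])} bytes_out={row["bytes_out"]}')
```

Services at the top of the report are the ones to review first; those that pass vetting can be added to the approved catalog so they drop out of later runs.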