The risks and rewards of shadow IT
Last August, Cisco released a study that found companies use up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorized.
Specifically, Cisco found that IT departments estimate their companies are using an average of 51 cloud services, when the reality is those organizations are using around 730 cloud services.
Known as shadow IT, these unauthorized technology systems and solutions are employed in an organization without explicit approval from a company’s tech leadership.
"Shadow IT was born out of the need to deliver value faster to the business," said Ajeet Singh, CEO at ThoughtSpot. "It started with business leaders accelerating the software acquisition process thanks to simpler delivery and deployment models. But today, the impact has grown as we’ve seen more and more value created from self-service products designed for front-line business users."
Many view shadow IT as a risky undertaking. For example, Dropbox or Google Drive can make it easy for people to share files from wherever they are, on any device. But as a result, explained Steve McGregory, director of Application and Threat Intelligence at Ixia, company digital assets are being stored on non-IT controlled systems.
"Therefore, IT has lost the ability to protect these assets," said McGregory.
"By its very nature, shadow IT exists to circumvent IT governance and security controls by employees believing they’re doing something beneficial for the company," said Rick Orloff, vice president and chief security officer at Code42. "The painful truth is that shadow IT is one of the leading causes of insider data threats across any organization."
There can be significant dangers associated with shadow IT, including poor IT governance, unnecessary exposure to security breaches and significant privacy risks.
For example, "a marketing organization could end up exporting their entire internal customer list to a cloud-based marketing automation platform that doesn’t encrypt sensitive data," said Thomas Phelps IV, vice president of corporate strategy and CIO at Laserfiche.
Of course not all shadow IT use is intentional.
"Many non-IT people have no idea that they are running a shadow IT activity, much less consider all of the safeguards they should have in place," said McGregory. "Shadow IT can be unintentional, like using your own software application on company servers, or it can be as intentional as setting up unapproved applications that a business unit wants to run to support their operation."
"Either way," McGregory said, "they can open vulnerabilities to a network and enterprise with a lack of IT oversight."
Shadow IT does not discriminate
Experts agree that shadow IT can exist across all types of companies, large or small. But the smaller the organization, the more likely they are to live by shadow IT.
"Small companies tend to have fewer lock-downs, policies and restrictions," said McGregory. "This enables shadow IT to take on a more significant role."
While large companies have more restrictions, with multiple sites, distributed IT and siloed business operations, users can easily find ways around established IT policies.
Therefore, larger corporations tend to have the greatest risk, said Orloff. "That’s because there are more departments with budgets to deploy technology on their network, or subnet."
Most businesses likely do not know the extent of shadow IT until they perform audits or gain insight into what’s going on in their network.
Curbing shadow IT use
CIOs should keep three things in mind when dealing with shadow IT, said McGregory—vigilance, awareness and training.
"Even in large companies, IT tends to be distributed to service local groups. Having teams keeping their eyes and ears open to systems and behaviors that look out of the ordinary is a good place to start. Training is key to ensuring IT and non-IT people know what they can and cannot do," said McGregory.
CIOs can also audit their network, people and devices to learn what’s going on in their company.
"In order to reduce shadow IT, CIOs and their IT teams need to fully understand what resources employees need to be effective in their jobs and stop looking for reasons to say no," said Orloff. "It’s important for CIOs to focus on the technologies employees need to be productive, as well as understanding what technologies IT and security teams can deploy that give them the visibility into where data lives, when and where it moves, and who may have moved it—all while having the confidence that their data is continuously protected and recoverable in real-time."
Bill Berutti, president of the Cloud, Data Center, and Performance Businesses at BMC, suggests that instead of being threatened by shadow IT, CIOs should learn from it.
"By working closely with business stakeholders, CIOs and IT teams can understand what solutions employees are using and provide advice on using them securely," said Berutti. "This approach enables the best of both worlds—highly productive employees that have the innovative IT tools they need to best do their job in a highly secure manner."
Accepting shadow IT in the workplace
Loathed or loved, shadow IT is not going away anytime soon.
A recent Gartner report suggests that "CIOs and leaders of IT shared-service organizations must actively engage with, support and shepherd what is currently referred to as ‘shadow IT,’ rather than ignoring it, denying it or trying to suppress it."
So,if you can’t beat them, join them.
"CIOs need to forge strong business relationships so they have a seat at the table when decisions to acquire new software—and especially cloud services—are made by business stakeholders," said Phelps. "This way, CIOs can help drive appropriate IT governance, including appropriate vendor due diligence and contract management processes."
Already, the notion of shadow IT appears to be losing relevance in today’s digital era. Apps and services that were once seen as rogue are now viewed as innovative tech, which can contribute to a corporation’s capability to deliver new revenue streams, open new markets and increase employee productivity, said Berutti.
Zach Holmquist, CTO and co-founder of EventBoard, predicts shadow IT may eventually change the traditional IT model, as companies begin to take a bottom up approach to IT within the workplace.
"The traditional role of IT and facilities will begin to change as they shift to work alongside employees to craft a more personalized and mobile workplace," said Holmquist. "Companies like Slack, Evernote and BlueJeans will become more visible in the work space, offering up a certain simplicity and accessibility not offered by typical enterprise software."