Back in 2011, industry experts warned of an increase in unauthorised IT systems within organisations as IT departments failed to keep pace with employees’ technology demands and the consumerisation of IT. Four years later, shadow IT continues to rise. In a recent survey, PricewaterhouseCoopers found that between 15 and 30 per cent of IT expenditure is taking place outside the official IT budget. By 2020, Gartner predicts that this figure will grow to 35 per cent. What does this mean for CIOs?
The uninformed CIO
Unfortunately, CIOs are underestimating the extent of shadow IT within their organisations. According to a Cisco study, the number of unauthorised cloud applications being used in the typical enterprise is 15 to 22 times more than CIOs estimated, with the majority of these apps falling into the SaaS and IaaS categories. Even in heavily regulated industries such as healthcare and financial services, Cisco found between 17 and 20 times more cloud apps running than had been authorised by the IT department.
This means that the risk and added costs attributed to shadow IT are also significantly underestimated. Such levels of pervasive shadow IT can create new security holes unknown to IT staff, exposing corporate data to outside services and leaving the enterprise vulnerable to brute force attacks. What’s more, shadow IT introduces considerable waste into the enterprise, as employees in different business lines procure duplicative services for common processes like storage and collaboration. This greatly increases the costs of IT operations overall.
And it doesn’t get any better for CIOs. New research from analyst firm Frost and Sullivan found that shadow IT is not the result of ‘rogue employees looking to rebel’, but rather the IT department’s inability to deliver technology that users actually need. Frost and Sullivan reported that 49 per cent of line of business employees are more familiar and comfortable with their unapproved application, and are therefore able to do their job more efficiently. Another 38 per cent of employees blamed ‘slow or cumbersome IT approval processes’ for the need to purchase the service elsewhere.
Controlling the uncontrollable
The likelihood that shadow IT can be completely eradicated from the enterprise is extremely slim. CIOs need to accept the fact that they can’t prevent the incursion of mobile applications and devices, and instead shift their focus and resources to risk management. However, this requires the IT department to give up some control – a tough ask for CIOs reared in a world where IT held unrivalled influence over infrastructure and applications. But as we discussed in a previous blog post, enterprise IT can no longer effectively operate as a ‘dictatorship’ in the hyper-connected era. CIOs must lead a new kind of IT department – one that acts as an internal service provider and a connector between the business and technology.
This requires the IT department to expand the portfolio of approved applications and cloud services it offers to end users. Bob Dimicco, global leader and founder of Cisco’s Cloud Consumption Service practice, suggests that CIOs start by “identifying what’s being used, and then taking that data and applying it to an informed cloud strategy so that the IT organisation can be a [service] broker”. CIOs should work with other business leaders to set up new governance structures that help to bridge the gap between the IT department and other lines of business. By meeting employees’ demands for choice, speed and agility, CIOs will be able to reduce the need for them to circumvent IT in order to perform their work duties.
Out from the shadows
Shadow IT isn’t slowing down anytime soon, and CIOs can’t afford to keep their heads in the sand. The IT department that formally embraces and extends the digital competencies of employees will thrive; the IT department that fights this new IT ‘democracy’ will lose relevance.
To find out how you can identify and manage risks associated with shadow IT in your organisation, download our complimentary whitepaper: ‘Security in a world with no parameters: A business-centric security architecture’.