Although shadow IT isn’t new at all, its character has changed and it is potentially becoming more threatening to the CIO. Cloud services outside control of the CIO may create security and continuity risks. Who will be blamed in case of a serious security breach or continuity issue? I am afraid it’s still the CIO.

How to handle this?

The past

Shadow IT is defined as all IT outside control, budget and often outside view of the central IT department. It has existed already for decades and most probably will always be there.

In the past shadow IT consisted of incidental purchases and installations of hardware or software  without consent of the central IT department. Due to limited decentral IT budgets, the expenditure of shadow IT was relatively small, as was its impact and risks. Owners and users were usually very positive about ‘their own’ shadow IT. It served its purpose well and they considered it their baby. When there was a problem, they didn’t dare to complain – knowing their baby was in its sort, an illegitimate child.

CIOs who tried to forbid or block this old style shadow IT made themselves far from popular. Therefore most CIOs were inclined to tolerate this old style shadow IT and ignored it as long as it didn’t become a serious problem.

What changed?

Since  then, mobile devices such as laptops, smartphones and tablets were introduced. To create maximum flexibility, organizations adopted the BYOD (bring your own device) approach and allowed company software to be installed on user owned devices.

Access to company systems was granted to devices outside control of the CIO department. Security became a serious issue.

Cloud services became available that offer solutions that are fit for purpose, cheap, and easy to purchase and deploy: a credit card and a few clicks was enough. Consent or even awareness of the CIO wasn’t needed. A new species of shadow IT was born.

Figures

83% of IT-users admit using shadow IT. 80% of IT managers believe they have successfully blocked Dropbox. In reality only 16% has. (Survey Skyhigh Networks 2015).

CIOs believe they control 80% of total IT spend. In reality it’s 60% (Forbes 2014).

80% of CIOs don’t know the extent of shadow IT in their organisation, 72% added that they would like to know. 23% of the IT budget is currently spent on cloud services, 7,2 % is spent on shadow cloud, in other words: one third of the total cloud services in use, has been deployed outside control of the central IT organisation (Forrester, 2013).

New risks

Mobile devices are sometimes stolen, lost or left unattended at a bar. When no central security system or policy is applied this may result in unwanted access to company systems. No hacking skills are required.

When a user leaves the organization and corporate IT deprovisions that user in its directory, nothing happens in the shadow IT user directory. If this is not remedied by whoever manages the shadow IT solution, this former employee maintains access to potentially sensitive data (potentially a huge security risk) while the organization is still paying for it.

In the past shadow IT was typically a minor independent initiative within a department. Modern shadow IT cloud systems are widely spread and used across organisations. Business is becoming more and more dependent on the reliability of shadow IT services. Many users are unaware that these services are outside control of the department of the CIO. In case of failure the organisation will point to the CIO. ‘I didn’t know’ or ‘It wasn’t my responsibility’ won’t be accepted as excuse.

Unlike old style shadow IT, cloud systems communicate with clients, suppliers, business partners and/or public media. Incorrect, sensitive, private or other undesirable information could be communicated to clients, competitors, financial analysts and public media, without the CIO knowing it.

Again ‘It was outside my control’ won’t be accepted.

In organizations where innovations are delivered by shadow IT, the relevance of the CIO department and its influence on strategic decisions may be reduced.

How to deal with it?

What should a CIO do to deal with these issues?

1. Don’t ignore shadow IT. Don’t wait for issues to happen. Take action now.
2. Look shadow IT right in the face. Assess the current situation (functions, systems, risks, cost) of your shadow IT ASAP. How? There are skilled consultants and useful software tools around to help you collect relevant information in a short period of time at a limited expense.
3. Don’t try to block shadow IT. Your colleagues will be smart enough to find a way to go around your blockade.
4. Build a cloud strategy. What cloud services does your organisation really need? Which products and services could deliver the required services? Which ones perform sufficiently in terms of security and availability? Make choices based on what people are already using.
5. Build a menu of available services. As long as your menu covers all needs, there is little reason to use something else.
6. Build/extend a security policy that includes safety measures taking into account that mobile devices are stolen, lost or left unattended and that services are deprovisioned when people leave the organisation. Communicate your security policy properly to change people’s attitude and behaviour.

Thanks to Reinoudt van Rijckevorsel, the shadow IT expert who provided much valuable information.