Companies are using up to 15x more cloud services to store critical company data than CIOs were aware of or had authorized according to a study conducted by Cisco. This statistic helps conceptualize the pervasiveness of shadow IT. Simply put, shadow IT is a reality of doing business.
With a smartphone full of apps in every pocket, a cloud application a few mouse clicks away, and employees caring more about getting the job done than pleasing IT, it’s to be expected that ‘unapproved’ apps will be used quite often. Is that inherently a bad thing? What’s a CIO to do when confronted with the challenge of addressing shadow IT while maintaining productivity and security? To answer these questions, it’s best to consider both the pros and cons of shadow IT.
Shadow IT, by definition, is technology not regulated, provisioned, or formally approved by an organization’s IT team. Given that, there are often concerns about security, effectiveness, and reliability when discussing shadow IT and the use of unauthorized apps. Statistics indicate that these concerns are valid. According to a study by Frost & Sullivan, ‘You can expect that upwards of 35 percent of all SaaS apps in your company are purchased without oversight’.
In a world where malware can take down systems in the blink of an eye, one wrong move can put an organization outside of PCI, HIPPA, or Sarbanes’Oxley, that can be a scary thought. A well intentioned-user can end up doing more harm than good and at the end of the day IT, and more specifically the CIO, will be on the hook.
Beyond those potentially business-crippling consequences, there are some sneakier costs associated with shadow IT. In this Michaels, Ross, & Cole blog post they discussed some hidden costs including overpaying for licenses and investing time and money into the wrong solution. It’s bad enough when the budget takes a hit for software that doesn’t meet corporate standards, but even worse when the software does nothing to solve a business problem.
That loss of time is something you can never get back. Given all the risks and potential hidden costs associated with shadow IT, it seems like a forgone conclusion IT teams everywhere should be auditing their networks and saying, ‘let’s become more strict and stop the use of anything unapproved, no excuses, no exceptions’ right? Not exactly.
The aforementioned Stratecast | Frost and Sullivan study was referring to applications being used by members of the organization trying to get their job done. They were using shadow IT for a reason. A reason that may have solved a problem the ‘approved’ corporate program could not. One of the more common motivators for a user of shadow IT to choose an ‘ unapproved’ app is because it is more efficient and effective than what the IT department has chosen, and chances are pretty good that the employee hired to play a specific role may know a bit more about the tools of their trade than IT.
In a previous post, we talked about these ‘superusers’ and how IT teams can leverage their choices to make decisions that benefit everyone. In a nutshell, modern IT teams should determine what shadow IT applications are being used and why. This doesn’t just apply to ‘super-users,” but they are a great microcosm of the bigger picture.
From the perspective of a user, and arguably an objective observer, apps should be judged by their utility to the company, not by their presence on a list of approved apps. Denying talented people access to the best tools possible as a knee-jerk reaction just isn’t good for business or morale.
Shadow IT has its pros and cons, but what can be done to address the issue? It seems like on one side, IT teams have an incentive to be risk-averse, while users have an incentive to get the job done and step outside of the box to do it if needed. This creates situations where users of shadow IT aren’t quick to ask for approval, especially if the approval process hampers productivity and runs the risk of losing access to an app they need to get a job done. Such circumstances can create a combative relationship that isn’t beneficial to anyone.
IT teams can address this by creating an environment that breeds trust and cooperation. Finding a way to leverage monitoring, surveys, and good old-fashioned open dialogue to work with users is important. The objective should be to get approved apps implemented where shadow IT just isn’t going to be secure, sustainable, or dependable enough for corporate use and learn where the organization as a whole can benefit from ‘authorizing’ a new app.
Both sides will need to be open minded and willing to find compromises that are best for business. Taking this balanced approach will create a culture much more conducive to productivity and cooperation than simply outright banning anything currently unapproved or turning a blind eye to the situation altogether. Listen to your ‘superusers’ and see if you can come together to bring good apps out of the shadows. As Tracy Cashman, Senior Vice President and Partner at WinterWyman Executive Search said,’ more progressive CIOs know that, given today’s technology and the increasing savvy of the business, it’s in their best interest to embrace shadow IT.”