Most CIOs have an inkling that employees in their enterprise have snuck a few applications past the IT department, but a new study by Cisco indicates that they are vastly underestimating the extent that unauthorized apps and services have infiltrated the network.
Consulting with CIOs and analyzing network traffic in a set of large enterprises in a variety of industries, Cisco determined that the typical firm has on the order of 15 to 22 times more cloud applications running in the workplace than have been authorized by the IT department.
[ Related: Why the Enterprise Cloud Needs Shadow IT to Succeed ]
That level of pervasive shadow IT can create new security threats and introduce considerable waste into the enterprise, as employees in different business lines purchase duplicative services for common processes like storage and collaboration.
"If they can't see these cloud services being consumed, they can't see the risk that's being incurred," says Bob Dimicco, global leader and founder of Cisco's Cloud Consumption Service practice. "[If] you can't see it, you really can't manage it."
And by Cisco's tally, there is quite a bit that CIOs aren't seeing. On average, CIOs surveyed estimated that there were 51 cloud services running within their organization. According to Cisco's analysis, the actual number is 730.
[ Related: How CIOs can reduce shadow IT in government ]
The lion's share of the unauthorized cloud applications that Cisco identified fall into the categories of Software-as-a-Service or Infrastructure-as-a-Service, with platform-level applications a distant third.
And it cuts across sectors. Even in highly regulated industries such as healthcare and financial services, Cisco found between 17 and 20 times more cloud applications running than the IT department estimated.
"The shock to the CIO was the magnitude and the pervasiveness," Dimicco says. "What was news here was, wow, this is happening in every industry, and in every industry the magnitude was much larger than what people expected."
Factors contributing to the rise of shadow IT
Cisco points to a confluence of factors that have led to the rise of shadow IT, which Dimicco boils down to two overarching trends -- "hyper-connectivity" and what he calls "hyper-distributed clouds," where data can reside across an interconnected set of public and private deployments.
"These are creating some unique problems for the CIO," Dimicco says. "[T]he CIO looks at this landscape -- it's very different than what it was a couple years ago."
[ Related: Hillary Clinton is now the face of shadow IT ]
Indeed, Cisco has documented a 21 percent increase in the volume of applications in use in the large enterprises it tracks just from the second half of 2014 to the first half of this year.
How CIOs can deal with shadow IT
So how is the CIO to respond to the surge in shadow IT? Dimicco outlines two broad options, and sees a clear choice.
On the one hand, CIOs can turn a blind eye to the problem and continue to provision cloud services as they have been, which, it seems clear enough, is not meeting the needs of end users.
Alternatively, he suggests that CIOs and other enterprise leaders rethink how their organizations approach IT on a fundamental level, and consider setting up new governance structures that would help bridge the gap between lines of business and the tech department.
"Rather than trying to stop it, I'm going to look at it and say this represents hybrid IT," he says.
"It starts with discovering and identifying what's being used," Dimicco says, "and then taking that data and applying it to an informed cloud strategy so the IT organization can be a broker."
Dimicco notes that some organizations -- including Cisco -- have established something like a cloud governance board to help rein in shadow IT and ensure that end users are getting the applications and services that they need to do their job. CIOs can help that effort by setting up a catalog of approved cloud services that users can select from to speed up the provisioning process.
"It's really clear, employees and lines of business have spoken -- they want choice, they want greater speed and agility," Dimicco says. "IT has lost control here, because organizations, lines of business are saying I can go to the Web and get an application or a service within minutes and start being productive."