by Marc Wilczek

Headache for the CIO: Shadow IT is soaring as LoBs seek greater autonomy

Jul 24, 2017
CIO, Cloud Computing, Digital Transformation

Due to the explosive adoption of cloud and other third-platform technologies, lines of business are relying far less on enterprise IT to fund their technology purchases.

Cloud computing has become the de facto standard for organizations around the globe. In a recent study, McAfee concluded that 93 percent of organizations utilize cloud services in some shape or form. More than 80 percent even embrace a “cloud-first” strategy, in which applications that can be procured as a service or deployed in the cloud are prioritized over those deployed on-premises. Those prioritizing off-premises believe that their IT budgets will be 80 percent cloud services in less than 12 months, while those without such a stringent strategy think it will be closer to 20 months.

However, on the flip side of the “cloudification” trend, lines of business (LoB) are seeking greater autonomy and increasingly making their own technology purchasing decisions without involving the IT department. These “shadow IT” projects are being initiated and financed from the functional area budget without the knowledge, involvement, or support of corporate IT.

Shadow IT is further expanding

Shadow IT is now a well-established phenomenon, the offspring of the broader “consumerization” and “commoditization” of IT. Themes such as BYOD have empowered users to bring along their own devices and applications to the workplace. Cloudification accelerates the trend of commoditizing IT by making it as accessible and consumable as electrical power out of a socket. Storage and computing resources are fairly generic and interchangeable, and providers primarily compete on price. In the blink of an eye, users can commission new services with no friction or any need to worry about the underlying infrastructure. Just a few clicks and off they go.

Moreover, business units are being pressured to go digital, embrace new methodologies, and strive for greater agility. Frankly, people need to get their job done and “official” IT is often still perceived as being a party killer, not being responsive enough, or lacking the necessary tools and capabilities. This is not necessarily correct, but that’s sometimes the perception and reputation, which in turn encourages people to set up an adequate environment on their own. Is this going to change any time soon? Well, the forecasts say otherwise.

In 2017, LoB buyers will spend more than twice as much on software as IT buyers

Gartner predicts that through 2017, 38 percent of technology purchases will be managed, defined and controlled by business leaders. According to IDC’s research, overall LoB spending will reach US$609 billion in 2017, a 5.9 percent growth over 2016. The Spending Guide, which quantifies the purchasing power of LoB technology buyers by examining the source of funding for a variety of IT purchases, also projects LoB spending to achieve a compound annual growth rate (CAGR) of 5.9 percent between 2015 and 2020. In contrast, technology spending by IT buyers is projected to equal a five-year CAGR of 2.3 percent. By 2020, LoB technology investments will be almost on a par with those of the IT department. Interestingly, the higher a service sits in the IT stack, the more likely it is that lines of business are the ones making the call. Due to the rapid adoption of third-platform technology, LoBs are relying far less on enterprise IT to fund their technology purchases. In fact, LoB buyers will spend more than twice as much on software applications in 2017 (US$150.7 billion) as IT buyers (US$64.7 billion).

A growing liability beneath the surface: Security flaws

IT departments are taking a variety of precautions to safeguard shadow services in use, which, however, seems to be an uphill battle. According to the McAfee study, denying access to unauthorized services is the prime choice, but only 27 percent of organizations are enforcing this action. Most tend to support the department’s choice of service with measures such as identity and access management, data loss prevention (DLP) and encryption, or working jointly with the users to find an acceptable solution. Surprisingly, 22 percent have experienced a data breach with their cloud services, but only 24 percent are using DLP and encryption to protect the data, with almost no correlation between the two.

However, this is just the tip of the iceberg. Gartner estimates that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources. To cope with the growing concern, many IT departments are taking corrective actions in an effort to mitigate risks, which include deploying tools to gain visibility and moving toward more active methods of monitoring. McAfee’s research suggests that next-generation firewalls have replaced database activity monitoring as the most common method being used, increasing from 41 to 49 percent compared with the previous year. Utilization of web gateways grew from 37 to 41 percent, and use of cloud access security brokers (CASBs) increased slightly from 32 to 33 percent. Simultaneously, more passive methods of detecting shadow IT activity, such as working with finance or checking license usage, dropped significantly. Overall, only 1 percent of organizations are not monitoring shadow IT usage, down from 5 percent last year.

Going forward

While shadow IT can lead to greater flexibility and speed, and might stimulate the IT department to become more competitive, it also has the potential to create redundancies and become a loose cannon.

Managing and protecting the unknown is simply not possible. To begin with, CIOs can utilize discovery and data protection tools to gain visibility and assess the estate. In a more progressive and collaborative approach, CIOs and their business unit peers should seek close alignment, allowing both to articulate their needs and jointly come up with a win-win proposition that embodies good corporate citizenship. This, for example, may include the blacklisting or whitelisting of services – banning those that violate policies and promoting others that aren’t of concern. Setting up a virtual corporate marketplace is another option that gives users choices to select from, automatically triggers the deployment at the user’s request, and keeps track of what’s happening. A recommendation engine can be powerful too, helping users to navigate and find the service best mirroring their requirements, while simultaneously ensuring that certain standards are being met. In other words, let users control the budget, but give guidance in terms of what’s available on the marketplace and what’s not.

CIOs should listen to their user communities and act as an advisor, enabler, broker, and orchestrator of business services. Rather than reactively responding to shadow IT, smart CIOs will apply a more proactive strategy by constantly striving for competitiveness of the IT department, building a cloud ecosystem with pre-approved vendors, managing SLAs, and continuously enhancing the service catalogue, so that users understand their benefits when working with corporate IT and don’t even feel tempted to be “unfaithful.”

Savvy LoB leaders, on the other hand, understand that setting security standards and enforcing policies are far from being just a necessary evil. Since a data breach can cause severe long-term damage, these are crucial components to protect the organization against rising cyber threats. This is even truer in the digital era in which business models are based upon one common denominator: trust.