Why CIOs Shouldn’t Block Rogue Cloud Apps

Employees at a pharmaceutical company went rogue using a cloud service provider to crunch clinical trials data, only for the CISO to discover later that the company was out of compliance because HIPAA data was potentially finding its way into some of the loads — and so he blocked HIPAA data from uploading.

“I’m sure they’re not the only ones,” says Jaime Barnett, vice president of marketing at Netskope, a cloud apps analytics company, who related the incident.

Business users at another company signed on with a cloud service provider without IT’s knowledge and made the mistake of assigning one of their own as the sole admin — a single point of failure, in the parlance of the tech set. It’s something IT would never have done nor allowed. When the admin abruptly left the company, business users were forced to scramble.

Rogue Apps Can Bite the Business (and Users) in the …

“Some things that come back to bite the business also come back to bite the users,” says Sanjay Castelino, vice president of marketing at Spiceworks, a network for IT professionals, who related this incident.

If you think these horror stories are a rallying cry for CIOs to seek out and destroy rogue projects, it’s not. These stories came out of this week’s CITE Conference and Expo in San Francisco, specifically at a breakout session entitled “Let Your Users Go Rogue Without Going Off the Range,” where panelists made up mostly of marketing executives argued for CIOs to help rogue projects be more successful.

[Related: Even ‘Rogue’ Clouds Can Be Secured, Experts Say]

In the age of cloud services and mobile apps, rogue projects are flourishing. Enterprises have an average 461 cloud apps running in their organizations — nine to 10 times IT’s estimate — according to Netskope’s cloud report, which looked at billions of transactions across hundreds of thousands of users.

A whopping 85 percent of these apps aren’t enterprise-ready even though many are business critical. Apps span everything from CRM to business intelligence to software development.

CIOs wanting to block these rogue cloud apps face an uphill battle.

“Blocking doesn’t work, blocking breaks business process,” Barnett says. “Ninety percent of usage is in blocked apps.”

Why Cloud Vendors Should Befriend the CIO

Part of the problem is that the CIO is brought late in the decision process, if at all. Many cloud service providers at the CITE Conference admitted to courting end users directly, thus bypassing the IT department’s slew of security requirements, service-level agreements and other technical hurdles.

But cloud service providers and app makers can benefit greatly from a CIO, such as ushering the rogue tech throughout a company. Speaking to CITE Conference attendees, Bret Taylor, CEO and co-founder of Quip, a mobile word processing app with built-in collaboration capabilities, says engineers at a company were using Quip without the CIO’s knowledge. After the discovery, the CIO called Taylor, wanting to talk.

“Quip went to 100 percent of the company in two weeks,” Taylor says.

In addition to cloud service providers, line-of-business managers hesitate bringing in the CIO out of fear of being blocked. If CIOs can remove this fear, Barnett says Netskope’s research shows business users are willing to work with the CIO to set and enforce policies. After all, they don’t want to suffer the blowback from a rogue tech project that puts the company at risk.

[Related: CIOs Must Become Technology Consultants]

To this end, CIOs need to become more like internal consultants to the business, advising business leaders how to adopt a cloud service while still maintaining compliance and security. CIOs can act as a kind of cloud services broker playing a role in admin accounts, contract negotiations, user access rights and other technical details.

Spiceworks Castelino says CIOs can be pivotal in assessing and laying out the risk for each option and then letting the business user decide the course of action. While this wouldn’t necessarily take liability off of the IT department, he says, the CIO can ward off trouble as a respected partner in the decision-making process.

“IT can be like a company’s general counsel,” Castelino says.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at tkaneshige@cio.com