Bring shadow IT into the light: Discover, assess, approve and educate

By Hector Hernandez

Most CIOs know that shadow IT refers to public cloud applications and services used internally without IT department knowledge or approval. However, many don't know about, or greatly underestimate, the prevalence of shadow IT in their own organizations. A study conducted by IBM Security found that one in three Fortune 1000 employees save and share company data to third-party cloud-based applications that are not explicitly approved by their organizations. And, data from Skyhigh Networks indicates shadow system usage is at least 10 times the size of known cloud usage.

It's easy to understand why shadow IT is growing. Public cloud solutions — including software-as-a-service applications or infrastructure-as-a-service solutions for application development and deployment — let employees quickly help themselves to the capabilities they need, without waiting for IT to deploy a solution internally.

Avoiding the wait is significant. Employees can start to use a shadow solution in as little as a few minutes, whereas the CIO-approved timetable for deploying a solution is measured in months — sometimes many, many months.

However, employees aren't the only ones driving this growth. Increasingly, tech-savvy CMOs and line-of-business (LOB) managers are proposing strategic, revenue-generating projects that specify adoption of cloud-based services — and are getting tacit or explicit approval from CFOs to circumvent the CIOs and provisioning their teams with the services required to get their jobs done.

Stuck in the middle

All of this puts the CIO in a high-stakes, damned-if-you-do, damned-if-you-don't situation. Putting the kibosh on shadow IT hamstrings the company's ability to respond to opportunities. Yet playing along exposes the business to serious security risks, growing IT sprawl and potential cost overruns — all of which are a CIO's responsibility to control or avoid.

What CIOs need is a way to let teams benefit from the speed and efficiency of helping themselves to cloud services, while simultaneously minimizing the risks that come from a lack of visibility into those services. In a nutshell, CIOs need to govern IT, not block it.

Out of the shadows

Governance allows CIOs to get visibility into and control over shadow IT. A good governance framework should include the following aspects:

  • Discovery of public cloud services in use, for what and by whom: Discovery tools can trace and identify services that may be contributing to network overuse or cost overruns, or enable proactive discovery of them before they cause problems.
  • Assessment of services for security risks: Data breaches resulting from shadow services can lead to loss of revenue, damage to brand and reputation, regulatory penalties and more. CIOs need to determine the risks associated with each service in use and replace high-risk services with safer alternatives.
  • Cataloging of approved services: Once public cloud services are approved, CIOs can add them to their IT catalogs, either individually or as part of specific solution blueprints, so that users can access and deploy them with a few clicks. In other words, CIOs should make approved, governed services as easy to use as unapproved, ungoverned services.
  • Education on the benefits of governance: Unapproved IT usage happens because LOB management and employees, who are just trying to do their jobs as efficiently, quickly and inexpensively as possible, don't fully understand the potential risks of using unapproved solutions and don't know that approved solutions exist. Any effective governance program must continually educate and update employees on the existence and benefits of the safe solutions that are included in the catalog and the risks of solutions that aren't.

Ultimately, the right governance can transform shadow IT into a safe, transparent, cost-effective and instantly-accessible arsenal of cloud capabilities your teams can use to respond rapidly to new opportunities — and use to disrupt your industry.