How much of a threat does shadow IT really pose?

The long, dark shadow of the cloud

Shadow IT has always been in the background. So why has it suddenly been spotlighted as a top strategic challenge for CIOs? Departmental budget holders have often opted to 'do their own thing' and invest in an application behind the backs of the IT department. Perhaps they have disagreed with the direction that IT has taken – or maybe IT hasn't understood the specialist nature of their work.

But the difference now is the scale of the problem. The cloud and the rise of Software as a Service (SaaS) have made applications easy to download, bypassing a company's infrastructure and more importantly, their control. Suddenly, it's so easy.

In a survey sponsored by McAfee, more than 80% admitted to using non-approved SaaS applications in their jobs. It used to be just the managers in companies so large that their maverick moves weren't noticed. Now, it's everybody, including those working for SMEs.

It's easy for the IT department to feel – well – a tiny bit slighted and throw their hands up in horror. But how much of a threat does shadow IT really pose? And is there anything they can do other than taking draconian measures?

Consumerisation of IT

First off, it's useful to scratch beneath the surface of what's happening here. Many small businesses have been cutting overheads and postponing the updating of IT infrastructure over the past difficult years. At the same time, the consumerisation of IT means we are often using more advanced technology in our personal lives than we are at work. As a result the apps we download at home are filling gaps in outdated IT infrastructure at work.

So far from being rebellious, the Shadow IT culprits are often just doing their job. After all they are encouraged to use their initiative and if it's a balance between upsetting a valued client because they haven't delivered something, or the IT manager – guess who they will choose. After all, they've been lectured on security so many times they may well have 'warning fatigue'.

It's hard for IT to admit, but there just may be another side to the coin. Have they listened to what the rest of the business is saying? It doesn't really seem like it, if everyone is downloading their own applications.

Of course it depends on the nature of the business, but it is possible to overstate the case for security. It could even be an excuse for not doing anything. Of course personal data from staff or customers needs to be fiercely protected – for compliance purposes if nothing else. Also, nobody would want a company's intellectual property to be shared with competitors. But, let's be honest here, is the real risk that IT is concerned about losing control – or even their role and status?

It's all to do with the cloud. The IT team are no longer needed to maintain and support the infrastructure, and shadow IT underlines this change. But this is short-sighted. It's unconceivable to think that, in this digital age, businesses don't need specialist technical expertise at the very highest level. Think of it this way; these days IT professionals are wasted merely 'keeping the lights on'.

Subtly does it

So how can the issue be addressed in a more subtle way? Here are a few suggestions:

  • Take an objective approach and take note of what is being used. You will have some valuable information and an accurate indicator of what the business actually needs. This can form the basis of future strategic planning
  • Seek out consultants who specialise in supplying SMEs. They will know the products currently on the market that are tailored for this size of business and that can provide a better experience than consumer-targeted apps. There are widely available alternatives which can be integrated with the company infrastructure
  • Aim to achieve the right balance between security and accessibility according to the nature of your business. Security must be your main concern, but be clear about what you are trying to protect and what would be the consequences of a breach
  • See the situation as a wake-up call on improving internal communications. Could you have explained the risks better? IT departments must become better listeners, but also become more adept at explaining their side of the story
  • Don't resist change. Be prepared for a path of continuous development and ensure that future implementations are business-led, rather than technology-led

Businesses need to guard against losing control of their data and shouldn't encourage the continual download of consumer-style apps that use the public cloud, especially if the data is sensitive in any way. However, nor should they swim against the tide. The best approach is to see the issue as a learning process – and then find a more business-focused and secure alternative.

  • Jamie Marshall is Chief Technology Officer at Calyx