Twenty years ago, shadow IT was barely a blip on most CIOs radars (in fact CIOs were pretty new at the time and the CISO role had barely been invented). Most LANs weren’t connected to the internet and, if they were, there was little fear of hackers infiltrating the corporate network.
When shadow IT did occur, it was the purview of super-users who had the blessing of a VP to go around IT and set up the infrastructure and applications the VP needed to produce the results their boss was demanding.
The other most common way shadow IT would occur was when someone like an engineer, researcher, or scientist would do an end-around IT to get the tech they wanted because IT (or their boss) said they couldn’t have it.
The common thread in both of these examples is those engaging in shadow IT were technologically-savvy individuals who had the means and ability to procure, provision, orchestrate, manage, and run their own technology stacks or, at the very least, troubleshoot application issues on their own.
20 years on
Today, that is no longer the case. With the advent of IaaS, PaaS, and SaaS the only thing required to go around IT is the will to do it. According to AV firm McAfee and other research, this is particularly true for content collaboration and messaging tools like email, project management, file sharing, and the like. Freemium offerings from most of the cloud SaaS vendors make it all too easy for the average business user to workaround any barrier IT puts in their way.
The common thread between today’s example and those of the past is IT’s ignorance. Then as now, if IT doesn’t know about it, it isn’t shadow IT, it’s rogue IT. The difference between the 2 is more than semantics—particularly in light of the surge in COVID-19-driven cloud adoption.
According to Rob Zahn, CIO at AAA of Ohio, what was already changing fast pre-pandemic was IT’s willingness to allow business users to find and use their preferred applications. The pandemic simply accelerated this paradigm shift.
“Let us hear what the project is, trust us,” he said of IT’s role in approving department-level tech projects. “We’ve got so much work on our plate. We’ll listen… give you a couple words of advice and, if it looks like it’s truly nothing that IT has got to get involved with, [we’ll sign off].”
If IT knows what their business counterparts are up to but doesn’t have to be involved in the day-to-day management of the technology, then it is shadow IT: a known technology stack run outside of IT’s direct supervision. Everything else is rogue IT.
There are 3 distinct flavors of IT today. You have the tech IT orchestrates, provisions, and manages (traditional IT). And then there’s Shadow IT and rogue IT. Each of these impacts the business differently in terms of cost, management time and effort, and risk.
Rogue IT poses the most risk to the organization in terms of security and compliance. Shadow IT isn’t far behind and can be quite costly if mismanaged. Even IT screws up so there’s no panacea there. But they at least know what got screwed up and, usually, how to fix it.
The changing IT mindset
There are a lot of reasons for IT’s willingness to embrace cloud-based applications today. For one, IT is perpetually short-staffed and underfunded relative to the demands placed upon it by digital transformation. Another is cloud providers’ offerings are on par or just as feature rich as their on-prem, client-server cousins. In many cases, SaaS providers have continually set the bar for their particular product category. Salesforce.com comes to mind. Hubspot.com is another.
For IT to field its own applications that compete favorably in cost, features, and functionality with SaaS is a waste of time and resources. IT is better off helping the organization benefit from technology, not owning and running it.
Then there are the many custom, mission-critical applications that IT is (and should be) responsible for to keep them busy. These applications can’t be easily replaced or moved to a cloud, so it’s IT’s responsibility to ensure they remain fully functional and viable for as long as possible.
IT’s critical role in managing shadow IT
IT really shines when it works alongside the business to ensure it has the technological resources it needs to do 2 primary things: grow top-line revenues while reducing bottom-line costs. With today’s technologies (mobile, SaaS, cloud, 5G, etc.), both are achievable at the same time.
As savvy as business users think they are at procuring and managing technology, ITs role has never been more important. Only they have the expertise to truly understand the security and compliance risks of today’s cloud offerings. This is because simple configuration errors in seemingly straightforward apps can expose reams of sensitive data to anyone who is looking.
Given today’s regulatory environment these misconfigurations open up organizations to all manner of fines and lawsuits. (The EU’s General Data Protection Rule (GDPR) and California’s Consumer Privacy Act (CCPA) come to mind. There are a host of copy-cat laws in the works, as well.)
Another issue that only IT has the expertise to manage is permissions (a.k.a, entitlements or privileges) granted to users in cloud environments. According to an IAM vendor I spoke with recently, AWS gives cloud users up to 7,000 different entitlements. This makes them “shadow admins” and a major threat to the security of an organization’s applications, network, and data if they don’t know what they’re doing.
As in days past, the irony facing IT today is they will eventually have to manage most of the shadow IT and rogue IT that finds its way into the organization, so it’s best to get as far out in front of it as they can.
AAA’s Zahn suggests dusting off the old sneakernet. Aside from constantly scanning their network for new apps and new vulnerabilities, CIOs need to talk to their peers. Find out what they are up to. What tech do they currently run? What tech do they want to run? What projects are in the works and how IT can better support them? In this way, IT will come to be seen as a partner instead of a barrier.