CEO Ticker – Shadow IT Part 2: Why It’s Dangerous

This is the second blog post in a three-post series written for CEOs and Line of Business (LOB) leaders. Post #1 was a CEO’s introduction to shadow IT – what it is, who’s using it, and why. Here, we dive into why shadow IT is dangerous for the enterprise. What you can do about it is post #3.

Line of business users create shadow IT when they go outside the enterprise IT framework for software-as-a-service (SaaS). SaaS is cloud-based applications like Google Apps, Basecamp, and Dropbox. Similarly, platform-as-a-service (PaaS) allows developers to go around hardware procurement/ provisioning and licensing issues.

For both groups, shadow IT is empowering. It allows them quick and easy access to the resources they need to do their jobs. It helps them meet deadlines. It makes them more productive. And more productive employees is a good thing.

In light of those benefits, the rise of shadow IT within the enterprise makes sense. But the very fact that it exists in the shadows makes it dangerous. It is outside of the corporate firewall. It is outside the IT governance framework. Outside the IT budget. Shadow IT is dangerous for two reasons: security threats and management nightmares.

Security Threats

Corporate firewalls and security policies exist for a reason. They’re necessary to protect the enterprise, its employees, and its customers against security threats. Threats that include the theft and destruction of data. And the disruption of service.

Protecting against those threats is smart business. It’s also often mandated by regulatory agencies.

Shadow IT negates those protections by going around the corporate security framework. Which makes the enterprise vulnerable to theft of secure information. When that information is customer data, its theft creates a hugely expensive crisis. With reputational effects that can cripple a business. When the information is enterprise IP, its theft can compromise the company’s competitive advantage.

Going around the corporate security framework also makes the enterprise vulnerable to disruption of service. Whether it’s a truly mission-critical application or a social network, service disruption can exact a heavy toll both in lost revenue during the outage and lingering customer anger.

“When it comes to corporate security, CIOs are right to be concerned about shadow IT.” [1]

Management Nightmares

Beyond the security threats, shadow IT keeps CIOs awake at night for the resources that it can demand. As CloudTweaks explains, when unauthorized applications have one foot in the shadows and one foot in the sunlight, IT personnel are asked to support technologies they have neither tested nor approved. The sheer number of applications alone can be overwhelming. Magnified by all the different devices IT might need to manage.

Calling shadow IT a potential nightmare, Big Data Corp CEO Thoran Rodrigues writes in TechRepublic, “Business users are rarely concerned with creating a long-term IT strategy. This means that they might select solutions that are incompatible with each other to perform different tasks or, even worse, a company might end up with several different solutions that solve the exact same problem…when those solutions don’t talk to each other, it creates data silos that are much harder to [integrate] than anything that could be created in-house.”

Most employees don’t have malicious intentions when they install Dropbox or put customer data into Basecamp. They’re just trying to do their jobs better and faster. But regardless of the intentions, shadow IT is an understandably scary phenomenon. And unlike the shadows on the wall that frightened us as children, the threats created by shadow IT are real. And significant.

What’s an enterprise leader to do? “Get tough” and eliminate all SaaS and PaaS applications? Turn a blind eye? Neither. Stay tuned for post #3, where we’ll talk about what you can do to enable the benefits that shadow IT can offer while mitigating the risks.


DISCLAIMER: This document is for reference purposes only. The information contained herein should not be relied on and neither IO Data Centers, LLC nor any of its affiliates makes any warranties or representations as to its accuracy.