While tackling shadow IT isn't the most prominent challenge on a CIO's growing to do list, the widespread growth of the practice in recent years has become hard to ignore.
It wasn't that long ago when research firm Gartner predicted that by 2017, marketing departments would end up spending more on IT than IT departments and since then the use of IT services in other business has exploded to the point that Gartner's prediction is not too far off from being vindicated.
You'd be hard pressed to find a CIO or IT professional who is loving the explosion in IT spend by other business units as it undermines IT departments and even brings into question the need for CIO's. Executives outside the IT department have defended their increased IT spend by accusing CIO's of being too restrictive and rigid.
There's some truth to this complaint as CIO's have traditionally been less than willing to introduce new solutions, particularly those provided by startups. The unwillingness of CIO's to introduce new solutions forced software vendors to target other business units within their organization which has led to the increased use of IT solutions without the CIO's blessing.
The growth of shadow IT in the last five years has concerned CIO's across the board with IT leaders responsible for fewer and fewer IT buying decisions. However, what really keeps CIO's up at night is the security vulnerabilities shadow IT can potentially opens their organization to.
Despite most organizations having strict policies in place forbidding its workforce from using third party applications to handle company data, it's well known these rues are flouted with abandon. You would think this might lead to some type of punitive action taken on employees who flout these rules but since only 8% of organizations can track the use of shadow IT, finding and reprimanding employees is easier said than done to say the least 1.
It's quite scary to think that only a measly 8% of organizations can track the use of shadow IT as it means a staggering 92% of companies are devising security and device management policies in the dark. What's even more terrifying is that should organizations that make up the 92% suffer a breach, their CIO won't know what hit them until it's too late.
This scenario is very likely to become the norm as according to a survey carried out by Intel Security, a worrying 23% "handle security without help" 2. Why this is happening when in most cases these departments are just a phone call away from each other is crazy and is a disaster waiting to happen.
In sum, leadership at these organizations are going to have to figure out fast how to track the use of shadow and find a way to bring IT into the conversation or risk being getting hacked and beefing up their lawyer's retainers.
- M. Korolov, 2015, only 8% of companies can track shadow IT, http://www.cio.com/article/2868113/it-organization/only-8-percent-of-companies-can-track-shadow-it.htm
- C. Worley, 2016, Shadow IT: Mitigating Security Risks, http://www.csoonline.com/article/3083775/security/shadow-it-mitigating-security-risks.html