A Gartner survey predicted that by 2017 the Chief Marketing Officer will spend more on IT than the Chief Information Officer. Shadow IT, or Stealth IT as it is sometimes called, is technology that has not passed through the IT department; I would include the Information Security department as well. Familiar examples are BYOD solutions and the applications on those devices, CRM and Business Intelligence solutions used by marketing and executive teams, and cloud services where anyone with a credit card can spin up an environment and use it for whatever they need. Shadow IT has its benefits for business enablement, but there are far more inherent risks and dangers in the practice.
How does Shadow IT grow? The simple answer is that the proper process is too slow: too slow to answer the technology needs of the business and too slow to procure the tools that address those needs. However, bypassing a defined and implemented IT and security process introduces unforeseen risk and complications.
In a Shadow IT scenario, vendors are brought into the organization that have not been vetted, that may be the personal choice of a manager rather than the right choice for the organization, and that increase the complexity of the tool sets within the business. When more and more tools are brought in outside of a defined, centralized review program, interoperability becomes impossible. Even though the Shadow IT group thinks it is getting a solution quickly, it may have inadvertently increased future costs exponentially, because none of the tools it brought in work together and they require a broader set of skills to manage.
As in most IT projects, security is often overlooked. When a Shadow IT group brings in tools and solutions, the focus is on the technology or on the fine-grained functions the solution performs. The major piece that is missing is that Shadow IT does not consider, and is not fully aware of, all of the business and technology compliance requirements that must be met. If you are in health care or financial services, the compliance requirements increase tenfold. These compliance failures can be as simple as a log file containing PII that is left unencrypted, or a file transfer that leaves the organization without your knowledge. Shadow IT cares about getting a solution for its own needs, not necessarily a solution that meets the business needs that would be identified through a CIO's process.
Beyond the compliance risks, Shadow IT also brings with it a flurry of problems that will only cost an organization more over time: wasted time, spreadsheet management of the solutions, inconsistent approaches to implementation and maintenance, and overall wasted investments, as the full ROI is never realized.
Shadow IT and this decentralized expansion are only going to grow over the next 4 years, if the analysts are accurate. CIOs need to be aware of this practice if they are going to maintain control within the organization. Shadow IT can be a business-enabling movement as long as the balance between speed and process is adapted to the business' best interests.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.