This week, shadow IT was the hot topic in the CIO Twitter world. From the Gartner CIO Leadership forum, Point B CIO David Wu showed a visualization of shadow IT spending across verticals. With an array of enterprise cloud apps available for various business functions, business units do not hesitate to pull the trigger on subscriptions to unsanctioned cloud services, if the cloud service provider charges anything. The average spending on shadow IT hovers around 20% of total IT spend. Finance took the lead as the largest source of shadow IT in nearly every industry. Given the sensitive data handled by Finance and other departments, organizations cannot afford to ignore this cloud usage. While blocking is not necessarily the correct answer, IT leaders can direct users to more secure alternative services and implement security and compliance policies on the backend that don’t impact usability.
Ben Haines, formerly CIO of Box and now on the IT team at Yahoo, pointed out a trend contributing to the prevalence of unsanctioned IT spending: up and coming enterprise cloud services can be more powerful and user-friendly than legacy offerings. As Haines suggests, employees have a higher standard for software tools given the sheer number of alternative services available.
Shorenstein CIO Stuart Appley took the conversation one step further by insisting that the enterprise needs shadow IT to succeed. The article reports a divide in perspectives on IT’s role in the enterprise between business unit users and members of central IT staff. In the event that IT is slow to enable productivity-increasing cloud services, lines of business may take the lead in cloud adoption.
By now you may be wondering what IT can do to keep up with the proliferation of cloud services. Creative Artists Agency CIO Michael Keithley shared an article on smart CIOs aligning business and IT in the age of the cloud. The key for proactive leaders is to prevent IT from appearing as a “black box” to users by setting structured channels for communication. In particular, education around risky services is much more effective than just blocking access.
Let’s close with some security. Stephen Landry of Seton Hall shared a take down of “good enough” security, arguing that companies need to raise the bar when it comes to securing data. A key takeaway is that compliance does not equal security, and vice versa. The solution is making risk transparent and mapping security measures to corporate goals.