Shadow IT – IT systems and solutions used inside companies without company approval – is here to stay, and that’s a good thing. It means the business world is embracing new technologies at a rapid clip. Your job now is to figure out how to keep up and add value to the process.
Despite the fact that I cover IT trends constantly, I have a confession for you: I think Shadow IT risks are overblown. I’m starting to tune out IT pros when they whine about it, and I’m not alone.
I’m not minimizing the risks of adopting untested, poorly secured cloud services and mobile apps. I understand that there are real risks here. But, you know what? Tools are emerging to automate the process of discovering those risky apps, and the best of these tools will also help you secure them.
Sales and marketing departments are the number-one driving force
I was recently invited to speak at ExactTarget’s Connection Conference on exactly this topic. ExactTarget is a marketing automation company, which was recently acquired by salesforce.com. The point of my talk was that the collision of marketing and IT can go in one of two directions.
The first path leads to one of those gigantic Interstate highway pileups I see so frequently on local L.A. newscasts. The second follows a path of collaboration, with two equally strong business departments helping each other reach a destination where each arrives better off than when they originally departed on the journey.
Which option would you prefer? Seems like a no-brainer, but these sorts of changes are never that simple.
After my talk, I was approached by several attendees, most of whom admitted they couldn’t put these technology genies back in the bottle, yet who were equally uncertain about how to move forward in a way that won’t compound the problem.
A couple others weren’t so risk-averse. “I’d argue that Shadow IT is not a problem; it’s progress,” said Ian Murdock, VP Platform, ExactTarget. “It’s kind of like software Darwinism. The services and applications that are adopted widely are the ones that IT will have to figure out how to support – whether they like it or not. On the other hand, the ones that IT legitimately cannot sign off on – because they are too insecure, too poorly designed or simply an invitation for an audit – will die off.”
Granted, Murdock has a dog in this fight, being part of a marketing automation organization, yet his advice makes sense. He argues that IT departments are missing the fact that the Consumerization of IT, Shadow IT, BYOD, call it what you will, is an opportunity. IT wastes too much time on cumbersome manual processes that typically end with the same result: telling someone “no.”
With so many tedious tasks becoming automated – everything from email marketing to software risk scoring to social media marketing – why wouldn’t IT want to evolve into something stronger, smarter and more perfectly adapted to an environment where a ten-year-old can adopt bleeding-edge cloud technologies from an iPad?
“Remember how Linux became practically ubiquitous?” Murdock asked. “Very few business leaders said, ‘Hey, we have to adopt Linux.’ Instead, they learned that they could throw Linux on an old PC and turn it into a low-cost server. Adoption solved a problem and cost next to nothing. They would have been crazy not to embrace Linux.”
Remember, these “shadow” technologies are adopted so people can do their jobs, and usually do them cheaply and efficiently. Add to that the fact that IT is viewed as a cost center, rather than a profit generator, and you can see why IT moves so much more cautiously than marketing or sales when adopting new technologies. If a shadow technology leads to a major data breach, IP theft or some other catastrophe, the sales or marketing team will have the excuse of “we didn’t know any better.” IT will not, even if they didn’t know about the adoption in the first place.
“A sales guy will never get fired for using salesforce.com, but he very well could be fired for missing his quarterly numbers,” said Yorgen Edholm, CEO of Accellion, a provider of secure mobile and cloud collaboration and file-sharing services.
Shadow IT & cloud adoption by the numbers
* 35% of IT spending will take place outside of IT by 2015, growing to 90% by the end of the decade.
* CMOs will spend more on IT than CIOs by 2017.
* 44.4% of IT professionals say they will be moving applications to the cloud within the next year.
* 44.9% of IT professionals are already running some applications in the cloud.
* Comparing departments, marketing/advertising/communications are the big adopters, with 43% admitting to using shadow IT services (this study polled European office workers)
Sources: Gartner, Gartner Research VP Laura McLellan, Qumu & Toluna , VMware & Vanson Bourne
NSA Surveillance and Shadow IT
There is one complicating factor, at least regarding U.S.-based cloud services. The NSA surveillance revelations leaked by Eric Snowden could cause regulatory problems for European companies using cloud services based in the U.S.
I’ll write more on the Snowden issue later this month, but for now let’s me just say that since the NSA was spying on everyone – foes, allies, U.S. citizens, the editorial staff at Cat Fancy magazine (okay, I’m joking with that last one; well, I think I’m joking) – I doubt blacklisting U.S. cloud service providers would do much good. However, it’s at least a factor to consider.
Edholm noted that smaller European companies don’t worry so much about the NSA issue, but larger enterprises that have regulators constantly breathing down their necks may not be willing to take the risk of adopting cloud services from U.S. providers.
Equinix tackles the problem through automation
George Do, Director of Global Information Security for Equinix, has set out to solve the Shadow IT problem by becoming an early adopter of a new technology himself.
Equinix was an early tester of startup Skyhigh Network’s cloud security services. “I’m not sure we were the very first tester, but we were certainly one of the first,” Do said.
Skyhigh Networks’ cloud security service automatically discovers which cloud services various departments and employees are using. “We just forward them device logs, and they figure it out for us. It’s all automated, and their system automatically generates risk scores,” he said.
For instance, if your sales team has adopted salesforce.com, you’ll see a pretty low risk score. Various security issues have already been addressed, although you may still need to block certain types of activities, such as downloading contracts onto a mobile device, that are too risky to allow.
After discovery, the Skyhigh Networks platform enforces various security policies, and includes features such as automatic data leak prevention.
What happens, though, when some service eagerly adopted is too insecure to accept?
“This happens less often than you’d think, and the risky services tend to be from Mom-and-Pop shops. In those cases, it’s simply a matter of informing people that there’s a better tool out there, one suited for enterprise activities,” Do said.
In the future, IT’s power could actually grow because of this trend. For example, if IT learns that users love a certain tool, but it’s insecure, they could have leverage over the vendor. They may even have equal leverage over the competing vendor who provided the IT-preferred tool, especially if IT can show that employees don’t like it because of, say, ease of use issues.
IT could become the hammer that pounds vendors into shape. If you’re a cloud provider worried about losing a big customer like Equinix, I imagine you’d be pretty motivated to address their concerns, especially with a bright red risk score staring you in the face.
Jeff Vance is a technology journalist based in Santa Monica, Calif. Connect with him on Twitter @JWVance.