Earlier this month, I guest authored an article for ReadITQuick. The post has received a lot of responses and CIOs are constantly asking me about shadow IT. I wanted to share the article with Flexera’s audience because I believe companies of all sizes are grappling with what to do with shadow IT and who is ultimately responsible for its management.
Your CIO has a blind spot.
It’s not where the business and IT usually rub each other the wrong way, around budget, speed or support. It’s not the big-picture initiatives; your CIO knows the importance of technology-driven business transformation and innovation. It’s something much more mundane but with potentially disastrous consequences: good ol’ shadow IT.
The conversation around shadow IT has become borderline cliché. The business is sick of waiting for IT’s time and approval to get and run their applications. SaaS enables them to go out and download what they need, when they need it, so they do. IT tries to herd all the cats, and for the most part, thinks that they’re doing a pretty decent job.
Welcome to the blind spot.
CIOs know that shadow IT is happening, but they often miscalculate the scale at which it now occurs. In fact, CIOs underestimate the number of apps being used across their organization by as many as 900. The average CIO thinks his or her org uses around 30-40 cloud apps, while the reality as of the end of 2016 was more like 928. Those are scary numbers.
Why the disconnect? Two reasons. Less insidiously, IT leaders acknowledge the proliferation of SaaS apps throughout the business, but think they have it under control. There is no shortage of solutions available that supposedly solve the shadow IT problem. IT may put a lock-it-all-down firewall in place, restricting employees’ access to preapproved sites and services and blocking the rest. They may rely on a single sign-on service to guard SaaS vendor authentication, crossing their fingers that their SSO provider will cover all necessary apps and that business users will bring their cloud apps to IT for inclusion in the program. Or they might get fancy with it and go through a cloud access security broker (CASB) to limit access to SaaS applications from the back end.
All of these options work some of the time. But none of them cover every SaaS app, especially given today’s exploding landscape of cloud technologies. More importantly, they all fail to mitigate the human factor. People still want their apps RIGHT NOW, and still don’t want to deal with IT. No matter how many processes and restrictions IT puts into place, users will get around them and the number of enterprise apps will end up far beyond IT’s estimation or awareness.
The second, more cynical reason for the disconnect between what CIOs purport to believe and the reality of SaaS apps in the enterprise is more psychological than technological. If IT acknowledges that it has a problem, it must also acknowledge that it has failed to solve it.
No one wants to admit that there are almost 1,000 rogue apps running wild in their organization. It’s far easier to pretend that they don’t exist, or if they do, that they are someone else’s problem. While the scene is slowly evolving, many IT departments still see themselves as the stewards of firewalls, LANs and on-premises software. SaaS can’t be IT’s issue, because there is nothing to administer, patch, change or monitor. There is just a bill to pay every month, so responsibility must lie with finance or procurement – not IT. For their part, of course, finance and procurement see cloud apps as technology, so outside of paying the bill, definitely not under their purview.
And that’s how we get to 928 cloud applications in the average enterprise.
If the standard IT solutions aren’t the answer to the shadow IT question, what is? First and foremost, business leaders must get the message out: This is a serious situation. It’s time to ask your CIO the tough questions, touchy as they may be. How many SaaS applications are actually running in your company and how, precisely, are they being managed? This will likely step on toes, but the ramifications of not asking the questions reach far beyond bruised egos. Your business cannot afford the security, compliance and financial repercussions of an unmanaged SaaS stack.
Your CIO may have a blind spot, but he or she is right that SaaS isn’t only IT’s responsibility. Business applications need to be actively managed from a business perspective, across multiple departments, to strike the optimal balance between speed and control, agility and security, productivity and protection. It’s a brave new world out there. IT can no longer hold every aspect of every application in its iron grip, but it can take its head out of the sand, look around and collaborate toward a more realistic and effective solution to SaaS-fueled shadow IT.