Shadow IT: It's Much Worse Than You Think
Most CIOs are aware that Shadow IT occurs within their organization. As it turns out, the problem may be much more prevalent then they ever imagined. A new Cisco report shows that the number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted. That means that the risk and added costs attributed to Shadow IT are also significantly underestimated. So what is a CIO to do?
I recently had the opportunity to discuss the topic of Shadow IT with Bob Dimicco, global leader and founder of Cisco's Cloud Consumption and Broker Services Practice. Dimicco and his team surveyed IT customers to gauge their estimates of how much shadow IT is happening within their organizations. Then, they compiled data from customer projects that portrays an explosion of Shadow IT in the enterprise. It also illustrates the obvious disconnect between what IT believes is happening and the factual evidence. The data used was collected directly off production networks over the past 18 months. It was collected from participating Cisco enterprise customers in the US, Europe, Canada and Australia operating across a wide range of business verticals.
According to Cisco: "IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow. One year ago, the multiple was seven times, six months ago it was 10 times, today it is 15 times and given the exponential growth of cloud we predict that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company."
[ Confused about cloud computing price structures? Read Cloud Computing: 8 Hidden Costs. ]
In every geographical region and across all industries, the results were strikingly similar. According to Dimicco: "When we got started, we were wondering, is there going to be one or two industries where this was going to be most prevalent? No, it's prevalent across all industries and this is consistent with the major countries in which we worked with customers."
Lest you think the data might be inaccurately skewed through the inclusion of personal apps or websites used by employees on the corporate network, think again. "When we do this sort of analysis based on traffic, we always eliminate websites," said Dimicco. "If someone's going to Yahoo, or someone's going to iTunes, those things are eliminated." Much of the Shadow IT Cisco discovered included Compute services such as Infrastructure-as-a-Service (IaaS) from AWS and Google, as well as multiple storage and backup service providers. On the Software-as-a-Service (SaaS) front, marketing and sales applications such as Salesforce.com dominated.
Why is this important? Shadow IT can increase your organization's risk of data loss. It also significantly increases overall IT operations cost. So what is a CIO to do?
Dimicco and his team developed a five-step, multi-year plan to move Shadow IT out of the shadows and bring it back under the oversight of IT through a Hybrid IT model. Essentially, the Hybrid IT model is an expansive list of IT-approved cloud services that employees use as they choose.
Before an IT department can even begin thinking about a Hybrid IT model, step one is to discover and identify which unauthorized cloud services are being used inside an organization. Cisco is (naturally) proposing its Cloud Consumption Services to assist in the discovery process. In fact, the company used the tool to compile the results for its Shadow IT report. According to the company, the tool can provide ongoing results to quickly identify new services favored by employees so they can be vetted and eventually added to the approved Hybrid IT services menu.
However you ultimately decide to handle the situation, know that the likelihood that Shadow IT can be completely eradicated from enterprise organizations is extremely slim. Rather, the goal for CIOs and IT departments should be to significantly reduce the need for employees to circumvent IT in order to perform their work duties. Ultimately, this will mean that IT departments will have to dramatically expand their portfolio of approved applications and cloud services they offer their end users. Just how many will that be for your organization? You'll never know until you get true visibility into how much Shadow IT is going on.