Computerworld

Bringing shadow IT into the light

How organisations can identify and manage cyber risks of shadow IT

In this era of cloud-based business solutions, it is easier than ever for companies to get the functionality they need almost immediately through a cloud provider. A growing number of organisations are moving to cloud-based services for the multiple advantages they offer, with research from Accenture indicating that a typical large organisation has hundreds of unregulated cloud, SaaS and other solutions in use – in some cases 10 times that of its known cloud usage.  

Unfortunately, this shift in company infrastructure has not offset the need for proper governance and management required to avoid the potential risks. And the risks are many. Intel recently revealed 65 per cent of IT professionals believe shadow IT—information-technology systems and solutions built and used inside organisations without organisational approval—is interfering with their efforts to keep their organisation’s cloud infrastructure safe and secure. Furthermore, according to research from Gartner, by 2020 one in three successful cyberattacks on organisations will be a direct result of shadow IT.  

Organisations must be responsible for identifying and managing risks such as operational integrity, security and cost management. This task is imperative for IT teams who will inevitably be held responsible for any problems with cyber-attacks, even if they had no involvement with, or even awareness of, what was going on in the shadows.  

Fortunately, IT leaders are working to legitimise these pure cloud efforts, allowing IT departments to gain greater visibility of the risks and benefits associated with a more agile approach. The primary objective for IT executives should be to improve the organisation’s IT integrity by enforcing security and compliance protocols and establishing ground rules that reduce organisational risk. As a first step, IT leaders need to identify all the projects and applications that are running in the shadows.

New apps need to be assessed to determine how to govern them, and whether an organisation’s evolving environment has the processes and workflows to support them. For newer projects in production, capabilities such as cost management, governance, policy enforcement, service enablement and process redesign will require a different operating mantra with different roles, enhanced processes, and new tooling.

IT departments can provide a platform-like approach that supports business requirements while minimising risks to an organisation related to shadow IT. A Cloud Management Platform (CMP) has proven its value as it embodies best practice and enables automation, standardisation and self-service for companies. A CMP encompasses a broad set of capabilities and services as a single entity that helps organisations to reduce the complexity of the technology landscape, allowing IT departments to manage costs and risks associated with shadow IT.

As part of an organisation’s journey to legitimising the cloud, it’s important for IT provisions to be seen not as a taxing process but as a natural part of the business. To achieve this, IT executives should adopt the role of educator, rather than enforcer. Instead of tracking policy offenders and enforcing compliance reminders, IT departments can share information with their employees about what they should know about the service-level agreements and legal language they will encounter when they are making their own purchases. Information about preferred suppliers can be proactively shared, but it’s beneficial to foster an ‘open door’ environment where employees can consult IT about solutions outside of the preferred supplier list.

One of the reasons shadow IT exists is the accessibility that vendors offer to get business services on demand, so IT departments must be equally approachable. As a starting point, IT departments can share the preferred supplier information with the company but must also be willing to discuss exceptions and ensure employees are comfortable reaching out when it comes to procuring nimble solutions. In this way, organisations will have the power to keep track of usage of unsanctioned apps putting their company’s security at risk, helping them to combat the threats of shadow IT.

Combining these measures will help to fill the gaps around visibility related to shadow IT risks. To achieve this outcome, organisations need to view IT procurement as a trusted resource that can help achieve business objectives quickly and innovatively while protecting the company from risk. By equipping organisations with platform capabilities and holding open communication about suppliers, IT professionals can ensure the integrity of data and provide appropriate measures for threat assessment and responses to cyberattacks caused by shadow IT.

 Jordan Griffiths is Managing Director of Operations at Accenture.