One of the biggest threats to enterprises isn't a hacker halfway across the world hoping to score valuable data to sell on the black market. And it isn't a disgruntled former employee looking to do the same. It isn't even a rogue nation-state perpetrator looking to disrupt big business. It's shadow IT.
Broadly defined, shadow IT includes "investment in acquiring, developing and/or operating IT solutions outside the formal control of a formal IT organization," wrote Gartner analyst Simon Mingay in a January research note. Shadow IT rose to prominence after the proliferation of cloud and mobile technologies consumerized IT. Employees could suddenly access foreign applications via the corporate network from their personal iPhones and Android smartphones. Apps ranged from the personal to the professional, but they were most definitely unsanctioned.
Shadow IT has grown more varied. Ask CIOs what shadow IT looks like in their businesses and they will likely riff on a marketing executive that purchases Salesforce.com licenses, or point to a business analyst who dumps corporate documents into Dropbox for anywhere access. They may lament developers who use corporate credit cards to purchase cloud infrastructure from Amazon Web Services. They may whine about the sales staff who conduct presentations around the world from their mobile devices.
For all of the scenarios, the common denominator remains the same: It happens without the CIO's permission and without his or her knowledge. As recently as 2014, CIO conferences convened whole panels on how CIOs grapple with shadow IT. While the public hand-wringing has ebbed, CIOs responsible for technology in diverse sectors tell CIO.com that shadow IT remains a concern. Here, several share their tales of shadow IT woe and how they’ve handled this unique issue.
DevOps or shadow IT?
Shadow IT is a serious affair at SAIC, a US$5 billion provider of IT services to government agencies. Because SAIC employs 10,000 people building IT solutions, CIO Bob Fecteau sees shadow IT as essentially DevOps. That is, some groups are building, testing and running their own IT capabilities. “The business says they won’t give me IT support, so we’re going to create operational development capability called DevOps," Fecteau says. "IT occurs in those spaces."
While he accepts that IT work is happening outside his purview, he says he is still responsible for knowing how much of the corporate budget is going to IT — whether he sanctions it or not. "What’s relevant is: Can I account for it? Do I understand how much it costs? And do I understand how much it impacts the business," Fecteau says. "If I can answer yes to most of those questions then I’m probably doing my job."
Fecteau must also balance getting employees the capabilities they need to complete their missions while instituting the proper controls to protect SAIC. The hardest part of shadow IT, Fecteau says, is procuring an enterprise-class license to support shadow IT once it begins to scale.
Fecteau is careful to distinguish shadow IT, while risky, from "rogue IT," in which employees may move corporate files and other data into unsanctioned cloud applications such as Box, an action subject to termination because it violates company-defined compliance policies. Beholden to its federal customers, SAIC can't afford risking data leakage to a vendor. Fecteau says he surveys SAIC's technology consumption constantly to understand what is running. "We have a pretty good understanding of what goes in and out of our enterprise," he says.
Regardless, Fecteau acknowledges that the CIO role has transitioned from "I have to do everything, to I am now the orchestrator of everything IT." And ultimately, he says, "I’m responsible for knowing the entire IT spend. Whether I spend it or not is irrelevant."
IT running amok in restaurants
Shadow IT can keep Sarah Naqvi, CIO of restaurant operator HMHost, up at night. The company employs 35,000 people spread across 300-plus restaurant brands catering to travelers in airports as well as travel plazas and rest areas. Because it handles about 950 million credit card transactions, it must comply with Level 1 PCI standards for retailers. "The distributed nature of our operations presents a challenge," Naqvi says.
To protect the laptops and smartphones she issued to HMHost's 500 corporate employees, Navqi has implemented mobile device management software that effectively containerizes apps running on the device. The majority of employees, from servers at HMHost brands such as Bubbles wine bar to Starbucks baristas working in airports across the country, access HMHost's corporate apps, including scheduling and time management software, from their personal phones. But they also court risk by installing and accessing anything from unsanctioned note-taking apps such as Evernote to Box and consumer apps such as Instagram and Pinterest.
This has created a wild west Naqvi is struggling to get her arms around for an organization whose security and compliance policies demand that she take a hard line to unfettered access. But she also says that she must do a better job aligning proper technologies with business needs and expectations for technology consumption. To do this, she has created a steering committee for security and compliance intended to audit solutions HMHost employees are consuming. She is also investing heavily in education, including classes that teach employees about risks associated with using unsanctioned technologies.
"Whether we like it or not, shadow IT exists in some shape or form in every organization," Naqvi says. "We can pretend that it doesn’t or try to get a handle on it." Naqvi is trying to get a handle on it.
Punting apps and locking down desktops
When Tom Anfuso joined National Life Group as CIO in 2014, he spent a good chunk of time "cleaning up" shadow IT comprising end-user computing applications. Actuaries and other knowledge workers for the life insurance company, which supports $2.5 billion premiums for 800,000 customers, were using apps written in Microsoft SharePoint to view data, access reports and keep customer records. There were also plenty of elaborate VBA Macros written for Excel spreadsheets, he recalls.
"It was often in the context of 'IT doesn't have something for me so I'm just going to get it,' and they just kind of built their own stuff," Anfuso says. "That was the majority of what we tackled here in the form of shadow IT."
Anfuso took an inventory of those apps before ultimately eliminating less important apps or moving valuable apps into Salesforce.com, Tableau or another platform. After years in which employees could do "almost anything with their desktops," Anfuso also virtualized National's desktop environment, centralizing control firmly with IT. "We made it much harder for people to build, download and install software," Anfuso says. "Being able to do an inventory to understand what’s running and ensure that you have control is key."
Anfuso says it wasn't hard to get buy-in from National's executive leadership for these sweeping changes, which were designed to mitigate security and risk. "I got complete buy-in from the leaders of our different business teams. We didn't really face any resistance. In fact, most people were glad that IT was willing to take on what they were doing."
Ultimately, he says, change management, rather than the technology changes, was the toughest challenge to tackle. He worked with the business leaders to pick the best time to institute changes.
Bottom line: Communication and transparency are paramount. Gartner’s Mingay says it’s vital for CIOs to assess the extent of shadow IT within their enterprise and then brief senior executives about the potential value and risks it poses.
Moreover, if you decide to crack down on your shadow IT instances and implement new technologies and policies, be sure the business lines know exactly what you plan to do and when you plan to do it.