Shadow IT: It's Much Worse Than You Think - InformationWeek

Shadow IT: It's Much Worse Than You Think

The number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted, according to a Cisco report. What's a CIO to do?

Most CIOs are aware that Shadow IT occurs within their organization. As it turns out, the problem may be much more prevalent than they ever imagined. A new Cisco report shows that the number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted. That means that the risk and added costs attributed to Shadow IT are also significantly underestimated. So what is a CIO to do?

I recently had the opportunity to discuss the topic of Shadow IT with Bob Dimicco, global leader and founder of Cisco's Cloud Consumption and Broker Services Practice. Dimicco and his team surveyed IT customers to gauge their estimates of how much shadow IT is happening within their organizations. Then, they compiled data from customer projects that portrays an explosion of Shadow IT in the enterprise. It also illustrates the obvious disconnect between what IT believes is happening and the factual evidence. The data used was collected directly off production networks over the past 18 months. It was collected from participating Cisco enterprise customers in the US, Europe, Canada and Australia operating across a wide range of business verticals.

According to Cisco: "IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow. One year ago, the multiple was seven times, six months ago it was 10 times, today it is 15 times and given the exponential growth of cloud we predict that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company."

In every geographical region and across all industries, the results were strikingly similar. According to Dimicco: "When we got started, we were wondering, is there going to be one or two industries where this was going to be most prevalent? No, it's prevalent across all industries and this is consistent with the major countries in which we worked with customers."

Lest you think the data might be inaccurately skewed through the inclusion of personal apps or websites used by employees on the corporate network, think again. "When we do this sort of analysis based on traffic, we always eliminate websites," said Dimicco. "If someone's going to Yahoo, or someone's going to iTunes, those things are eliminated." Much of the Shadow IT Cisco discovered included Compute services such as Infrastructure-as-a-Service (IaaS) from AWS and Google, as well as multiple storage and backup service providers. On the Software-as-a-Service (SaaS) front, marketing and sales applications such as dominated.

(Image: amisb/iStockphoto)

Why is this important? Shadow IT can increase your organization's risk of data loss. It also significantly increases overall IT operations cost. So what is a CIO to do?

Dimicco and his team developed a five-step, multi-year plan to move Shadow IT out of the shadows and bring it back under the oversight of IT through a Hybrid IT model. Essentially, the Hybrid IT model is an expansive list of IT-approved cloud services that employees use as they choose.

Before an IT department can even begin thinking about a Hybrid IT model, step one is to discover and identify which unauthorized cloud services are being used inside an organization. Cisco is (naturally) proposing its Cloud Consumption Services to assist in the discovery process. In fact, the company used the tool to compile the results for its Shadow IT report. According to the company, the tool can provide ongoing results to quickly identify new services favored by employees so they can be vetted and eventually added to the approved Hybrid IT services menu.

However you ultimately decide to handle the situation, know that the likelihood that Shadow IT can be completely eradicated from enterprise organizations is extremely slim. Rather, the goal for CIOs and IT departments should be to significantly reduce the need for employees to circumvent IT in order to perform their work duties. Ultimately, this will mean that IT departments will have to dramatically expand their portfolio of approved applications and cloud services they offer their end users. Just how many will that be for your organization? You'll never know until you get true visibility into how much Shadow IT is going on.

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs and prior experience at organizations such as State Farm Insurance, United Airlines and the ...
User Rank: Ninja
8/19/2015 | 11:36:22 AM
Employees and short-cuts
I agree, employees will take the fastest route. But since they don't always understand the dangers of using a non-approved app or program, it's up to managers to make sure the employees are trained to know what those are so they can help the IT department get their favored programs vetted instead of just taking down the firewall and getting it done. Sometimes protecting against data loss means it's slower, and as long as the approved programs can get the job done in a reasonable time frame all is well. It's when employees are waiting for the processes to work at all they turn to something else. If they have a process in place where they inform IT of a better program and IT is willing to try it you can develop a good hybrid culture with less shadow IT.
User Rank: Apprentice
8/10/2015 | 7:14:06 AM
Users will always take shortcuts
Users are under constant pressure to perform their tasks, disregarding what IT departments have in their policies. Users will take necessary shortcuts and it's up to the CIO to see that the shortest shortcuts are provided by the IT department.
User Rank: Apprentice
8/8/2015 | 5:01:56 PM
Shadow IT Asset Creation
Shadow IT also broadens the attack surface, including assets that attackers can leverage to infect customers such as forgotten about or otherwise unaccounted for http live apps. I'm talking about digital assets generated via third-party CMS's/hosted on third-party IaaS platforms and/or acquired via M&A activity.

The unknown digital 'debris' floating around most enterprise digital footprints is a great place to start an attack. Attackers can plot a course back into the network OR find vulnerabilities to embed malware into. In many cases the only way to know about these assets is to detect them via either manual or automated discovery methods.
User Rank: Strategist
8/7/2015 | 1:31:52 PM
Identifying Cloud Apps Being Used is Only Step 1
Great point about step 1 being to discover the actual cloud apps being used. In the vast majority of cases, the use of Shadow IT is for appropriate business issues - time to market, innovation, etc. So, if there's a legitimate business need for these apps, then step 2 after discovering them, is to ensure that those apps deliver the expected quality and reliability that the workforce requires. The challenge of course is that the apps run on infrastructure beyond the control of enterprise IT. Monitoring End User Experience from the perspective of the workforce end user's device, is 1 way to both discover the apps and to ensure their reliability as the end user sees it. Many enterprises use this approach to hold their cloud IT vendors accountable to SLAs that are more meaningful to the business than simple infrastructure availability and response times.
User Rank: Ninja
8/7/2015 | 10:03:19 AM
Isn't it a non-surprise? Coming from Cisco, isn't the bias obvious because Cisco has intrinsic interest for organizations to adopt cloud solutions of their own?