In the past few years I have had exciting and passionate conversations about cloud where the topics have been as varied as elasticity, rapid delivery, innovation and cost optimisation. Not anymore. This year has been the year of cyber security, compliance, personally identifiable information (PII) awareness and GDPR. The cloud hype has changed.
The hot topic when it comes to cloud, as I noted at a CIO executive function I attended recently, is security and compliance. It isn’t surprising in today’s world, but as worries, concerns and challenges were all laid out on the table, one thing was missing. Someone stepped up to name the elephant in the room, uttering two words that when combined have become taboo in tech circles.
Gartner studies have found that shadow IT can account for 30 to 40 percent of IT spend in large organisations.1 Such a large amount should be enough to scare any IT executive. But what exactly is shadow IT, and what does its existence signal about your IT department’s role in keeping the business competitive and functioning?
Shadow IT refers to software that is built, deployed, maintained and managed without the involvement of an organisation’s IT department. It isn’t the same thing as, or caused by ‘the cloud’, but cloud platforms have greatly increased its accessibility and prevalence, as websites, cloud storage and databases are now a few clicks away. Not being officially sanctioned, these technologies often don’t comply with a business’ information technology and security controls.
It occurs, increasingly, because a laptop, an internet connection and a credit card can get an employee started more quickly and less expensively than going through official IT channels. But it does so insecurely and without necessary levels of compliance. From a business risk perspective, it’s a danger.
Shadow IT exists because it’s easy. As individuals, organisations and enterprises have become more comfortable with cloud offerings, the corporate world has become far more accepting as well.
I now find myself participating in discussions on ‘cloud first’ and ‘cloud only’ strategies and I have seen first-hand the level of maturity rising. With it, so have expectations. People now want their IT to be faster, better, cheaper. (It’s often myself that adds ‘secure’ and ‘compliant’ to that list.)
These desires explain why shadow IT exists. Often, the rise in shadow applications is because IT departments are not keeping up with the ever changing expectations of the business. This is a risk in and of itself, as this adaptability is critical when facing increased competition outside the organisation.
IT departments need to keep up with this demand – but they also need to maintain innovation momentum and rapid delivery, and deliver secure and compliant offerings. They can’t become a blocker, but they also have to deal with the real risk of shadow IT.
It’s definitely not an easy task, but talking from experience it’s certainly an achievable one.
I’ve heard the sentence, “But I can sign up this service in 10 minutes” many times. And it’s true, they could.
The IT knee-jerk reaction is usually along the lines of, “Yes, but it’s not compliant and secure, so you can’t.” Ideally, the desired answer from IT would be: “You can do that in the IT provided and managed platform too, which includes all the necessary security and compliance wrapped around the service to keep you and us safe.”
Telling staff not to go signing up to technology with their credit cards ‘because they can’t’ will probably not achieve the desired result, especially if they have no other option to enable their work.
However, if you instead build a platform where IT offerings are automated, and replicate, or even simplify further, the customer-friendly experience of cloud providers – including seamless organisation specific levels of security and compliance – then you have created the path of least resistance. It’s a win-win.
It’s worth noting that shadow IT is not only your security department’s problem. Cloud platforms have contributed to it’s increase, organisation specific cloud offerings can help minimise it or even eliminate it.
With a governed enterprise multi-cloud offering, there is no need for anyone to play in the shadows. It’s simply easier not to. Additionally, departments will also have access to a premium level of solution design expertise and support (probably better than the third party options they’ve looked at).
There’s immense value (often in hard dollars) in knowing that company data is protected at all times, that it’s encrypted and backed up according to your organisation’s policies and standards. Regardless of the area your business is in, this will provide comfort to stakeholders, customers and regulators.
From an operational lens, building your own solutions will mean never needing to go back and remediate non-compliant and inconsistent platforms and services from the outside. It will reduce the number of migration activities too, giving teams the breathing space they need to focus on higher value activities.
So, if there’s one thing I could say to people when we have tricky conversations on shadow IT it’s that the solution is (relatively) simple:
It’s time to invest in organisational risk and get building.
For a more detail on approaching an automated multi-cloud, view Robert’s previous piece, ‘The Power of automation: Cloud is not enough’.
© 2017 - Sun Jan 16 11:51:13 UTC 2022 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.