The new face of Shadow IT

Shadow IT and rogue IT are no longer synonymous. The cloud and COVID-19 have caused IT to split into three distinct branches.

Twenty years ago, Shadow IT was just a blip on most CIOs' radar (in fact, CIOs were very new at the time and the CISO role had barely been invented). Most LANs were not connected to the Internet, and if they were, there was little fear of hackers infiltrating the corporate network.

When Shadow IT occurred, it was the purview of super users who had the blessing of a VP to bypass IT and configure the infrastructure and applications that the VP needed to produce the results their boss was demanding.

The other most common way shadow IT occurred was when someone like an engineer, researcher or scientist went around IT entirely to get the technology they wanted because IT (or their boss) had said they couldn't have it.

The common thread in both examples is that those involved in Shadow IT were technologically savvy individuals who had the means and ability to acquire, provision, orchestrate, manage and run their own technology stacks, or at least to troubleshoot the applications run on their behalf.

20 years later

Today, this is no longer the case. With the advent of IaaS, PaaS and SaaS, the only thing needed to bypass IT is the willingness to do so. According to AV company McAfee and other research, this is particularly true for content collaboration and messaging tools: email, project management, file sharing, and so on. Freemium offerings from most cloud SaaS providers make it very easy for the average business user to bypass any barrier IT puts in their way.

The common thread between today's examples and those of the past is whether IT knows about it. Then, as now, if IT doesn't know about it, it's not shadow IT, it's rogue IT. The difference between the two is more than semantics, especially in light of the surge in cloud adoption driven by COVID-19.

According to Rob Zahn, CIO of AAA of Ohio, what was already changing rapidly before the pandemic was IT's willingness to allow business users to find and use their preferred applications. The pandemic simply accelerated this paradigm shift.

“Let's hear what the project is, trust us,” he said of IT's role in approving technology projects at the department level. “We have a lot of work on our plate. We'll listen... we'll give some advice, and if it looks like there's really nothing that IT needs to be involved with, (we'll sign off).”

If IT knows what its business counterparts are doing, but does not need to be involved in the day-to-day management of the technology, then it is Shadow IT: a known technology stack running outside of IT's direct oversight. Everything else is rogue IT.

There are three distinct flavors of IT today. You have the technology that IT orchestrates, provisions and manages (traditional IT). And there is also Shadow IT and rogue IT. Each of them impacts the business differently in terms of cost, management time and effort, and risk.

Rogue IT poses the biggest risk to your organization in terms of security and compliance. Shadow IT is not far behind and can be quite expensive if managed poorly. Even IT screws up, so there is no panacea there, but at least IT knows what went wrong and usually how to fix it.

The shift in IT mindset

There are many reasons for IT's willingness to adopt cloud-based applications today. For one, IT is perpetually understaffed and underfunded relative to the demands placed on it by digital transformation. Another is that cloud providers' offerings are at least as feature-rich as their on-premises client-server cousins. In many cases, SaaS providers continually set the standard for their specific product category. Salesforce.com comes to mind. Hubspot.com is another.

For IT to field its own applications that compete favorably on cost, features and functionality with SaaS is a waste of time and resources. IT is better off helping the organization benefit from technology rather than owning and managing it.

Then there are the many custom, mission-critical applications that IT is (and should be) responsible for keeping running. These applications cannot be easily replaced or moved to a cloud, so it is IT's responsibility to ensure they remain fully functional and viable for as long as possible.

The critical role of IT in managing Shadow IT

IT really shines when it works closely with the business to ensure it has the technological resources it needs to do two key things: increase revenue while reducing bottom-line costs. With current technologies (mobile, SaaS, cloud, 5G, etc.), both are possible at the same time.

No matter how savvy business users think they are at acquiring and managing technology, the role of IT has never been more important. Only they have the expertise to truly understand the security and compliance risks of today's cloud offerings. This is because simple configuration errors in seemingly simple applications can expose large amounts of sensitive data to anyone looking.

Given the current regulatory environment, these misconfigurations expose organizations to all types of fines and lawsuits. (The EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) come to mind. A number of copycat laws are in the works as well.)

Another issue that only IT has the expertise to manage is the permissions (also known as rights or privileges) granted to users in cloud environments. According to an IAM vendor I spoke with recently, AWS offers cloud users up to 7,000 different entitlements. Business users who accumulate broad sets of these entitlements become “shadow administrators” and a major threat to the security of an organization's applications, network, and data if they don't know what they are doing.
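The practical question behind the paragraph above is how to tell which of those thousands of entitlements add up to a shadow administrator. The script below is an added example, not code from the article or from any vendor mentioned in it. It reads IAM-style policy documents (constructed here for illustration) and flags two things: an Allow on all actions, and a handful of publicly documented self-escalation paths (for instance, being able to create a new version of an attached policy, or passing a more privileged role to a Lambda function or an EC2 instance). The list of escalation paths is an assumption, a short practitioner's checklist rather than a complete catalogue, and Resource and Condition scoping are deliberately ignored so that the check errs toward flagging.

```python
"""Flag IAM policy documents that make their holder an administrator in practice.

Added example (not from the article). The policy documents and account ID are
constructed; the escalation list is a hand-picked subset (an assumption), not
a complete inventory of AWS privilege-escalation paths.
"""
import fnmatch

# Any Allow statement with one of these Action patterns is full admin outright.
ADMIN_PATTERNS = {"*", "iam:*"}

# Well-known self-escalation paths: every action in the tuple must be granted.
# Assumption: a short checklist, not the full set of known paths.
ESCALATION_PATHS = {
    "create a new version of an attached policy": ("iam:CreatePolicyVersion",),
    "attach a managed policy to own user": ("iam:AttachUserPolicy",),
    "switch the default policy version": ("iam:SetDefaultPolicyVersion",),
    "pass a privileged role to Lambda": (
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    "pass a privileged role to EC2": ("iam:PassRole", "ec2:RunInstances"),
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_patterns(policy, effect):
    """Lower-cased Action patterns from every statement with the given Effect.

    An Allow written with NotAction grants everything except what it lists,
    so it is treated as a wildcard (conservative).
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != effect:
            continue
        if effect == "Allow" and "NotAction" in stmt:
            patterns.append("*")
        patterns.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns


def is_granted(policy, action):
    """True if an Allow pattern matches `action` and no Deny pattern does.

    IAM action names are case-insensitive and use '*' and '?' wildcards,
    which fnmatch handles. Resource/Condition scoping is ignored on purpose.
    """
    action = action.lower()
    allowed = any(fnmatch.fnmatchcase(action, p) for p in action_patterns(policy, "Allow"))
    denied = any(fnmatch.fnmatchcase(action, p) for p in action_patterns(policy, "Deny"))
    return allowed and not denied


def shadow_admin_findings(policy):
    """Return a list of human-readable findings; empty means nothing flagged."""
    if any(p in ADMIN_PATTERNS for p in action_patterns(policy, "Allow")):
        return ["full administrator: wildcard Allow on all actions"]
    findings = []
    for label, needed in ESCALATION_PATHS.items():
        if all(is_granted(policy, a) for a in needed):
            findings.append(f"privilege escalation path: {label}")
    return findings


# Constructed sample policies. 123456789012 is the AWS documentation placeholder account.
POLICIES = {
    "ReadOnlyAnalyst": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "DataTeamAdmin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "DevOpsHelper": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*", "lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:DeleteFunction", "Resource": "*"}]},
    "HelpDesk": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicyVersion"],
         "Resource": "arn:aws:iam::123456789012:policy/HelpDeskPolicy"}]},
    "ContractorSandbox": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]},
}


def audit(policies=POLICIES):
    """Map each policy name to its findings."""
    return {name: shadow_admin_findings(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

Note that HelpDesk is flagged even though its CreatePolicyVersion is scoped to one policy ARN: if that ARN is a policy attached to the help-desk user, the scoping does not help, and a reviewer should look rather than have the tool silently pass it. ContractorSandbox shows the opposite case, where an explicit Deny removes the PassRole half of an escalation pair.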

As in the past, the irony facing IT today is that it will eventually have to manage most of the shadow IT and rogue IT that enters the organization, so it is better to engage with it early than to keep it at arm's length.

AAA's Zahn suggests dusting off the old sneakers and walking the halls. In addition to constantly scanning their network for new applications and new vulnerabilities, CIOs need to talk to their colleagues. Find out what they are doing. What technology do they currently run? What technology do they want to use? What projects are underway, and how can IT best support them? This way, IT will be seen as a partner and not as a barrier.
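The "constantly scanning the network for new applications" part of that advice is where shadow IT first becomes visible, since even a freemium SaaS tool has to resolve its vendor's domains from the corporate network. The script below is an added example, not code from the article or from AAA: it runs over a constructed DNS query log (the three-column line format, the SaaS domain catalogue and the sanctioned-app list are all assumptions) and reports which applications are in use from how many distinct clients, separating what IT already knows about (shadow IT) from what it does not (rogue IT, in the article's terms). The host-count threshold is there so a single curious user does not generate the same alert as a department that has quietly adopted a tool.

```python
"""Spot unsanctioned SaaS use from DNS query logs.

Added example (not from the article). The log lines, the line format
(timestamp, client IP, queried name), the SaaS catalogue and the sanctioned
list are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed DNS query log; one query per line.
SAMPLE_DNS_LOG = """\
2024-03-04T09:12:01Z 10.1.4.22 files.dropbox.com
2024-03-04T09:12:03Z 10.1.4.22 www.dropbox.com
2024-03-04T09:14:40Z 10.1.4.23 dl.dropboxusercontent.com
2024-03-04T09:15:12Z 10.1.7.9 files.dropbox.com
2024-03-04T09:20:55Z 10.1.4.30 trello.com
2024-03-04T09:21:02Z 10.1.4.31 api.trello.com
2024-03-04T09:22:18Z 10.1.9.14 wetransfer.com
2024-03-04T09:25:00Z 10.1.4.22 acme-corp.slack.com
2024-03-04T09:25:07Z 10.1.4.30 acme-corp.slack.com
2024-03-04T09:26:33Z 10.1.4.23 outlook.office.com
2024-03-04T09:26:34Z 10.1.4.23 acmecorp.sharepoint.com
2024-03-04T09:30:00Z 10.1.4.40 intranet.corp.example
malformed line that should be skipped
"""

# Assumed catalogue: registrable domain -> SaaS product. A real deployment
# would maintain this list (or buy one) and keep it current.
SAAS_CATALOG = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "wetransfer.com": "WeTransfer",
    "notion.so": "Notion",
    "office.com": "Microsoft 365",
    "sharepoint.com": "Microsoft 365",
}

# Assumed list of applications IT already knows about (shadow IT, not rogue IT).
SANCTIONED = {"Microsoft 365", "Slack"}

# timestamp, IPv4 client, queried name (optionally with a trailing root dot)
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)\.?$")


def classify_host(qname):
    """Return the SaaS product a queried name belongs to, or None.

    Matches the exact domain or any subdomain of it, so 'notdropbox.com'
    does not match 'dropbox.com'.
    """
    qname = qname.lower().rstrip(".")
    for domain, app in SAAS_CATALOG.items():
        if qname == domain or qname.endswith("." + domain):
            return app
    return None


def discover(log_text):
    """Aggregate queries per SaaS app: distinct client hosts, query count, sanctioned flag."""
    seen = defaultdict(lambda: {"hosts": set(), "queries": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _ts, client, qname = m.groups()
        app = classify_host(qname)
        if app is None:
            continue
        seen[app]["hosts"].add(client)
        seen[app]["queries"] += 1
    return {app: {**v, "sanctioned": app in SANCTIONED} for app, v in seen.items()}


def unsanctioned_report(log_text, min_hosts=2):
    """(app, distinct_hosts, queries) for unsanctioned apps used from >= min_hosts clients,
    most widely adopted first."""
    found = discover(log_text)
    rows = [(app, len(v["hosts"]), v["queries"]) for app, v in found.items()
            if not v["sanctioned"] and len(v["hosts"]) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for app, hosts, queries in unsanctioned_report(SAMPLE_DNS_LOG):
        print(f"{app}: {hosts} hosts, {queries} queries, not on the sanctioned list")
```

On the constructed log this surfaces Dropbox (three clients) and Trello (two) while staying quiet about the lone WeTransfer user and about Slack and Microsoft 365, which IT already knows about. Lowering `min_hosts` to 1 turns the report into an inventory rather than an alert list, which is the more useful mode for the "find out what they are doing" conversations the article recommends.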

Source: BairesDev
