Grounded in the Cloud

Shadow IT—the good, the bad, and the ugly. How to deal with it?


The debate over shadow IT is like a three-man standoff in a spaghetti Western. On one side you have the business leaders and developers, who view external cloud resources as a quick and inexpensive way to get a project up and running. On the other you have IT, who feels it’s losing control when the business turns to external service providers. And in the middle you have the CIO, who faces pressure to meet the needs of the business, but who also has to weigh the risks involved with using an external service provider.


As I wrote in my previous post on the changing role of the CIO, if IT’s not aligned with the business, then you leave the business no choice but to seek an external service provider. But going outside is not always a bad thing. If employees put non-mission-critical applications or non-sensitive data on those external resources, then it may be fine to use an external service provider.


But if employees put customer data on an external service provider such as Amazon without thinking through their business unit’s compliance or security needs and IT doesn't know what they are doing, then that’s bad, because they’re not examining whether the external service provider is protecting all of their business interests.



Partner with the business leaders


As a CIO, how should you deal with shadow IT? My advice is, don’t prohibit it in a draconian way. The best way to deal with shadow IT is to shine a light on it.


To shine a light on shadow IT, the CIO has to have a conversation with the CFO and business leaders, along the lines of: “I know you’ve been wanting us to leverage technology services, especially cloud services, to deliver more business agility and speed innovation. We’re on our way, but we’re not quite there yet. I know short term you need more IT resources to develop new products faster or run a marketing campaign, and I know you’ve been looking at external service providers. I would like to work with you to help evaluate these external service providers so we don’t put our business at risk.”


As part of this conversation, the CIO and the business need to consider these issues:


  • Timeliness: If the marketing department wants to seize an opportunity and run a time-sensitive promotion, they’ll need resources for customer facing websites, content management, and maybe pushing the promotion to a mobile app. If IT can’t provide resources for them, then they’ll lose revenue.
  • Security: When you’re using someone else’s servers, storage, or network, you always have to weigh the potential risk of a breach. On almost a daily basis the headlines report the theft from the public cloud of credit card information, intellectual property, and personal data.
  • Compliance: How do you make sure that the external service provider is taking all the necessary measures to protect your data and your applications? Are they able to meet all the regulatory requirements specific to an industry such as finance, healthcare, or the public sector? And if they can’t meet the requirements today, will they ever be able to?
  • Management: How are you going to manage the services that you need? If the cloud service or infrastructure is down, who do you call? Do you have visibility into what the cause is and how to fix the problem? Unlike with internal IT, you don’t have visibility or control over your service provider.
  • Finance: Without going through central procurement and internal IT, how do you make sure there’s no cost overrun? How can you be sure the budget is being managed? Who determines whether you’re buying resources at the right cost level?
  • Viability: Is your external service provider going to be in business in five years? Consider the case of Nirvanix, a cloud storage provider that went belly-up in September 2013. Customers were given two weeks to move their data. Nirvanix is not the norm, but the point is whenever you have to rely on someone else, you’re taking a risk.
  • Technology lock-in: Most of the cloud service providers suffer from what I call the “Hotel California” problem: You can check in anytime, but can you check out? If you’re not happy with your service provider for whatever reasons—it’s raising its fees, or it’s not innovating fast enough, or you’re displeased with its service—how easily can you take out your data and applications and move them elsewhere? Do you need to rewrite your application? This can create problems with migration and change management.


Become a hybrid service provider


Business leaders aren’t going to be technical experts on how to evaluate external service providers. The CIO can say, “Let me help you make the right choice, because if we get breached or we’re not compliant as a business, then it’s not good for any of us.”


Enterprise IT is evolving into a mix of internal and external resources, with the CIO as a hybrid service provider. If an external service provider is less expensive and can provide the same quality of service and meet the requirements your business needs, why would you want to build it yourself?


It’s okay to think about using a third-party service provider, as long as you examine them based on a well-defined set of evaluation criteria that is important to your business. To learn more about how to work with a trusted partner, please visit
