Shadow IT is the monster that just keeps growing. Since I talked about it here 18 months ago, the problem of Shadow IT has only gotten bigger. If you run an IT team, you might want to sit down before reading these Shadow IT statistics. They'll make your heart beat a little bit faster — and possibly consider a career change.
Thanks to the proliferation of software-as-as-service (SaaS) and cloud-based products, even these larger numbers may be underestimates, since much IT-related spending doesn’t even go through official IT groups anymore. ServerCentral has even projected that within the next 10 years, 90 percent of IT spending will take place outside of the IT organization.
According to industry analyst firm Gartner, by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources. Why is Shadow IT such an easy mark? The answer stems from their implementation outside the IT realm.
“IT organizations have guidelines to how new software is introduced to the environment. There is a process in place where proper testing is done in a sand boxed environment before it is introduced into production,” wrote Christopher Frank in Forbes. “When we bypass these procedures, we risk potential threats and attacks to the environment, increasing the potential for data loss and compromise.”
Per a recent Logicalis CIO survey, 90 percent of CIOs worldwide are bypassed by line-of-business in IT purchasing decisions sometimes and 31 percent are bypassed routinely. Not only does this result in the security problems described above, but it also means that skilled IT resources cannot influence what happens to Shadow IT data. Non IT pros aren’t schooled in software standardization and integration practices, nor do they understand and can communicate to their constituents best practices for introducing new applications.
And, contrary to popular belief, malicious cyber-attacks aren’t the biggest threat. Logicalis found that while only seven percent of lost organizational data is actively hacked, 81 percent of is stolen or even inadvertently disclosed.
According to the Cisco blog, based on Cisco Cloud Consumption engagements, large enterprises on average use over 1,200 cloud services – and over 98 percent of them are Shadow IT. Many of these organizations don’t have a cloud governance office, nor have they implemented the data security tools to identify high-risk cloud-service vendors or cloud anomalies, or trace cloud-service implementations to specific teams.
You’d be hard-pressed to find an organization that says it's completely unaffected by Shadow IT, and most CIOs will acknowledge that at least a few Shadow IT applications are operating outside the realm of IT oversight. But…it’s only a small problem. Nothing to worry too much about, right?
Not exactly. The reality, said Cisco’s Shadow IT report, is that CIOs underestimate that number by a factor of 15 to 22. Cisco’s survey found that, on average, CIOs estimated that they had 51 cloud services running in their organization. The actual number was 730! Even in highly regulated industries such as healthcare and financial services, Cisco found between 17 and 20 times more cloud applications running than the IT department estimated.
Getting real is the first step. Shadow IT exists because IT simply does not have the capacity to serve every business requirement. Period.
“To eliminate the problem of Shadow IT, we need to start with what causes it to occur in the first place. Simply put, it comes down to enterprise IT not serving business needs well enough. Typically, the IT group is too slow or not responsive for the appetite of business users, too costly and doesn’t align well with the business needs. So, the business users build their own functionalities and capabilities through shadow IT purchases,” wrote Peter Bendor-Samuel in a recent piece on CIO.com. “If you’re a CIO who wants to address the problem of Shadow IT — and be more relevant to the business — you must recognize that your IT group needs to perform better than Shadow IT.”
Of course, most IT departments don't have the resources to hire an army of expensive developers, so the goal should be to partner and collaborate before line-of-business managers go too far down the path of using unsanctioned technologies.
IT and business leaders must work together to create standardized processes and procedures to harness the power of their line-of-business workforce, or the creation of new business applications for consumption by others using development and run-time environments sanctioned by corporate IT. As we’ve talked about here before, this is most effective if IT leaders set the stage, offering guardrails for scope and access, as well as governance, implementation guidelines, and best practices. Application development outside of IT doesn’t eliminate the need for IT; it elevates it to a more strategic level.
If this sounds stressful, don’t worry. No-code and low-code development platforms are built for exactly this type of collaboration, and thanks to them, Shadow IT can now operate securely and at scale. Forrester estimates the market for these platforms will grow from $3.8 billion in 2017 to $21.2 billion in 2022.
No-code platforms in particular are a powerful weapon in the war against Shadow IT. Using these platforms, anyone capable of building a spreadsheet can also build and maintain a business application that includes workflows, reporting, notifications, and just about anything else a hand-coded app could deliver. IT can still define the appropriate data policies and user access, but offloads much or all of the actual development to the business. Platforms like Quick Base offer enterprise security and reliability to ensure that IT can do its job and regain some control over Shadow IT.
In short, no-code platforms offer the ability to move at the speed of business, without losing oversight and control as with Shadow IT. The business gets the solutions they want. IT gets the peace of mind it needs.
Want to learn more about how well-governed low-code platforms enable organizations to leverage line-of-business professionals while maintaining quality and security? We hope you will watch our webinar featuring John Rymer from Forrester Research. As a vice president and principal analyst and the author of Forrester’s report “The Forrester New Wave™: Low-Code Platforms For Business Developers, Q4 2017,” Rymer discusses the fast-growing low-code development market and how IT leaders are using business developers to power digital transformation and refocus resources on the projects that matter.