Christian Verstraete asks:

Should we make business users aware of the potential security and compliance issues related with “shadow-IT” and if yes, how?

CIO Questions by Christian Verstraete, HP Blogger, Mon, 09/24/2012 - 19:37




If the CIO or his/her staff see a potential IT security risk, regardless of the source or location, they have, in my opinion, an obligation to bring it to the attention of the appropriate people along with a solution for dealing with the risk. If the CIO is a corporate officer they have an even stronger obligation, possibly a legal one, to do so.

The second point to remember is that in the event of an IT security breach, regardless of the circumstances, IT in general and the CIO in particular are likely to be called upon to deal with it and quite likely held responsible for its occurrence. It may not be fair but this is usually the case.

As to how this should be communicated, the CIO should discuss the finding with the most senior executive responsible for the area housing the shadow IT function. Diplomacy is critical here. Everything must be approached objectively and with the best interest of the overall organization, its reputation and its customers in mind. No drama. Just facts, stated clearly and without blame, along with a clear description of the risk and the recommended solution. If the risk is severe and the business unit executive unresponsive, then the CIO has an obligation to have a discussion with the next level or the CEO.




We have periodically been doing awareness training, e-learning, and internal communication on potential security issues along with compliance and governance initiatives. With governance and control of IT, we have eliminated most of the so-called "Shadow IT" which used to exist. All system and business development, maintenance, and operations were consolidated.

Current issues are how to manage public cloud services and SOA-related services in which the business is interested, and which require internal connections and interfaces to existing systems and master data. This complex area of requirements has not yet surfaced, though we have to consider the possibilities. This may be or become so-called external "Shadow IT" in the future, if we do not carefully consider the use of these services.




Yes I definitely believe the business users should be aware of the security and compliance issues related with “shadow-IT.”

Let's look at some figures predicted by Gartner: about 35% of enterprises have extra (Shadow) IT spending beyond their original budget. They subscribe to the services they need, while others use existing cloud-based tools and platforms to develop their own applications. Both of them simply bypass the IT department in an enterprise.

The reality is that over the past decades, employees have always been "bypassing" IT by using "shadow-IT", i.e., building and using applications in an enterprise without any (IT) approval. At present, the applications are not developed by the IT department. It's done in different departments by different teams and requires different timeframes.

IT is not only focusing on the ownership and control of certain services and applications, but also on the data that is used by the applications. I believe only the CIOs and enterprises who are aligned with the changes in this transformation will be the winners.

Heather Campbell 14 Points | Thu, 10/11/2012 - 03:43

It's a loser's game, unfortunately. Two pre-conditions need to exist to eliminate shadow IT: 1) support and enforcement at the executive level, and 2) an IT function that delivers. Get these in line and you can eliminate shadow IT. If not, people are motivated to succeed in whatever way they can.

John Dodge 1535 Points | Mon, 10/15/2012 - 13:40

What you are saying is give end users what they want or else they will revert to Shadow IT. That's the challenge for IT. End users have the leverage and are in revolt. But IT can't view Shadow IT as an insurgency that should be suppressed even if such measures enjoy the support of the C suite. That's anti-agile, anti-transformation, IMO. IT somehow has to craft a policy that safeguards data assets, but gives end users enough of what they want. Education about the dangers of Shadow IT is part of this.

Then again, I can't help think of what blogger Jamal Khawaja said about a company he worked for: "BYOD=yerfired."

Pearl Zhu 90 Points | Thu, 10/04/2012 - 15:57

Especially in the age of cloud, BYOD, and social, business departments bypass IT to purchase SaaS-based solutions, ignorant of potential security and GRC issues, and some big shadow IT may directly bring risks to cross-functional discipline. First, CIOs may need to do their best to prevent it, via communicating with business executives to gain their support and educating the business about potential risks, before shadow IT causes more serious problems. Second, IT should proactively work with the business on vendor selection or service requirements, with speed; most of the time, when the business shops on its own, they may think IT is too slow to respond. Lastly, if "shadow" is already part of reality, then IT needs to brighten them up and manage them more smoothly. Shadow IT is also a good reminder for IT to speed up and work more closely with the business to deliver tailored solutions. Prevention, Prescription and Participation are key. Thanks.

Tom Henderson 4 Points | Tue, 10/02/2012 - 18:24

It's my belief that you can accommodate most of BYOD if you embrace data protection management and mobile device management software. All devices need control, and there are too many good DPM and MDM apps out there to be in denial.

First you have to eat the dogfood of actual policies and education about the policies, and executive and HR buy-in of IT use policies. Without that, just go home and collect unemployment.

John Dodge 1535 Points | Wed, 10/03/2012 - 14:09

Ahh...the usual blunt (and insightful) Mr. Henderson! Great to see you up here, Tom. Just remember, there's a time limit on unemployment. BTW, is this a not so subtle Windows 8 recommendation?

Martin Davis 131 Points | Wed, 09/26/2012 - 18:47

Unfortunately most IT professionals immediately think Shadow IT = Bad. In my recent article part of the discussion relates to this very issue and I conclude that: 

"CIOs must accept that IT cannot control everything and need to embrace the Consumerisation of IT given the massive benefits it can provide. They must find a way to help the organisation whilst still preventing it from doing something stupid." 

It is far more than making the users aware, IT have been trying to do that for years, it is more about putting in place frameworks or ways for the business to help themselves without causing issues or risks.

John Dodge 1535 Points | Thu, 09/27/2012 - 13:08

With the rise of BYOD and CoIT, perhaps more resources and muscle should be put behind that education and awareness effort in a non-arbitrary way. End users have to buy in that a rational BYOD is in their interest, too.

John Dodge 1535 Points | Wed, 09/26/2012 - 12:39

I really like the way this question is framed because it implies that BYOD, Shadow IT or whatever you want to call it is everyone's opportunity - and problem. Education will smooth the way toward a coherent policy and manageable execution of BYOD, BYO Cloud etc. It can't be done with IT acting like the enforcer like in the old days (last year-:). It's all about educating users how Shadow IT can harm the enterprise if security aspects are not factored into every BYO implementation.

Cameron Chehreh 21 Points | Tue, 09/25/2012 - 18:25

Interesting question…

I would also offer that the other question to ask is "why is shadow IT appearing in the enterprise in the first place?" We have all seen shadow IT appear for a myriad of reasons, ranging from responsiveness to the business and agility to deliver new solutions to a lack of skills to support the rapid advancement of technology.

My perspective and short answer would be yes, we should make the business users aware. When looking at the risks of shadow IT, my perspective is oriented more from a risk management perspective. There are always consistent issues to contend with when delivering IT services to traditional businesses, mostly centered on delivery but also including compliance and auditability.

When shadow IT emerges, the controls necessary to preserve and protect the business from a regulatory and compliance posture diminish, and the larger the organization, the greater the dilution of these controls.

Bilateral collaboration between business and technical leadership and regular training sessions help alleviate these issues and begin to address the "how" part of the question but, as in all business, it is about the people. Fostering that awareness starts with a solid relationship across the business and technology stakeholders, with the inter-personal relationships as the baseline conduit for communication.