If the CIO or his/her staff see a potential IT security risk, regardless of the source or location, they have, in my opinion, an obligation to bring it to the attention of the appropriate people along with a solution for dealing with the risk. If the CIO is a corporate officer they have an even stronger obligation, possibly a legal one, to do so.
The second point to remember is that in the event of an IT security breach, regardless of the circumstances, IT in general and the CIO in particular are likely to be called upon to deal with it and quite likely to be held responsible for its occurrence. It may not be fair, but this is usually the case.
As to how this should be communicated, the CIO should discuss the finding with the most senior executive responsible for the area housing the shadow IT function. Diplomacy is critical here. Everything must be approached objectively and with the best interest of the overall organization, its reputation and its customers in mind. No drama. Just facts, stated clearly and without blame along with a clear description of the risk and the recommended solution. If the risk is severe and the business unit executive unresponsive, then the CIO has an obligation to have a discussion with the next level or the CEO.
We have periodically been doing awareness training, internally and via e-learning, on potential security issues, along with compliance and governance initiatives. With governance and control of IT, we have eliminated most of the so-called “Shadow IT” that used to exist. All system and business development, maintenance, and operations were consolidated.
Current issues are how to manage public cloud services and SOA-related services in which the business is interested, and which require internal connections and interfaces to existing systems and master data. Requirements in this complex area have not surfaced yet, though we have to consider the possibilities. This may be, or become, the so-called external “Shadow IT” of the future if we do not carefully consider the use of such services.
Yes I definitely believe the business users should be aware of the security and compliance issues related with “shadow-IT.”
Let’s look at some figures predicted by Gartner: about 35% of enterprises have extra (shadow) IT spending beyond their original budget. Some subscribe to the services they need, while others use existing cloud-based tools and platforms to develop their own applications. Both of them simply bypass the IT department in the enterprise.
The reality is that over the past decades, employees have always been “bypassing” IT by using “shadow IT”, i.e. building and using applications in an enterprise without any (IT) approval. At present, the applications are not developed by the IT department. They are built in different departments by different teams, with different timeframes.
IT is focusing not only on the ownership and control of certain services and applications, but also on the data used by those applications. I believe only the CIOs and enterprises who are aligned with the changes in this transformation will be the winners.