Like most IT leaders, CIO Bryce Austin has contended with shadow IT for years.
But today, instead of tracking down hidden servers to find rogue technology, Austin focuses mainly on cloud inventory management.
"Cloud makes it easier to bypass IT for larger functions," said Austin, CIO at consulting firm Digineer.
Individual workers and business groups alike can power up a new application easily and quickly without IT ever knowing, he said. Tech vendors increasingly go straight to business unit leaders with their sales pitches, raising the likelihood of someone deploying cloud apps without IT's blessing.
The business's easy access to cloud apps and vendors might seem to make the IT function obsolete. But Austin and others said the lack of cloud inventory management makes the CIO role more critical in many ways, because CIOs and their staff must now find and inventory such cloud apps to determine whether and when they make sense for the organization. Indeed, the situation further shifts how CIOs do their job and even how they should think about rogue IT.
"Shadow IT never went away and it's not a negative. It just is. It's the way we do and will work," said Chris Curran, a PwC principal and chief technologist for the U.S. firm's advisory practice. "People who need information and tools should be able to get them whenever they need them. But the issue is doing it in the context of the information, security, privacy and integration protection that's needed."
Data security, pricing jeopardized by rogue cloud apps
Organizations of all kinds are encountering workers using cloud apps without IT's knowledge. The usage stems from both individual workers seeking out cloud apps to help them perform a particular task, as well as entire departments lighting up enterprise apps in the cloud, said Forrester Research analyst Lauren Nelson. It's easy to do in both cases and often creates efficiencies in business processes for the workers and departments involved.
Unfortunately, many CIOs are left out of the loop, and as a result, they quickly lose track of what apps are performing which functions, Nelson said. "You think you've identified what's being used, but then you find there are people using apps that didn't go through your process."
Nelson said she worked with one company that, after finding 600 user accounts for cloud apps, went into firefighting mode, eliminating high-risk items where there were security concerns, only to find at the end of that process that the updated cloud inventory was out of date again.
So, why even attempt cloud inventory management?
Data flowing through rogue cloud apps -- or actually any unsanctioned app, cloud or on premises -- increases risks around security and regulatory requirements, Nelson and others said. In fact, a 2014 study from cloud security company Netskope estimated that the use of cloud services by the business increases the likelihood of a data breach threefold.
Additionally, with data flowing through rogue cloud apps, experts said a company could lose the so-called single version of truth for its data, a key component of corporate analytics programs and decision making.
Then there are cost factors. An organization with multiple independent accounts for the same cloud service or cloud app is hardly going to get the best rate. It may also be paying for duplicate and redundant services.
CIOs recognize these potential problems, but Nelson said most still struggle to address the situation.
Emerging best practices for cloud inventory management
Nelson, Curran and others said there's no one tool -- no silver bullet -- that a CIO can deploy to track and inventory all the cloud applications that are being engaged by employees and departments.
"What's more typical, you see people collecting and building spreadsheets and doing analysis on their own," Curran said.
There are, however, emerging best practices for how to track and inventory what's happening in the cloud.
Nelson said implementing a cloud inventory management strategy should start with the CIO and IT staff recognizing that what's happening isn't necessarily a bad thing. "These are innovative employees who are trying to find tools that bring value and differentiation," she said. "So, [CIOs] want to provide guardrails without stomping it out."
Armed with that mentality, CIOs should implement or, if already in place, better employ tools (i.e., network traffic analyzers and cloud management tools) to scan traffic to see where data is going and whether it's going to cloud services, Nelson said.
Then CIOs should ask employees to let them know if they're using cloud apps, she and others said. After that, CIOs should get in front of the situation, so workers seeking apps can approach IT for advice or, perhaps, select from a list of vendors and products already approved by IT.
Scott Youngs, the CIO at Key Information Systems, an IT services provider, acknowledged the challenge in tracking and keeping an up-to-date inventory.
"If they're going outside, there's no way for me to know that they've done that unless I go ask them," he said, adding that even monitoring tools won't catch every cloud app "unless I know every cloud IP address."
He added: "You can't stop it. The best thing you can do is have relationships with the lines of business."
Addressing rogue cloud apps at line-manager level
But Youngs said he and other CIOs can't just build relationships with other executives if they want to track what's going on.
"I have to go further down than I used to; it's first-line managers, too. You create those relationships so people will come to you," he said. "The role of the CIO has changed. People used to come to you and you were the king of the hill. You'd dole out whatever resources you felt were necessary and it was very much the lines of business come to the mountain. Now it's very much the other way around. Now you're the sales guy, the marketing guy. I have to go out to every department and ask, 'Do you have what you need?' because people want to move as fast as they can, and you cannot be the bottleneck."
Curran agreed: "It's about advising and guiding and integrating and less about controlling. The role changes from control to integration and visibility."
In fact, Curran recommended abandoning the idea of getting and working from a full written cloud inventory anyway; he said trying to collect this with the idea of finding someone skirting the system "creates a contentious environment."
Instead, he said the best approach is to build relationships, "to communicate what you're trying to do, why you're doing it and what's the benefit for the organization."
Austin, the Digineer CIO, said he learned that lesson.
He said it was only when his sales department sought his help integrating a cloud-based analytics app with back-end systems that he learned the department had gotten the app. Sure, the department had good reason for getting the app, he said, but he noted that IT could have helped with the procurement process to ensure the selected application was the best value for the company in all regards.
But Austin takes the blame for sales going around IT. "I hadn't developed a strong enough relationship with the head of sales that he thought to come to IT for the best decision," he said.
Stemming the need for shadow cloud
Now, Austin said he tries to track rogue cloud apps in several ways. He said he works with the accounts payable people to know what tech vendors are getting corporate checks, and he works with his IT staff to monitor traffic moving between corporate computers and websites via the internal network. He said he also gets suspicious if his IT team sees a significant drop-off in activity on longstanding corporate applications.
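As an added illustration (not part of the original article, and not a tool used by any of the CIOs quoted), the Python below merges two of the signals Austin describes, web-proxy traffic and accounts-payable vendor payments, into one inventory of cloud services and queues the unsanctioned ones for review. The CSV layouts, hostnames, departments, amounts and the sanctioned list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; hostnames, departments and amounts are illustrative.
SANCTIONED = {"crm.example.com", "mail.example.com"}
PROXY_LOG = """user,dept,host,bytes_out
alice,sales,crm.example.com,12000
bob,sales,analytics.example.net,880000
carol,sales,analytics.example.net,450000
dave,hr,files.example.org,3000000
"""
AP_PAYMENTS = """vendor_domain,dept,monthly_usd
analytics.example.net,sales,1200
surveys.example.org,marketing,300
"""

def build_inventory(proxy_csv, payments_csv, sanctioned):
    """Merge traffic and payment evidence into one record per cloud service."""
    inv = defaultdict(lambda: {"users": set(), "depts": set(), "bytes_out": 0,
                               "monthly_usd": 0, "evidence": set()})
    for row in csv.DictReader(io.StringIO(proxy_csv)):
        rec = inv[row["host"].lower()]
        rec["users"].add(row["user"])
        rec["depts"].add(row["dept"])
        rec["bytes_out"] += int(row["bytes_out"])
        rec["evidence"].add("traffic")
    for row in csv.DictReader(io.StringIO(payments_csv)):
        rec = inv[row["vendor_domain"].lower()]
        rec["depts"].add(row["dept"])
        rec["monthly_usd"] += int(row["monthly_usd"])
        rec["evidence"].add("payments")
    for host, rec in inv.items():
        rec["sanctioned"] = host in sanctioned
    return dict(inv)

def review_queue(inv):
    """Unsanctioned services, largest outbound data volume first."""
    rogue = [(h, r) for h, r in inv.items() if not r["sanctioned"]]
    return sorted(rogue, key=lambda hr: hr[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    inventory = build_inventory(PROXY_LOG, AP_PAYMENTS, SANCTIONED)
    for host, rec in review_queue(inventory):
        print(host, sorted(rec["depts"]), rec["bytes_out"],
              rec["monthly_usd"], sorted(rec["evidence"]))
```

A service whose only evidence is a payment, with no matching traffic, is the case Youngs describes: usage that network monitoring alone never saw.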
More importantly, Austin said he's working to stem the need for rogue cloud apps. He's giving workers and department leaders more options so they know they can come to his IT department first for what they need.
"The best way to make sure it doesn't happen is to offer better products and services from my own organization than the things that the people in my company are seeking out in the cloud," he said.
CIOs will see a real ROI on taking these approaches. Beyond being able to track and get that sought-after cloud inventory, CIOs will be able to better ensure data security and better control costs.
Moreover, CIOs will be able to keep themselves relevant and critical for corporate success.
"Right now, there is more and more pressure to differentiate your customer service, and if central IT can't give [employees] the tools they need at the time they need them, the business will get it themselves. So, IT has to learn to do things differently or they'll be in charge of only back-end systems and not the innovative systems," Nelson said.