As the cloud carnival slowly makes its way through town, organizations (fortunately) are becoming increasingly aware of many of the pitfalls associated with the adoption of nontrivial, enterprise cloud-computing solutions. Oft-cited risks include data privacy, uptime reliability, security, total cost of ownership, vendor lock-in, and jurisdictional jeopardy (the potential violation of rules and regulations that apply when your data, especially customer data, crosses borders).
Well, there’s another risk.
Under cover of darkness, and most likely already thriving in your organization, are Shadow IT departments. These arise when users and department heads go it alone, provisioning and deploying IT systems (most often cloud services) that are sourced externally and funded from local discretionary budgets without the involvement of the IT department or even the knowledge of the CFO.
It doesn’t take much for Shadow IT departments to sprout up in the typical commercial organization. The pressure to do things faster, cheaper, and more easily makes it almost inevitable. Conditions are ripe for the growth of Shadow IT when a combination of factors exist, the most obvious a poorly managed IT function in an organization with ineffective or inconsistent enterprise governance. Other factors include bad IT-business communication and user frustration with being stuck waiting in the queue for corporate IT services. The role vendors play, circumventing IT and finance to pitch directly to line-of-business leaders, should not be understated. Vendor offers can be very compelling to someone with a number to meet and an IT department that’s not helping him or her to meet it.
So what’s so bad about Shadow IT? If it can help the business get its work done, what’s the harm?
Well, in its 2012 CIO New Year’s Resolutions, Gartner states: “Shadow IT can create risks of data loss, corruption or misuse, and risks of inefficient and disconnected processes and information”: a warning that should set off alarm bells in the boardroom. What Gartner is talking about is not just an IT problem but an organizationwide, systemic problem that requires an organizational response.
Typically, the CIO and CFO are both accountable for enterprise risk, but from different perspectives. CIOs are acutely aware of Shadow IT. Are CFOs?
If your organization’s brand is important to you, if the reliability of your business processes matters, the Shadow IT phenomenon needs active exposure and management. Not blocking (that’s futile), but active management.
Hybrid Cloud Is the New Norm
Organizations that have successfully implemented stand-alone cloud systems feel that they may have won the Shadow IT war. That feeling won’t last too long once those systems need to be integrated with other systems, cloud or otherwise. The minute you start integrating your cloud with these other systems, you have a hybrid cloud and you’re going to need to manage your IT ecosystem, not just the individual systems and services.
The U.S. Commerce Dept.’s National Institute of Standards and Technology defines hybrid cloud as “a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.” Gartner believes this model will be dominant within five years. My view is that it will take a lot less time than that.
This means that right now CFOs need to begin viewing their organizations’ IT environment as a mix. Managing this mix — of technologies, platforms, and solutions — becomes harder, not easier, in a cloud environment because IT risks, once isolated within discrete machines and systems, become systemic risks in the cloud with its virtual machines and dynamic workflows.
Systemic Risk Is the Real Threat
Those users and line-of-business managers signing on to cloud services on their own hook are not always sensitive to the challenges faced by IT governance and security professionals in their efforts to keep the increasingly complex and volatile cloud ecosystem free from threats at every level. Pretty quickly, this hybrid cloud ecosystem becomes a complex array of moving parts that require meticulous design, implementation, and operation. This is made much more difficult by the fact that in the cloud, these functions are abstracted away from the users as organizations rely on external parties over which CFOs and CIOs have little control.
In addition, in this environment traditional IT security models are not always up to the task. For example, the focus on perimeter security that may have been appropriate for conventional on-premise IT systems is inadequate (and pretty much beside the point) in the hybrid cloud paradigm.
Don’t Gloss Over Complexity
Senior managers with functional responsibility over specific vertical silos of the organization may underestimate the overall complexity of their own business. Don’t imagine that simple cloud solutions can paper over the underlying business complexity. If your IT systems are critical to your business, test all your assumptions. And while individual cloud instances may be built on a scalable, robust, and resilient security model, the reality is that security is systemwide when it comes to enterprisewide hybrid cloud instances. Essentially, this means that taking a systemic risk perspective is key to the minimization of threats.
The question CFOs have to ask themselves is, Does everyone share the same systemic view of risk? If not, then maybe it’s time for you to start ringing that alarm bell.
Rob Livingstone, a former CIO, is the author of the book Navigating Through the Cloud. He runs an IT advisory practice and is also a Fellow at the University of Technology Sydney (UTS), Australia, where he teaches in the areas of strategy and innovation in UTS’s flagship MBITM program. Visit Rob at www.rob-livingstone.com or e-mail him at email@example.com.