Is shadow IT emerging from the gloom?

Are CIOs and rogue apps starting to co-exist in peace?

There was a time when shadow IT was a fairly simple concept: if it's not on the list, don't use it. If you do use it, you've broken a rule.

This was certainly the view expressed by a top UK CIO, who was speaking under Chatham House rules at a Computing gathering recently.

"I'm not saying they don't try... but I stop them," said the CIO.

Another IT boss suggested that something as innocent as people attempting to "drive business decisions" on Excel spreadsheets could be calamitous if such a shadow IT process was later shut down by IT security.

"I'm sure there's stuff they do that I don't know, but if I put in a system that would disable the software I didn't know about, it would be tough luck," insisted the first commenter.

"If I break an Excel spreadsheet, I don't give a damn - they have to be brave enough to come and see me and tell me about it."

"But if a business process stopped like that, because of the change you've made, that could be detrimental," replied the second speaker.

"If the business process stopped just due to a spreadsheet, that would be ridiculous," the first CIO shot back.

"If someone breaks the rules, I write to somebody and there are consequences. If people go out and buy Salesforce.com occasionally, they leave the business.

"It's that simple. That is not their job - it's mine," said the CIO.

It was a playful and outspoken exchange, for sure, but it underscored some important points about the dilemma IT leaders face when it comes to shadow IT.

So should IT chiefs accept that shadow IT is a fact of life and find a way to tolerate it, or is an all-out ban the better approach?

Clive Longbottom, founder of analyst firm Quocirca, says the first approach is more realistic.

"There's no use sticking your head in the sand like that - that person needs to get themselves a good sniffing tool and just check where all their data is going, and that's when you find out that things like Dropbox, Box and even Microsoft OneDrive, are being used massively," argues Longbottom.

"They're becoming new data stores which IT is unaware of, so they can't be reported against properly, so decisions are being made against a portion of the information rather than against all of it - it's horrible for the business, but you can't take the other militant view of it and say ‘Right well we'll stop it,' because people say ‘No, we're using it because it helps me as an individual or us as a group do what we need to do'.

"You can explain till you're blue in the face that it's not good for the business, and it's the business which is paying your [employee's] salary, but it's still a case of ‘Yeah, fine, I understand all that, but this is the best way to get my job done'," Longbottom says.

But can the extent of the 'shadow' in shadow IT be quantified? As vendors have come out with quick, easy solutions (again, such as Dropbox) that can be easily downloaded and used with no fuss, others - often with more enterprise-focused goals - have moved to join them in order to retain, or even newly acquire, a share of the market. It can be argued that, in many cases, there is now a non-shadow solution to most of the popular tools commonly used under the radar.

"If you look at where Box have gone, they've got General Electric as an over 100,000 seat customer now, so they took something which started off in the same light as Dropbox, but now you can say, ‘Well, if you're going to use such a system, let's take one where the business has control, and all the data is in one place where it can be pulled back, as well as integrating with the business'," observes Longbottom.

Dropbox has had to respond, and now offers an enterprise version of its service, even announcing integration with other vendor products in exactly the way Box made its mark.

It's still not enough for Longbottom, however.

"We've spoken to Dropbox and said what they need are tools that can trawl through their whole estate and be able to identify, at a reasonably good level, phenomena such as two email addresses belonging to the same person - a company one and perhaps a personal Gmail account, for example, so when a company [wants to investigate an employee's activity], they can provide a report through to the individuals involved, and suggest whether these people are in fact part of the same estate."

It's controversial, of course, raising questions around information privileges and security policy, and even security laws. But Longbottom believes such reach for a product is one possible way to get CIOs like our staunch shadow-hater to begin to look more deeply at the issue.

"These vendors have created a rod for their own back, and now they need to create tools to stop ruining company security policies," suggests Longbottom.

As we've seen with both Dropbox and Box, the companies traditionally associated with shadow IT have no choice but to adapt to survive.

When Dropbox first launched, security was hardly at the forefront of its mind. But as it developed and grew, and started charging premiums for ‘extras' like higher volumes of storage space, centralised storage options and social elements, improved security became an option too.

And as security becomes an increasingly important 'basic hygiene' function in any software, many classically 'shadow' products have stopped charging for that security function, and now offer it for free.

"There is certainly maturity coming in from the vendors, and departments are maturing too by moving away from ‘Thou shalt not' and making what was shadow business-focused, after conversations with customers," agrees Longbottom.

So while shadow IT is still a real problem that very much exists, evolving philosophies in companies regarding policy are slowly moving hand-in-hand with shifting - if begrudging - responsibilities in vendors.

Perhaps soon there'll be a workable, popular alternative for every shadow concept, as Huddles replace Dropboxes and CIOs stop offering their way or the highway.

"It's definitely [nowadays] better than a CIO asking ‘We've had SharePoint for the past 25 years - why don't you just use that?'" concludes Longbottom.