Do You Know the Way to Ballylickey? Shadow IT and the CIO Dilemma
I was once on a driving holiday in southern Ireland. As anybody who has been to that beautiful part of the world will know, the scenery is magnificent, but the road signs can be very confusing. Totally lost, I pulled over to ask directions to Ballylickey, and a local farmer uttered the immortal phrase: “Well, if I was going there the first thing I would do is not start from here!” Amused by the response and the clarity of his logic, I drove off and tried again at the local pub. But when I think about it, that guy was right – starting off from the right place is hugely important. And when we apply that homespun logic to IT, most CIOs are not starting in the right place when it comes to their cloud strategy.
The reason is rampant Shadow IT—an explosion of cloud service access by employees with no IT involvement. This is nothing new. For years, we’ve known that employees and lines of business (LoB) are bypassing IT departments to get the cloud services they want to get their jobs done. More recently, this acknowledgement of rogue IT has been quickly followed by a conversation around the unintended and potentially dangerous consequences: increased security risks, compliance concerns and hidden costs.
CIOs realize unauthorized cloud services are being used. They realize that with Shadow IT comes siloed information, data compliance issues and missed opportunities for bulk pricing. But how many CIOs really understand the number of cloud services being accessed, the full cost of these services over and above the sticker price their companies are being charged by the public cloud provider, and the risk profile they represent—let alone have a proactive strategy for addressing these issues?
In an effort to shed light on the pervasiveness of Shadow IT, we examined trend data garnered from Cisco Cloud Consumption Service engagements with large enterprise customers across the United States, Europe, Canada and Australia from January 2013 to July 2015. Derived from actual usage data collected from our customers’ networks representing millions of users, the results are both authentic and alarming.
The Shadow is Getting Bigger
Companies are using up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorized. Specifically, IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow. One year ago the multiple was 7 times; six months ago it was 10 times; today it is 15 times; and, given the exponential growth of cloud, we predict that by the end of this calendar year it will be 20 times, or more than 1,000 external cloud services per company.
Pervasive Across Industries
There is almost no difference in the multiples by industry or by geography. Shadow IT is a challenge that is prevalent across all companies in all industries in all countries.
The Hidden Costs of Shadow IT
One of the key selling points for cloud services is that they are cheap, and the providers are falling over themselves to lower the price almost daily. But our research with customers shows that the true cost of public cloud is 4 to 8 times higher than the cost from the cloud provider. This is because many cloud services are not standalone applications; they need to be integrated into the standard IT operational model and procedures of the corporation. This incurs additional costs to authorize the security issues, including the data encryption and user authentication standards, network integration processes, vendor management issues and activities, and service catalog integration work, to name just a few. Not understanding cloud usage is creating huge, but often invisible, costs for companies.
So what’s the answer?
Public cloud is a reality, but so is private cloud. The answer is not to ban the public component. Employees and LoB have spoken: they want choice and flexibility. Nor is the answer to move 100% to public-only usage. The security and compliance issues are just too important and will get even bigger as the rapid adoption of IoT drives Shadow IT more and more.
The answer is an effective hybrid cloud strategy that embraces the best of both worlds in a way that provides what I call the “three Cs” – Choice, Control and Compliance. Cisco’s Intercloud strategy is designed to do just this across all cloud usage. It effectively gives CIOs the ability to deliver the same security and compliance in the public cloud as they can today in their private cloud. But to do this they first have got to regain control of cloud usage in their company – just because users are choosing Public Cloud does not mean the CEO or the Board will waive the CIO’s responsibility to protect the company’s data and be the guardian of effective IT spend. It is, and always will be, their neck on the block when things go wrong.
Because you can’t control what you can’t see or what you are not involved in accessing, we believe that the first step to doing this is to carry out a Cisco Cloud Assessment analysis. This gives the CIO the data to choose which applications should run in private clouds or in public clouds and shows how to implement a single operational model for a truly secure, compliant hybrid cloud.
After all, how can you get to where you want to go if you don’t know where you are to begin with?