IT Purchasing Processes and the Risks of Shadow IT

This guest blog was contributed by Mahesh Kumar | 2/20/14
Technology procurement processes in most large organizations are, quite simply, dysfunctional. And this fact has serious ramifications for the business. My most recent post here, Procurement Data by the Numbers, talked about problems with the data within technology Purchase Orders. Here, I will discuss the technology purchases that evade the POs altogether – the growing realm of shadow IT.

Shadows are growing in enterprise IT

Shadow IT refers to any technology that’s used in the enterprise but not supported, approved or managed by the IT organization. It’s becoming a bigger concern for companies due to several converging technology trends:

  • Cloud applications make it fast and easy for departments to simply subscribe to the applications they need, without having IT perform due diligence.
  • With cloud infrastructure like Amazon Web Services, groups can spin up infrastructure for their applications, again without IT’s involvement.
  • With personal mobile devices, business users themselves are bringing applications into the workplace and using consumer applications for work tasks.

These trends bring many benefits, of course. Cloud computing can provide your business with greater agility while mobile devices and apps make your employees more productive. The challenge for IT and procurement teams is to understand what’s happening in these realms, because the unknown or ‘shadow’ part of these extra-IT activities can present significant business risks.

Do you know what you don’t know?  

Lack of insight is perhaps the greatest business threat – because shadow IT presents many risks to the enterprise.

Data security and privacy risk: An employee who uses a personal email account to send information about confidential programs can cause trouble if that account is compromised. People using unpatched systems or insecure applications can likewise put data at risk.

Regulatory compliance risk: Even outside regulated industries like finance and healthcare, most businesses have an obligation to report if their customer data is breached. If you do not know which cloud applications might be holding your customer data, it’s difficult to know if that data has been breached.

Data integrity: There’s a larger problem of not knowing where and how all of your data resides, and which sources have the most up-to-date data.

Operational efficiency/cost controls: With fragmented IT purchasing processes, you may be wasting resources on duplicate functionality or missing opportunities to negotiate better licensing terms.

Shining a light on Shadow IT

Gartner analyst Guriq Sedha suggests in a research note from April of this year that IT procurement teams need to focus on collaboration, policies and practices in order to close the loopholes leading to shadow IT.  

However, until enterprises understand the scope of the problem – and know what they don’t know – they cannot possibly set up the policies and workflows to address the situation. Further, with the growing Internet of Things and constant evolution of cloud applications, enterprises can never entirely get ahead of the problem.

To find and close the gaps in IT procurement, enterprises need to supplement policy and process with the right data. Data is the key to shining the light on shadow IT.

  • Spending data: Look at where spending is going and correlate spending with IT industry information to find the IT-related processes outside of traditional procurement processes.
  • Network and technology data: Look at IT systems and network data to find out what’s actually operating on your network. Correlate IT systems data with procurement records to find systems that are out of scope or new.

Focusing on the data can help enterprises mitigate risk as well. Rather than trying to lock down processes and enforce policies, focus on protecting the data. To determine whether policies and processes are being followed, companies need to listen to what the data tells them.

Mahesh Kumar

Mahesh Kumar is the chief marketing officer at BDNA Corp., a Mountain View, Calif.-based Data-as-a-Service solutions provider. He believes in big ideas that have ubiquitous application. A passion to democratize IT information led him to conceptualize, build and market the industry’s first Configuration Management System, the information hub that drives IT processes. At Kontiki, Kumar marketed products that provided anytime, anywhere access to rich digital content. He also made key contributions at Loudcloud, the cloud-computing pioneer. Kumar likes to golf, spend time with his family and venture on an occasional mountain climb. Kumar has an MBA from the Wharton School and a master’s in engineering from Clemson University.