Shadow IT: Rogue Apps or Bring-Your-Own-Software?

Among the business process disruptions wrought by the cloud is the ability for non-technical employees to make technology decisions. Thanks to self-service SaaS portals, Line of Business employees can bypass IT gatekeepers and decision processes. Thanks to free or low-cost monthly subscriptions billed directly to a credit card, employees don’t need corporate purchase orders. With cloud-based services, company infrastructure is left largely untouched, so the non-sanctioned cloud apps can easily escape notice.

We know that Software as a Service (SaaS) decisions are increasingly being made by non-technical employees. We know it from the aggressive marketing efforts of SaaS vendors who are targeting a fresh category of buyers. We know it from the back-office grumblings of IT, security and compliance officers. We know it from looking around our own office, at our colleagues who blithely use Dropbox, LinkedIn, Mozy, and other non-corporate SaaS apps to conduct business.

What we don’t know is how much, how often, and why. And without knowing that, we can’t determine if the trend heralds a blessing or a curse – and what businesses should do about it.

To better understand “shadow IT,” we invite you to join Frost & Sullivan and McAfee for a webinar on Wednesday, Sept. 18. We will explore the perceptions, facts, drivers, and challenges associated with non-sanctioned SaaS applications in the workplace.   

There are plenty of opinions in the market. At one extreme are the traditionalists – those who believe technology belongs in the hands of IT specialists, and other employees are too naïve, careless, or opportunistic to be trusted with the security keys to the kingdom. This school of thought calls for tight restrictions over employees’ use of technology – something that is harder and harder to sustain in a time of Bring-Your-Own-Device (BYOD), remote workers, and Internet-accessible applications.

At the other extreme are the libertarians, who argue that technology choices belong to the employee, and given sufficient freedom, employees will find the applications and devices that help them perform their jobs best.

Somewhere in the middle are overworked IT managers who turn a blind eye to employee use of non-sanctioned apps, especially those that don’t “touch” corporate databases. The more employees can do for themselves, the shorter the endless to-do list. Also in the middle are equally overworked employees who, chafing at the budgetary and time hurdles erected by IT, are struggling to meet their performance objectives. To them, SaaS subscriptions are an example of the kind of “get it done” resourcefulness that businesses reward.

Even the names we use to describe non-sanctioned applications reveal the industry conflict and our personal biases. To some, they are “rogue” apps – a mildly pejorative term meaning “unprincipled, deceitful, and mischievous.”  To others, they are an example of “Bring Your Own Software” or BYOS, a logical and positive extension of the “Bring Your Own Device” movement.

Of course, there are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability. Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches. They may not appropriately back up the data or ensure the application remains available to users in the event of a failure or disruption.

But how great are the risks?  And do potential risks factor into employee SaaS decisions?

Ideally, businesses want the best of all worlds: employees should have a choice of applications that IT has vetted for adherence to corporate requirements for security, performance, and compliance.

But we can’t get there unless we better understand what current perceptions and behaviors look like. How widespread is non-sanctioned SaaS in the workplace?  What drives employees to circumvent IT processes? How concerned is IT about the risks – and are their concerns based on actual experience or “gut feel”?

To find out, Stratecast and McAfee are currently running a survey of IT and Line of Business users around the world. We are asking about policies and processes. Drivers and restraints. Biases and attitudes. And we are asking not only about SaaS categories, but about usage and perceptions regarding specific SaaS software.

We don’t know whether our findings will confirm or confound prevailing wisdom regarding SaaS in the workplace. Either way, we believe the survey will provide valuable data that we (and all businesses) can use to help build the ideal SaaS policy.

We invite you to join Frost & Sullivan and McAfee on September 18 for a webinar, The Security Impact of Employee-Deployed Cloud Applications (aka Shadow IT). We will go through results of the survey, fresh from the field. We will also discuss a new approach to enterprise SaaS – one that combines users’ freedom to choose with IT’s need to control security risks. You’ll walk away with the tools you need to eliminate the risk introduced by rogue IT. Please register here.
