It seems the verdict is still out when it comes to whether companies should embrace or brace for shadow IT. While some CIOs look at the additional software, systems, or services that run in conjunction with the established enterprise systems as a competitive advantage, products that share information with one another can often lead to unexpected and costly consequences.
Services, hardware or software unknown to IT are likely not covered in the business’s disaster recovery plan. Should the organization use these systems for critical data, this could result in expensive consequences. It is not uncommon for computer forensics personnel to be approached with storage devices and hear “this is six months’ worth of work that we can’t afford to lose.” This is invariably followed by “Can you recover the data?” Should recovery prove impossible or time consuming in the extreme, this situation would lead to missed deadlines and possibly steep fines over loss of the data or improper storage. Management could then have to justify not only the cost of data recovery, but also the initial labor costs in creating the data with no visible return to the company. This scenario can be devastating to a business.
Furthermore, it is common knowledge that time is money. Not only do users of shadow IT not utilize the skills and experience of IT department personnel (and thus likely spending a great deal of extra time trying to figure out setup and configuration), they are effectively bypassing security and administrative processes and controls designed to protect the system and data. Devices, software, or services not vetted before use are not just bypassing IT, but also QA and a myriad of other standard assessment techniques typically performed before implementation into production. The result of this can be output that is unreliable or simply wrong. This situation will result in more time spent to ferret out the accurate information needed after the shadow IT flaws are uncovered.
To protect against shadow IT, many companies implement protection and/or detection mechanisms to prevent or find rogue programs and hardware. This results in added expenses in procurement and administrative cost to prevent something that shouldn’t happen to begin with. The compounding consequences of shadow IT used in a production environment far outweigh the benefits for most companies. The additional “creativity and flexibility” afforded by shadow IT will rarely, if ever, offset the costs of IT personnel who must ultimately respond to and try to resolve the problems it creates. Think of shadow IT as a scientific experiment without use of the scientific method’s controls and safeguards. While it could result in an amazing, industry-changing discovery, the end results can just as easily cost the organization money, time, industry certifications, or company reputation. Sometimes the benefits and time-savings are just not worth the risk.