Cloud computing, shadow IT, and financial risk

The risks of shadow IT in the cloud age aren't just technical. If they go undetected, they could be disastrous for the financial health of an organization.

In my last post, I talked about the IT side of the "shadow IT" problem that cloud computing has created for companies all over the world. Cloud computing has enabled end-users to remove IT departments from the decision process when hiring solutions, especially software solutions, and also to keep these same IT departments out of the loop by using cloud-based applications that can be accessed through the browser, without any kind of installation or IT oversight.

This can cause numerous technology-related problems, from users running different applications that accomplish the same purpose (multiple CRM suites, for instance) all the way to a company ending up with completely incompatible software, so that data can't be exchanged between applications, making systems integration impossible to achieve. Furthermore, most end-users don't take the same precautions as IT when hiring solutions, so they often forget to perform the necessary due diligence on companies; they might hire providers that lack essential elements, such as proper SLA guarantees.

Technology, however, is only the first half of this issue. The emergence of shadow IT also has serious implications for the financials of companies that, if ignored, can generate big long-term issues.

Cloud and the pay-as-you-go model

The pay-as-you-go pricing model is perhaps one of the greatest benefits that cloud computing has brought to the IT market. While it already existed before the advent of the cloud, it was cloud providers who truly made this business model popular amongst technology sellers and buyers alike. For all its advantages, however, the pay-as-you-go model is also one of the great culprits of shadow IT.

Before service providers of all types adopted this model, buying technology was hard. Most solutions required customization and adaptation, and deploying a system was a costly proposition that required a relatively large budget. These costs forced users to go through official channels in order to acquire any kind of technological solution.

These days, we have SAP running on AWS for a few dollars per hour that can be hired by anyone with a corporate credit card. Companies find themselves in a position where anyone can not only hire a technology provider over the web, but where they can actually pay for the service from their out-of-pocket expenses.

This, in turn, creates a situation where keeping track of and controlling IT expenses becomes a nightmare: if users can pay for services using their corporate credit cards, and if they don't feel inclined to involve IT in the process (for all the reasons we discussed before), there is no way that these kinds of expenses can be controlled. And, to make matters worse, all these small contracts with different service providers, being paid for with personal credit cards, can quickly add up to a very large sum.

The largest risk is the unknown

Perhaps even worse than these collected expenses is the liability that companies are assuming when users start hiring companies without any regard to internal processes. Imagine a company where a department starts using a cloud-based CRM solution without notifying anyone. What happens if their solution provider is compromised and someone gets access to their customer data?

If all the proper processes had been followed, this situation would already be a nightmare, but with shadow IT, it becomes even worse. Suddenly, the company finds itself in a situation where its customers' privacy has been violated, and it will only find out about it when the first lawsuits arrive and it is too late to take any kind of measure. Not to mention the trouble our hypothetical company would have explaining itself to the market.

Shadow IT can create a series of risks to the business, related to data security and integrity, to service reliability, and to many other factors. These risks are made even worse by the fact that the business does not know about them: they weren't consciously assumed, but rather imposed upon it by users who didn't think through the full consequences of their actions.

This is not to say that users are the only ones to blame. If all IT departments of all companies always managed to keep their users satisfied and happy, and had a healthy relationship with the rest of the business, users would have no reason to seek outside solutions while keeping them out of the loop. All too often I've seen conversations between business and IT that go: "Hey, I've just seen a great new software from this new startup, it's entirely cloud-based..." "Yeah, we don't do cloud." "Oh, okay then...".

The only thing accomplished by conversations of this sort is the complete alienation of users, who feel that the technology guys don't listen and don't care about their needs, which in turn leads them to seek out solutions on their own.

So, while there are several ways to mitigate the more conventional risks associated with the cloud, none of these can be put into place in a shadow IT environment. It's for this reason that it's very important to establish an open and clear conversation between IT departments and business users, and that IT remains receptive to new solutions and ideas. In the cloud age, IT departments that ignore their users are just setting themselves up for obsolescence.


After working for a database company for 8 years, Thoran Rodrigues took the opportunity to open a cloud services company. For two years his company has been providing services for several of the largest e-commerce companies in Brazil, and over this t...
