In a survey, cloud security broker vendor CipherCloud found that 86 percent of cloud applications used at workplaces are unsanctioned. That's a big percentage. Obviously, the security vendors have an incentive to raise such fears about shadow IT, so take this claim with much salt. However, the issue merits attention.
I don't see shadow IT as that big of deal. Moreover, I believe that CIOs can embrace, rather than fight, the rise of shadow IT for their own benefit. How?
There are three benefits to the CIO from departments' shadow cloud use.
First, if you have cloud services used and managed by non-IT organizations -- say, the HR department using a SaaS HR management systems -- then you don't have to spend your time selling your users on the cloud. They're already there! I spend most of my time convincing people that if they use Amazon Web Services or Salesforce.com that the sky won't fall, so I love to deal with users who already get it.
Second, department-managed cloud services saves you from having to drive through a requirements cycle for that department, since it already selected the right (hopefully) cloud service. That requirements cycle can take as much as a year for most IT shops, which is way too long for users. You can't blame them -- that kind of shadow IT is caused by IT, after all.
Third, these shadow cloud deployments give you the green light to put more stuff on the cloud, including applications and data. Much like the first point, departments' own use of cloud technologies means you'll get fewer objections when you propose cloud migrations. When you do objections, you point out that they were the cloud pioneers -- that one always shuts down the arguments.
Shadow IT is a normal thing in a Global 2000 company today. In fact, I'd be more concerned if you did not have a group in the company playing around with cloud computing already, unsanctioned by corporate IT. That means they're not engaged in their own technology usage.
How IT reacts to these "rebels" tells me a lot about the IT shop. If the IT shop beats down shadow IT, it's missing an opportunity. If the IT shop ignores shadow IT, it's not doing its job. Instead, IT shops should engage constructively with shadow IT, treating it as a resource and opportunity.