He says business units often make these direct IT buying decisions out of a sense that they have to move fast to reach new channels or markets. "This is often based on a clear business mandate and logic." But there are often "hidden costs" in managing data after a shadow IT project has occurred, he points out. Resources become more and more fragmented and spread out, or "misaligned." One top concern in shadow IT will certainly be the security and compliance of data.
"You're introducing a lot of new risk into the system," he says, noting that the chief information security officer (CISO) or the chief security officer (CSO) in the enterprise has a clear role to play when it comes to shadow IT.
"One of the main roles of the CISO is to call out these behaviors," Kawalec says. CISOs have to figure out what is going on, analyze it, and report findings about the security and compliance implications of shadow IT to the chief executive and the board of the corporation, where final decisions need to be made. "Shadow IT cannot be played out in the shadows," Kawalec concludes. "Someone has to shine a light on what's outside the norm."