Back 
January is the month of diets, exercise plans, and if you’re in the high-technology world, predictions for the coming year. The web is rife with executive prognostications for 2016. What the web is not rife with, however, is those same executives looking back and asking “Did my predictions from last year come true?”
City of Palo Alto CIO Jonathan Reichental noted in a recent LinkedIn post that “Everyone who made 2015 predictions should now be required to say whether they got them right or wrong.” In the spirit of that post, here is a look-back at my predictions for last year (and whether or not they were correct).
My first prediction was that we’d see a decline in everyday enterprises building their own data centers:
“2015 will see a marked decline in companies not named Amazon, Google or Facebook building their own data centers. I’ve had conversations with a number of Fortune 500 customers of late, and they’re all effectively saying that they just can’t justify such a massive portion of their budget for such an undertaking, especially as cloud offerings have matured and there are innovative new-age security solutions to enable these cloud solutions to meet stricter security and compliance requirements.”
Analyst research confirms this prediction. According to a study by 451 Research, organizations are limiting investment in non-strategic data centers and looking to alternatives like the cloud if they require additional capacity.
In the second, I said we’d see more enterprises embrace shadow IT:
“In 2015, we’ll see Shadow IT go mainstream. Those organizations that don’t have (or don’t believe) they have Shadow IT are either dying, extremely regulated, or have their head in the sand. By mainstream I mean that organizations will move from a position of calling Shadow IT negative and they’ll start to look to these initiatives for competitive advantage, harnessing the agility and innovation they can yield, and as a way to streamline processes. Given recent innovations in the cloud security and analytics market, this will be easier for organizations to do in an efficient way.”
I think I was only half-right. Over the course of the year, most of the IT leaders that I met with acknowledged that shadow IT was alive and well in their organizations. Netskope is also seeing an influx of inbound requests to help enterprise CIOs and CISOs address shadow IT in their organizations. That said, we still see about a 10x difference between the expected and actual numbers of cloud apps per enterprise. The actual number has grown to 755 cloud apps per enterprise in October 2015 vs. 579 in October 2014, according to our most recent Netskope Cloud Report.
I also think I may have been overly optimistic in my statement that most organizations would look to shadow IT for competitive advantage. Some IT leaders like Mark Zimmerman at MaRS say shadow IT is “great for employees,” but the general mood is that shadow IT remains a pain in the neck. I do believe that shadow IT presents an opportunity for IT to find incredible tools that will give their businesses a competitive leg-up, but also acknowledge that IT leaders are hamstrung by operational and security issues that make it hard for them to take advantage of them.
My third and final prediction was that organizations would eschew blocking and adapt their policies to say “yes” to useful and popular cloud apps:
“We’ve noticed that a lot of our financial services customers have employees and customers using Dropbox against IT’s wishes. For instance, we had one banking customer whose IT initially refused to share data via Dropbox due to the common mis-perception that Dropbox cannot be made enterprise-ready. They quickly came to the realization, though, that attempting to shut down such an app was both unrealistic and counterproductive. So, they had two choices: adapt their policies around cloud apps and institute solutions to govern them, or risk losing their large number of pro-Dropbox customers to another bank. Obviously, they opted for the former option and adapted their policies. As with classical economic theory, the market is always going to be ultimately dictated by demand. I think this will become a more prevalent in 2015 and shunning cloud apps will become hazardous to a company’s financial health.”
This was probably my weakest prediction, although we have evidence from our own customer base of enterprises enforcing granular policies (like “No sharing outside of the company”) rather than blocking apps outright. See my colleague’s blog post on layered cloud app policy best practices from some of our most forward-thinking financial services customers.
That said, many organizations still block cloud apps outright, and it has nearly the opposite of its intended effect. The result is nearly always one or both of the following:
- “Exception sprawl,” where the policy is so disruptive to business process that many people seek exceptions and, over time, the exceptions outweigh the blocks;
- An inverse relationship between app blocking and app quality develops, because when people are blocked from using apps like Box or Dropbox, they seek out low quality apps that fly under IT’s radar.
Because firewall cloud service categorizations are so coarse-grained, IT can’t block an app category like file sharing; instead they have to do it app by app (and so they end up blocking well-known apps like Dropbox and allowing risky ones like FreakShare). It’s ironic, but about three-quarters of aggregate cloud usage is in apps that have been blocked at the firewall, and for which an exception was made. And there is literally a mathematical step-wise function to describe app quality in our Cloud Confidence Index and blocking, in which apps rated “excellent” are the most blocked and those rated “poor” are the least blocked.
Overall, I give myself a passing grade (but with room for improvement) on last year’s predictions. I think they are in the right direction, but perhaps optimistic for a one-year time horizon. We look forward to tackling these challenges – helping organizations safely use the cloud, turn shadow IT into a competitive advantage, and adapt their policies to move from blocking apps to blocking risky activities – in 2016.
Read the blog