A trend that is frequently discussed in industry journals revolves around the growing involvement of business decision makers (BDMs) in the IT acquisition process. There is a further issue that is not generally the subject of trade publication articles, though: the extent to which BDMs are going beyond system selection and acquisition, and involving themselves in IT operations.

To obtain some visibility into this issue, Techaisle asked SMB & Midmarket survey respondents (reported in three of Techaisle reports: 1/ SMB & Midmarket Buyers Journey 2/ SMB & Midmarket, ITDM vs BDM Decision Process) to identify the party (ITDM or BDM) most responsible for various aspects of cloud and mobility security. The results both provide insight into the IT operations activity levels of BDMs, and into potential issues that might arise as a result of ad hoc, unplanned and business driven IT purchases (or shadow IT).

The first thing we notice when we look at small and mid-sized business approaches to cloud security and mobility security is that there is a discrepancy between policy and practice. In cloud, that is the only discrepancy in the process. In 62% of small businesses and 71% of midmarket firms, business management has primary responsibility only for “Setting policy to define who has access – and the degree of their access – for cloud applications and corporate data used and/or created by cloud applications.”

When we look at mobility, we see that within 47% of midmarket firms, BDMs have responsibility for a second policy area: “creating and enforcing policies governing corporate rights around management and security of personally-owned devices used for business purposes.” Amongst small businesses, BDMs – perhaps owing in part to the fact that these organizations don’t have a lot of IT resource on staff – have primary responsibility for all forms of policy (the two examples noted above, plus policies governing personal and business use of devices, reimbursements for personal devices used at work, and security associated with personal devices connected to corporate resources).

As is noted above, this data sheds light on two interesting issues. The first is that (with the exception of small business mobility) BDMs are not really involved in IT operations, at least with respect to security. BDMs are an important force in acquiring technology; they determine the need for solutions, often hold the budget for the purchase, and have distinct ideas about what the solution should accomplish and what its key attributes should include. But they do not, as a rule, extend that activity into management; this (or at least, the security aspects of this) remains the purview of IT.

Where this has an especially interesting implication is in shadow IT. Shadow IT activities, ranging from “BYOD” (bring your own device) purchases of mobile devices to the sourcing of cloud-based applications and infrastructure, tend to occur without direct IT involvement. The BDM buyers, however, have little experience with actually doing the work required to ensure that these systems and devices are secure, backed up, auditable…all services that are generally provided by IT. It isn’t impossible for BDMs to expose shadow IT purchases to IT after the acquisition is made, and to ask for management help, and/or to contract with a third party to provide similar types of support. But if this kind of activity doesn’t occur regularly, and without substantial delays between purchase/use and support, BDM ‘managed’ shadow IT activities might (as IT departments fear) lead to security vulnerabilities and/or other management issues.