, global chief technology officer of Enterprise Security Services at HP, agrees shadow IT is a significant issue, though he doesn't think it's necessarily as pervasive as PwC sees it. But he does agree, "It's one of the biggest challenges to IT."

He says business units often make these direct IT buying decisions out of a sense they have to move fast to reach new channels or markets. "This is often based on a clear business mandate and logic." But there are often "hidden costs" in managing data after a shadow IT project has occurred, he points out. Resources become more and more fragmented and spread out or "misaligned." One top concern in shadow IT will certainly be security and compliance of data.

"You're introducing a lot of new risk into the system," he says, noting that the chief information security officer (CISO) or the chief security officer (CSO) in the enterprise has a clear role to play when it comes to shadow IT.

"One of the main roles of the CISO is to call out these behaviors," Kawalec says. They have to figure out what is going on and analyze it, and report findings about the security and compliance implications of shadow IT to the chief executive and the board of the corporation, where final decisions need to be made. "Shadow IT cannot be played out in the shadows," Kawalec concludes. "Someone has to shine a light on what's outside the norm."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.