Thursday, April 03, 2008

Security of "Rogue" or "Shadow" IT?

Here is a fun question: who is in charge of the security of IT products and services sold directly to users (bypassing IT)?

Now, your first reaction is likely "Nobody, just ban it!" or "Let its users strangle themselves," but I think the reality is more complex. This post raises some of the alarms with "shadow IT":

"Both tools [iPhone and Google Apps] were marketed directly to the appeal of the end-user and made every effort to create a tool (or set of tools) which could be brought into the business environment by an end-user with as little effort as possible."

"Corporate IT is left fighting the new battle - unknown/untested/unvalidated technologies being marketed at their user base and making its way into the corporate environment. What can IT do? Nothing, as far as I can tell."

"Let's be honest with ourselves. Corporate IT has a big problem. This problem will likely get bigger, and more menacing as more things are marketed to 'get around IT bottlenecks'. It all goes back to the image IT has of stifling business and imposing harsh guidelines which don't enable businesses properly."

Just something to think about...

Dr Anton Chuvakin