In this hyper-competitive world, CIOs have to think carefully before saying “no” to new technology.

On the one hand, the IT infrastructure is essential to almost every organization and increasing risk is not an option; on the other hand, there is risk if a competitor gets hold of a new disruptive product or service.

This raises the question of whether organizations should buy enterprise applications from startups. It may already be happening through so-called Shadow IT, where lines of business sign up for software-as-a-service offerings without the knowledge of the CIO.

Some of these services may be relatively innocuous, particularly if they don’t involve personal customer information: Think, for example, of a staff member using to list customer contacts with names, addresses, phone numbers and email.

That’s different from choosing an enterprise resource software suite from a startup. Yet according to Computerworld U.S. an increasing number of enterprises.

It cites a Swiss insurance company, for example, signing up for an unnamed SaaS tool from a startup over a better known competitor because of the new software’s agility, flexibility, ease of use and adjustable business model.

It also quotes Oliver Binz, an independent management consultant for IT and risk management based in Australia, who says CIOs should look at startups the way investors do. “They’re always going to have higher risk than an established company, but you invest in one because the return is likely to be greater.” But, he added, “don’t invest in a startup if you can’t afford to lose your money or live with the consequences if it fails.”

With lines of business increasingly willing to go behind the CIO’s back, it’s imperative that the organization set a policy: Either dealing with unknown suppliers is forbidden, or they at least have to be scrutinized by the IT leaders to see if they meet the security and risk needs set out by corporate policy.

Startups are out there with services for enterprises and are aggressively courting business. You don’t always have to say no. But the organization needs to know what the risks are when it says yes.