There’s always been “Shadow IT” - deal with it!

By Bryan Oak, Director of Consulting Services, Searchlight Consulting

“Shadow IT needs to be controlled” and “the Cloud is the root cause of Shadow IT” are frequently heard complaints about what Gartner’s Glossary of IT Terms defines as “IT devices, software and services outside the ownership or control of IT organizations” and, elsewhere, as “IT systems and solutions built and used inside organizations without explicit organizational approval.”

There have been plenty of articles and features written over the last few years on the topic of Shadow IT and the ills that it begets. Security exposure, compromised regulatory compliance, the inability to optimise enterprise-wide investment decisions, and the absence of testing, change control and configuration management are all cited as problems that its existence compounds.

You would be forgiven for thinking that Shadow IT is a recent phenomenon, a trend born out of the advent of subscription services and the dastardly plans of every CMO to undermine their IT counterparts. However, the reality is that there have always been “IT devices, software and services outside of the ownership of IT”.

Early in my career, I worked at a high-tech manufacturing company. As with many such organisations, even in the mid-80s, there were myriad business systems and applications that were owned, managed and supported by the business rather than by IT.

Engineering CAD systems were the domain of Product Development; shop floor control and data collection systems belonged to Manufacturing Engineering; the Quality Labs owned the LIMS (laboratory information management system); Advanced Manufacturing teams implemented simulation modelling, robotics and expert systems; and if you needed support for any bit of hi-tech equipment, you needed to talk to Maintenance. The IT department, as it was then, only really got involved if you needed to install a PC or a cable, or needed some BASIC or C programming to be done, and even then that job usually fell to the most recent summer intern!

The systems that these “business” groups used, specified, designed, developed or procured met their business operations’ needs. They were sanctioned by investment groups and budget holders, and were supported, formally or informally, by those within the department with a more technical bent. This practice of separate ownership was everywhere, and no one considered it particularly worrying or threatening at the time. Indeed, it meant that the “business” really felt accountable and responsible for the use of these systems and the data that they contained; the lack of such accountability has, ironically, become a “new world” complaint about business applications today.

The artificial lines drawn between operational systems owned and managed by a business team and those that are the remit of corporate IT functions are still commonplace. The “Cloud” and software-as-a-service (SaaS) tools are only another manifestation of this.

So, what’s changed?  Why is this such a cause for consternation?

In the same way that technology prevails in our personal lives and the consumer world, IT is now ubiquitous throughout any enterprise. What has changed is connectedness: systems that once stood alone now exchange data with each other, which raises both the value of integrated information and the exposure of that information to malicious intent, so the need to protect it has grown accordingly.

More than in the past, IT solution vendors sell directly to non-IT buyers, bypassing IT policy constraints, formal procurement processes and the more searching questions that come with them. A SaaS subscription can be bought with nothing more than a corporate credit card, and because nothing passes through procurement, the service never appears in IT’s asset inventory or access reviews. In short, business applications are easier to procure “in the shadows”.

With a few exceptions, every organisation has an IT management structure in place. Every IT manager, IT Director or CIO likely feels that there are information technology components that should be inside, but are currently outside of their purview.  So, does IT accept this and become a commodity broker and order taker, patrolling the boundaries, responding to defined requests and delivering to predetermined service levels?

Or should IT round them all up and strap them down with architectural standards, service level agreements and rigorous change and release management processes? Get it all under IT’s control and the problem will go away. This approach is often touted, especially by those “inside” IT. However, it only serves to illustrate the false dichotomy between business and IT, in which one is either a necessary evil or the servant of the other, and putting everything IT-related under IT’s control does not address the reasons that so-called Shadow IT exists in the first place. Fundamentally, few business leaders like being told what they can and cannot do, and many believe that it will get done better and more quickly if they do it themselves.

It is probably true to say that the distinction between IT and “the business” has become a purely organisational construct that is quickly outliving its value. It makes more and more sense to assume that you need IT skills “in the business” and “business” skills in IT.

So, if information technology is all-pervasive, if business capabilities and critical information exist throughout and outside your organisation, with outsourced service providers, partners and in the “cloud”, and if the skills and talent you need to harness the value of that information can and should exist throughout the organisation, what is the key to making it all manageable?

The answer is “It depends”: is the executive team comfortable with non-IT teams taking on what might “traditionally” be seen as an IT responsibility? There is an element of risk assessment to be made, and a level of pragmatism. You need to decide which battles are worth fighting.

If the solution is completely standalone and adequately supported, then a more relaxed stance can be adopted. However, if it requires interfaces to other corporate systems, depends on a single individual for support, holds sensitive or regulated data, or is deemed business critical, then IT and the wider organisation need to be more assertive about the type of solution that should be adopted and who should own it. Getting the CFO onside to challenge value for money and risk levels is always useful.

For a more holistic and comprehensive approach, the basic principles of Systems Thinking and Critical Thinking are a good starting point to look at information technology as assets within the enterprise system, rather than a department or organisational function.  Put in place frameworks and disciplines that will:

  • Enable IT investment decisions to be made within the wider context – whole-enterprise thinking
  • Undertake business-wide portfolio management and investment reviews that do not need to make the distinction between business OR IT projects
  • Facilitate integrated architecture and design reviews, to ensure that inter-connectedness and information integration objectives can be achieved where needed
  • Establish risk-based regimes for:
    • Comprehensive testing and disciplines for release management, without stifling innovation and the ability to make changes rapidly
    • Security of information, both internally and through suppliers
  • Put in place appropriate service level frameworks for all technology services, regardless of where the systems are or who they are managed by, starting with a light-touch for innovative services, becoming stronger as these become part of the core business offering.

You will still need to deal with politics, egos and people change management, but if IT thinks and acts like an “enabling” part of the organisation rather than a “controlling” one, then the concept of Shadow IT loses both its meaning and its potential to disrupt.