
The Problem with Shadow IT

26th June 2015

Author John Baddiley

Risk? Duplication? Governance? Yes, but that’s not the worst of it.

The past couple of years have seen a lot of press on the topic of shadow IT – the use of IT systems and solutions built and used without the approval of the IT business unit. The growth of cloud services lowers the barriers to entry; in many cases there isn’t a requirement to install anything into your existing IT systems, and only a web browser or HTTP connection is required. There’s no doubt that there can be risks associated with the ungoverned deployment of technology services within a business, but this is not the largest problem associated with shadow IT.

Businesses that we’ve worked with have had a number of reasons for the use of shadow IT, including the following common themes:

  • IT budget – in many cases, IT budgets have long approval processes, are missing business-aligned prioritisation for IT initiatives or the budgets themselves are insufficient to meet business needs.
  • Too slow to move – the IT department is often seen as slow and unresponsive to business needs, or has insufficient resources to meet business needs in a timely manner.
  • Too hard to engage – IT departments are often seen as being hard to engage, with a service mentality that doesn’t rapidly respond to changing business requirements, or overly bureaucratic processes.
  • No innovation – in some cases, the IT department is seen as a hindrance to technology-enabled innovation.
  • No prioritisation – the prioritisation of IT expenditure is often a challenge for business units, with big-ticket items and IT “keep the lights on” projects being the focus.
  • Don’t understand our business needs – in some cases, business units believe that the IT department doesn’t understand their needs, and focusses on the wrong problem.

The real problem with shadow IT is not that it exists, or that it breaks IT or security rules, but that the business felt that building shadow IT was the best answer. Shadow IT is a response to the failure of the IT department to meet business needs in a rapidly changing environment. Shadow IT is a symptom of an IT function that is not delivering what its business stakeholders expect of it. Shadow IT is a symptom of a dysfunctional relationship between the IT department and the business that it serves.

Undoubtedly, shadow IT can have risks, whether they be information security, process, duplication or budget, but at the same time it’s delivering value to the business units that have contracted it.

So what are the solutions for IT departments? The risks of Shadow IT can be managed or mitigated when the following approaches are taken:

  • Build a strong business relationship – In our experience, IT departments need a strong, proactive relationship with the business units that they serve. “Trusted advisor” is a term that is often thrown around, but trust is something that is earned, not an attribute-by-right. IT departments that understand the challenges that their business units face, and can offer options for how technology can resolve these, are more successful.
  • Offer a responsive service – A service catalogue alone doesn’t deliver a responsive service culture. IT departments need to offer multi-modal delivery models, with governance where it is required, and pragmatic, light-touch delivery models elsewhere. IT departments should aim to provide technology with the business, not to the business.
  • Operate as a service facilitator, not service provider – The world that businesses find themselves in now is changing at an ever increasing pace. The days of IT departments delivering everything IT related are well past their use by date; successful IT departments deliver services where they can excel, and facilitate services through partners where appropriate.
  • Information security is a business risk – when approaching the information security risks associated with shadow IT, IT departments should remember that information security is a business risk that surfaces through technology. Business stakeholders must be involved with risk discussions, and take ownership for decisions made.
  • Provide incremental improvement – IT departments should prioritise solutions that incrementally improve services in the immediate future over those that promise a larger gain in the longer term. Services and systems that provide incrementally improving functionality and performance immediately are generally preferred to a large improvement in two years.
  • Build bi-modal approaches into the IT strategy – IT projects are not all the same, and they shouldn’t be treated as such. Gartner popularised the idea of bi-modal IT, and IT departments should apply these principles to support business agility while maintaining scalability and reliability of legacy systems.


John Baddiley is a Senior Business Manager in our Wellington team with a focus on technology and how it enables the Digital Enterprise. John has over 20 years’ experience in the IT industry, and leads our Enterprise Architecture and Cloud Computing capabilities. His customer and business focus has enabled some of New Zealand’s largest businesses and public agencies to accelerate change and stay ahead.