Embrace the 'shadow IT' world

As IT managers grapple with the problems raised by ‘shadow IT’, the best way forward may be to embrace the phenomenon.

Shadow IT — the deployment and use of IT solutions by non-IT staff, without the permission or knowledge of the IT department — is widespread across Australian organisations. According to Alan Hansell, advisor at analysis firm IBRS, “Shadow IT or departmental systems are the norm in almost every organisation in Australia today.”

“Industry surveys indicate it is regarded as a disruptive technology by CIOs as the organisation loses control of its IT assets when its use is pervasive,” said Hansell.

Not only has shadow become IT the norm, it’s becoming more prevalent. “Shadow IT is definitely growing across many organisations in Australia,” said Audrey William, head of research, ICT Practice at Frost & Sullivan Australia & New Zealand.

This sentiment is mirrored by Gartner analyst Simon Mingay. In the report ‘Embracing and Creating Value from Shadow IT’, he wrote, “Almost every CIO and leader of an IT shared-service organisation is faced with having to deal with significant growth in shadow IT.”

And just in case you think your organisation doesn’t have any shadow IT deployments, “Most CIOs who don’t see much shadow IT in their organisations are not looking for it or are looking in the wrong place,” wrote Mingay.

This growth in shadow IT is driven in part by the ease with which company divisions can trial cloud applications. “If an individual within a company needs the app or the solution that will allow him to do his job in a quick manner, then they will definitely want to,” said William.

It’s hard to determine exactly how much money is spent on shadow IT. According to Hansell, industry surveys indicate that spending ranges from 10 to 30% of the IT budget, “but I suspect the respondents are guessing, as its use is outside their remit”.

According to William, nowadays it’s not necessarily the CIO who is the main influencer of IT spend, but rather the business line managers who drive spending decisions. “It is these groups of line managers that are driving the need for what they choose to use to work in a more efficient manner,” she said.

She identified cloud computing as contributing to this issue of spend. “The ability to download apps via the SaaS [software-as-a-service] model and the easy way of making payments via a credit card makes bypassing it very easy for employees,” she said.

The problems with shadow IT

This unsanctioned implementation of IT systems outside of the IT department’s knowledge can have fairly disastrous consequences. For one, shadow IT can open security holes — staff outside the IT department may not have the ability to identify security vulnerabilities, so any software they introduce to the organisation may put it at risk.

William says that lack of IT support is also a big issue, particularly when things go wrong. “Every company has a designated list of systems integrators they work with,” she said. “The lack of support, because the current systems integrators know nothing about the app or software, is a critical issue.”

Hansell points out that this lack of IT support has a flow-on effect into the IT department: the CIO might find that shadow IT projects — for example, business professionals implementing an off-the-books system to download corporate data — end up requiring unexpected support from the IT department, which could divert IT staff from implementing major projects officially sanctioned by the company.

And if there is no governance or proper structure, in a very large organisation shadow IT could get out of control, says William. “And when other departments start seeing what a particular division has been trialling and experimenting, they will start wanting to buy SaaS solutions that can help their business unit, without informing IT about their decision.”

SaaS trials can also raise problems for control of sensitive organisational data, says William. Some SaaS applications — for example, big data apps — will suggest that the information employees are working on during the trial period be uploaded to the public cloud.

“This is dangerous as it means that some aspects of private company information will be revealed,” said William. “Important data would have leaked out to the public internet.”

The aforementioned ambiguity about exactly how much the organisation is spending on shadow IT is also a problem. Funds spent on IT without the IT department’s knowledge may not end up being acknowledged, and analysis of overall IT spend would therefore be flawed or incomplete. Decisions made on the basis of that analysis could also be flawed.

There are other cost considerations. The CFO may become alarmed “at the out-of-control cost of using a utility-based SaaS solution by business units, for example, to do a statistical analysis of sales data”, said Hansell.

CEOs can also find themselves troubled, according to Hansell. Such concerns include unreliable reports from departmental systems (as they are not tested as thoroughly as those from the IT department) and a lack of means to control the cost and unreported use of shadow IT.

Shadow IT can also cause friction between upper and middle management. Hansell says that business managers may argue they have no alternative but to use shadow IT solutions, claiming the executive didn’t allocate funds to their IT-related projects.

Why not ban it?

Given the plethora of troubles that the experts say it can produce, it may seem tempting to simply ban the use of shadow IT — that is, to issue an edict to all managers and employees that unauthorised deployment of IT systems, or adoption of IT services, will not be tolerated. While that might seem a great idea on the surface, it might not be the best idea in practice.

For starters, a flat-out ban won’t deter staff from deploying IT solutions, particularly given the IT savviness of today’s employees, according to Hansell. “Banning shadow IT is as futile as banning office gossip,” he said. “IT-literate business managers and professionals, frustrated at the lack of support from IT, will use whatever means they have to develop departmental systems which they deem critical for their success.”

Furthermore, “The best management can do is insist that staff providing information from departmental systems convince them they have been subject to peer reviews and reasonableness testing,” said Hansell. “Managers who take the results at face value and do not query them are putting their jobs at risk.”

Yet even if a ban were successful in deterring staff from employing IT solutions under the radar, there are reasons that you might not want to do it. For a start, a ban could stunt innovation within the organisation, according to William.

“Innovation is key in an organisation, especially with the rapid disruption taking place across industries as a result of cloud, mobility and the Internet of Things,” said William.

“By dictating to employees what they should use, you might not necessarily be allowing them to think and generate ideas of how the software can lead to a new development that might be helpful for the overall company, or help with certain old ways of doing things,” she added.

William specifically singled out cloud-based solutions. If an individual or a division deploys a cloud-based solution and it provides some benefit, and the IT department realises the benefit the new solution has brought, it can then embrace the solution.

“Set rules, allow it,” said William. “And if it works and really solves the problem of what the employees are trying to achieve, then eventually embrace it. Help staff understand that IT is willing to listen and support them with their needs.”

For example, if a division wants to create mobile applications to help achieve some specific goal, “The CIO or IT director can talk to the existing system integrators and mobile vendors to talk about some of these ideas the staff has put forth in a more proactive way,” she said. The CIO or IT director can then get the suppliers to work alongside both the IT team and the business division in question to implement the mobile apps.

“That way you are encouraging innovation by getting IT involved, and not bypassing IT, but also creating a positive win-win situation for all,” said William.

However, not everyone believes that embracing shadow IT is the best call for every situation — in the name of efficiency, for example. According to Mingay: “If the enterprise is demanding efficiency, then embracing shadow IT is probably a mistake… In which case, proper action needs to be taken and supported to suppress shadow IT.”

Yet, “If the enterprise wants a more exploratory and creative approach to exploiting IT, then embracing shadow IT and supporting it, albeit with some guardrails, is likely to be more sustainable and result in more value being created,” he added.

“What is not sustainable is the IT organisation being driven on an efficiency agenda, then allowing shadow IT to proliferate with no accountability or guardrails.”

The challenge of the embrace

However, while banning shadow IT outright may be difficult, embracing it also presents challenges. Hansell says that organisations find it difficult to manage shadow IT because overconfident business professionals often take shortcuts and don’t perform reasonableness checks on their results before publishing them. They can also fail to document their systems’ design and its context.

Managing shadow IT can be difficult also because “data definitions in a corporate database are often obscure and used without clarifying their meaning; for example, whether the sale price of an item includes or excludes GST”, said Hansell.

So what’s the best way to embrace shadow IT, if you go down that path? According to William there is no “one size that fits all approach”. Some organisations — very large companies, financial services organisations and government departments — will have stricter governance and regulations.

But in other firms — including start-ups — “there will be rules in place, but because they are driving innovation and encourage employees to bring new ideas to the table, there will be slight flexibility”, said William.

Companies in this second group should foster an environment that encourages departments and staff to reach out to IT when it comes to procuring solutions. “After listening to the needs of the individual or department, IT can decide to allow the solution to be used or completely disallow it,” she said.

The IT department can also suggest users speak to the suppliers and integrators. “That way there is an open dialogue and trust, and it will then make it easier for IT to put rules in place with regards to shadow IT,” she added.

Hansell suggests organisations develop a support group for business managers and professionals to:

• train them in how to use the software made available to them: for example, Microsoft Excel for planners, SAS for statisticians or business intelligence solutions for analysts;
• advise them on how to interpret the meaning of data they are accessing;
• instruct them on how to do reasonableness checks on results; and
• show them how to protect the data provided against unauthorised access.

“Conduct regular surveys on the use of shadow IT and benefits accruing to ensure the support group is maintained,” said Hansell. “The departmental systems reported in the survey will enable a systems inventory to be established to gain a degree of control.”

Top image courtesy n4i under CC BY 2.0