Get Steve's Book on Amazon
  • Eliminating
    Eliminating "Us And Them": Making IT and the Business One
    by Steven Romero

Shadow IT: Cutting off the IT-Nose to Spite the Business-Face

Shadow-IT is on the rise. What is shadow-IT? The definition I encounter most often is: IT systems and IT solutions built and used inside organizations without organizational approval. One of the most interesting aspects of this allegedly new phenomenon is how shadow IT is being touted as a “threat to the IT department” or a threat to the CIO. Why isn’t it a threat to the “organizations” that are not approving these IT investments?

I think the definition is flawed because these IT initiatives can only be built and used after receiving some kind of organizational approval. Many folks would correct this flaw in the definition by changing “organizational approval” to IT approval. This clarification would bring the supposed threat to IT more into focus with shadow IT decisions being made unilaterally by the business, circumventing the IT organization entirely.

One of the latest warnings comes from Gartner predicting that “within the next three years, 35% of enterprise IT expenditures will happen outside of the corporate IT budget.” A report by Forrester Research also warns, “IT chiefs that don’t raise their game when it comes to innovation will see their authority undermined within the next three years as execs hire their own staff to build new tech services, bypassing the IT department and creating a two-tier system”.

Oh no! Something must be done! How dare these business units make unilateral decisions about information technology! That’s IT’s job!

I sincerely hope my heavy sarcasm is not lost on anyone, but I fear it might be. Many folks, especially those inside of it, mistakenly think all information technology decisions should be made by IT. Though I am an IT-guy, I am not outraged by the business units “going around” their IT organizations. Yes, I am very concerned (due the potential risk and security threats, cost leverage and economies-of-scale, redundancy, reusability, etc.) but I am not shocked because I view Shadow IT simply as a swing of the pendulum. For years, many IT organizations have been making unilateral decisions about information technology. Sure, this mitigates many of the concerns I just listed, but it simply returns us to the now years-long issues associated with IT making unilateral decisions about information technology (disconnected from the business, too slow, too costly, mired in bureaucracy, etc.)

IT should not be accountable for approving the building and use of IT systems and IT solutions, the business should – in partnership with IT. What is not mentioned in any of the IT-is-doomed commentary is that each of these instances of shadow IT, also known as rogue IT, are fostered by businesses bypassing their own IT organizations that are spending their own business dollars! Why aren’t these businesses equally concerned and involved with the IT budget as they are with their shadow IT expenditures? It all adds up to business money!

The premier piece of advice being offered to IT in response to the shadow IT boogeyman is the need for IT to drive business innovation. This implies it is entirely up to IT, which is a huge misconception. If IT organizations are not driving business innovation it is only because the enterprises that contain them are not ensuring IT drives business innovation. Ensuring IT drives business innovation is not the only thing many enterprises are neglecting. The vast majority of businesses are not taking the steps necessary to ensure information technology:

  • enables the enterprise to realize its strategy and goals
  • delivers optimal value
  • risk is appropriately managed
  • resources are appropriately managed
  • performance is appropriately managed

In short, businesses are not governing IT. (IT/business alignment, value delivery, managing risk, resources and performance, are the five principles of IT governance.)

IT governance (more appropriately called Enterprise governance of IT) is a function of the business – it is not a function of IT. All of the things that IT does right and all of the things that IT does wrong are directly related to the businesses that enable or allow IT to do right or to do wrong. Most businesses delegated information technology decision-making to their IT-counterparts years ago. That delegation gradually devolved into abdication and now the business has the audacity to give IT a failing-grade followed by a “we’ll just go around you” response.

Instead of stepping back up to the plate and assuming their non-neglected accountability for the information technology aspects of the enterprise (just like every other aspect of the business), business units are bypassing the mess they themselves produced. Now they are creating “shadow IT.” What on earth leads these business folks to believe the outcome of these new IT constructs will fare any better in the long-term? If they did it wrong the first time working with members of their own enterprise, what do they think the result will be working with people who aren’t members of the same team (third-party providers)?

And let’s clear something up right now, shadow IT or rogue IT is far from a new phenomenon. More than 25 years ago I was part of an IT organization that had to provide support for a mini-computer system unilaterally purchased and implemented by a business unit. They even installed raised floors and HVAC systems in their business office! Another example was when we found brand new HP servers sitting on our data center loading dock. They were purchased with non-IT budget dollars by business users who did not want to use the ‘IT standard’ Compaq servers. The major difference with rogue IT today is that ‘the cloud’ doesn’t require the business to install raised floors and their purchases don’t get delivered to your data center loading dock. Consumerized IT options provide business users with countless information technology choices constrained only by the limits on their corporate credit cards.

Please don’t get me wrong. The business is not solely responsible for this shadow IT situation. IT did not shy away from business delegation and subsequent abdication of information technology decisions. IT organizations were all too eager to become the high-priests bestowed with command-and-control of the information technology domain. Their willingness to make unilateral technology decisions helped to lay the foundation for IT’s system-fixation that contributed to the current chasm that exists between many IT departments and the business groups they support. In light of this, let’s use another definition of shadow IT that focuses more on the function of IT: people performing IT functions who are not part of the official IT organization.

What motivates people to perform IT functions when they are not part of the official IT organization? They are motivated by the perception that IT is too slow, too costly, overly complex, and out of touch with the business. How did this happen? I already mentioned it earlier in this post: the business has failed to govern IT. The business is responsible for ensuring the principles of IT governance – IT/business alignment, value delivery, risk management, resource management, and performance management. If the business ensures those principles they will ensure their IT organizations are fast enough, cheap enough, simple enough, and amalgamated with the businesses they serve.

Despite enterprise failure to govern IT, IT organizations better not sit around waiting for the business to step up and take the IT governance lead. Here’s what IT can do:

  • Become the expert on consumer technologies and earn the reputation as the go-to resource when it comes to new information technologies – ALL information technologies.
  • Become experts in cloud computing (if that wasn’t clear in the previous bullet) and establish the ability to make in-house vs. cloud decisions, manage cloud risks, lead cloud integration, facilitate cloud provisioning, contract negotiation and cloud SLAs, and lead the development of enterprise cloud strategy.
  • Realize this could be the start of a golden age of development and revolutionize their development capability (agile, cloud-based, consumer apps, etc.) and focus more on business development vs. application development.
  • Stop demonizing shadow IT and start understanding and embracing it. Find what is incenting business users to avoid or go-around IT and address it – solve it.
  • Educate the business and advocate and foster their leading role in information technology decisions by leveraging their willingness to make shadow IT decisions to help them realize they are just as responsible for corporate-IT as they are for shadow IT.
  • Establish a formal shadow IT risk acceptance policy requiring all department heads, business unit leads, and general managers to sign a document accepting responsibility for all enterprise risks associated with shadow IT in their organizations.
  • Advocate and foster IT governance, which is just as essential to making reasoned and rational information technology decisions in regard to decentralized and federated IT constructs as it is to centralized IT.

I don’t agree with the pundits and experts contending shadow IT is a sign that IT must “change or die” because they are only half-right. As I have said before, when there is a problem in a relationship it is rare that only one party needs to change. The business needs to change just as much as IT does – if not more. The greatest change necessary is for the business to take accountability for governance of all information technology, and not just the information technology in the shadows.


PrintView Printer Friendly Version

EmailEmail Article to Friend

References (14)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Response: Paytm Coupons
    John Mills
  • Response
    The considerable discrepancy accompanying swindler IT today is that ‘the cloud’ doesn’t force the partnership to establish lifted drops plus their obtains don’t acquire delivered to your material halfway loading slip.
  • Response
    My hopes are more and I have to learn more from you thank you very much, actually I am using this site queensland assignment so feel very good. All are using this site for develop the websites.
  • Response
    My hopes are more and I have to learn more from you thank you very much, actually I am using this site queensland assignment so feel very good. All are using this site for develop the websites.
  • Response
    Response: awriter
    I really had a great time with your post! I am looking forward to read more blog post regarding this! Well written!
  • Response
  • Response
    Response: Janette B. Perry
    At the risk of making a suggestion you probably already know, I also want to point out that you don't have to walk the journey alone. Having a strong and healthy support group, whether they be family, good friends, or counselors, can empower you along the way.
  • Response
  • Response
    Response: apk
  • Response
  • Response
    Response: cam heating
  • Response
    Response: net worth
  • Response
    Response: rank
    Romero Consulting - Blog - Shadow IT: Cutting off the IT-Nose to Spite the
  • Response
    Romero Consulting - Blog - Shadow IT: Cutting off the IT-Nose to Spite the

Reader Comments (2)

Great post, thanks for sharing. A coworker of mine mentioned "shadow IT" and I ended up here; glad I did.

July 24, 2012 | Unregistered CommenterBusiness Continuity

This is a topic that is close to my heart..Cheers.Where are your contact details though.Thanks a lot


April 25, 2017 | Unregistered CommenterAsif

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>
« What is Cloud Computing? | Main | The Business of IT Governance »