Shadow-IT is on the rise. What is shadow-IT? The definition I encounter most often is: IT systems and IT solutions built and used inside organizations without organizational approval. One of the most interesting aspects of this allegedly new phenomenon is how shadow IT is being touted as a “threat to the IT department” or a threat to the CIO. Why isn’t it a threat to the “organizations” that are not approving these IT investments?
I think the definition is flawed because these IT initiatives can only be built and used after receiving some kind of organizational approval. Many folks would correct this flaw in the definition by changing “organizational approval” to IT approval. This clarification would bring the supposed threat to IT more into focus with shadow IT decisions being made unilaterally by the business, circumventing the IT organization entirely.
One of the latest warnings comes from Gartner predicting that “within the next three years, 35% of enterprise IT expenditures will happen outside of the corporate IT budget.” A report by Forrester Research also warns, “IT chiefs that don’t raise their game when it comes to innovation will see their authority undermined within the next three years as execs hire their own staff to build new tech services, bypassing the IT department and creating a two-tier system”.
Oh no! Something must be done! How dare these business units make unilateral decisions about information technology! That’s IT’s job!
I sincerely hope my heavy sarcasm is not lost on anyone, but I fear it might be. Many folks, especially those inside of it, mistakenly think all information technology decisions should be made by IT. Though I am an IT-guy, I am not outraged by the business units “going around” their IT organizations. Yes, I am very concerned (due the potential risk and security threats, cost leverage and economies-of-scale, redundancy, reusability, etc.) but I am not shocked because I view Shadow IT simply as a swing of the pendulum. For years, many IT organizations have been making unilateral decisions about information technology. Sure, this mitigates many of the concerns I just listed, but it simply returns us to the now years-long issues associated with IT making unilateral decisions about information technology (disconnected from the business, too slow, too costly, mired in bureaucracy, etc.)
IT should not be accountable for approving the building and use of IT systems and IT solutions, the business should – in partnership with IT. What is not mentioned in any of the IT-is-doomed commentary is that each of these instances of shadow IT, also known as rogue IT, are fostered by businesses bypassing their own IT organizations that are spending their own business dollars! Why aren’t these businesses equally concerned and involved with the IT budget as they are with their shadow IT expenditures? It all adds up to business money!
The premier piece of advice being offered to IT in response to the shadow IT boogeyman is the need for IT to drive business innovation. This implies it is entirely up to IT, which is a huge misconception. If IT organizations are not driving business innovation it is only because the enterprises that contain them are not ensuring IT drives business innovation. Ensuring IT drives business innovation is not the only thing many enterprises are neglecting. The vast majority of businesses are not taking the steps necessary to ensure information technology:
- enables the enterprise to realize its strategy and goals
- delivers optimal value
- risk is appropriately managed
- resources are appropriately managed
- performance is appropriately managed
In short, businesses are not governing IT. (IT/business alignment, value delivery, managing risk, resources and performance, are the five principles of IT governance.)
IT governance (more appropriately called Enterprise governance of IT) is a function of the business – it is not a function of IT. All of the things that IT does right and all of the things that IT does wrong are directly related to the businesses that enable or allow IT to do right or to do wrong. Most businesses delegated information technology decision-making to their IT-counterparts years ago. That delegation gradually devolved into abdication and now the business has the audacity to give IT a failing-grade followed by a “we’ll just go around you” response.
Instead of stepping back up to the plate and assuming their non-neglected accountability for the information technology aspects of the enterprise (just like every other aspect of the business), business units are bypassing the mess they themselves produced. Now they are creating “shadow IT.” What on earth leads these business folks to believe the outcome of these new IT constructs will fare any better in the long-term? If they did it wrong the first time working with members of their own enterprise, what do they think the result will be working with people who aren’t members of the same team (third-party providers)?
And let’s clear something up right now, shadow IT or rogue IT is far from a new phenomenon. More than 25 years ago I was part of an IT organization that had to provide support for a mini-computer system unilaterally purchased and implemented by a business unit. They even installed raised floors and HVAC systems in their business office! Another example was when we found brand new HP servers sitting on our data center loading dock. They were purchased with non-IT budget dollars by business users who did not want to use the ‘IT standard’ Compaq servers. The major difference with rogue IT today is that ‘the cloud’ doesn’t require the business to install raised floors and their purchases don’t get delivered to your data center loading dock. Consumerized IT options provide business users with countless information technology choices constrained only by the limits on their corporate credit cards.
Please don’t get me wrong. The business is not solely responsible for this shadow IT situation. IT did not shy away from business delegation and subsequent abdication of information technology decisions. IT organizations were all too eager to become the high-priests bestowed with command-and-control of the information technology domain. Their willingness to make unilateral technology decisions helped to lay the foundation for IT’s system-fixation that contributed to the current chasm that exists between many IT departments and the business groups they support. In light of this, let’s use another definition of shadow IT that focuses more on the function of IT: people performing IT functions who are not part of the official IT organization.
What motivates people to perform IT functions when they are not part of the official IT organization? They are motivated by the perception that IT is too slow, too costly, overly complex, and out of touch with the business. How did this happen? I already mentioned it earlier in this post: the business has failed to govern IT. The business is responsible for ensuring the principles of IT governance – IT/business alignment, value delivery, risk management, resource management, and performance management. If the business ensures those principles they will ensure their IT organizations are fast enough, cheap enough, simple enough, and amalgamated with the businesses they serve.
Despite enterprise failure to govern IT, IT organizations better not sit around waiting for the business to step up and take the IT governance lead. Here’s what IT can do:
- Become the expert on consumer technologies and earn the reputation as the go-to resource when it comes to new information technologies – ALL information technologies.
- Become experts in cloud computing (if that wasn’t clear in the previous bullet) and establish the ability to make in-house vs. cloud decisions, manage cloud risks, lead cloud integration, facilitate cloud provisioning, contract negotiation and cloud SLAs, and lead the development of enterprise cloud strategy.
- Realize this could be the start of a golden age of development and revolutionize their development capability (agile, cloud-based, consumer apps, etc.) and focus more on business development vs. application development.
- Stop demonizing shadow IT and start understanding and embracing it. Find what is incenting business users to avoid or go-around IT and address it – solve it.
- Educate the business and advocate and foster their leading role in information technology decisions by leveraging their willingness to make shadow IT decisions to help them realize they are just as responsible for corporate-IT as they are for shadow IT.
- Establish a formal shadow IT risk acceptance policy requiring all department heads, business unit leads, and general managers to sign a document accepting responsibility for all enterprise risks associated with shadow IT in their organizations.
- Advocate and foster IT governance, which is just as essential to making reasoned and rational information technology decisions in regard to decentralized and federated IT constructs as it is to centralized IT.
I don’t agree with the pundits and experts contending shadow IT is a sign that IT must “change or die” because they are only half-right. As I have said before, when there is a problem in a relationship it is rare that only one party needs to change. The business needs to change just as much as IT does – if not more. The greatest change necessary is for the business to take accountability for governance of all information technology, and not just the information technology in the shadows.