How to deal with Shadow IT

The issue arises when a business unit decides that they are exempt from organisational IT policy; that they have a right to act in the interests of their business unit rather than the enterprise as a whole; that they have no accountability to a central IT function. When this happens, it is an indicator of a total failure of corporate governance, a dereliction of duty by the governors of the organisation. Shadow IT is ungoverned IT.

LANDesk have collected the views of a number of people about Shadow IT. I was honoured to be one of those who they asked. The collection can be found here (ePub or mobi).

This is based on my contribution:


What is Shadow IT? Why are we talking about it so much in 2014?

The term "Shadow IT" is - like so much IT terminology - used freely to mean all sorts of things.
My definition of Shadow IT is IT that is implemented and operated in business units with less involvement from the centralised organisational IT function/entity/agency than that IT function would like. [Update: I now prefer the term "Dark IT"]
This differs from distributed IT, where IT capabilities are implemented within business units with the consent and collaboration of the central IT function (at whatever level of direct IT involvement from lots to very little). [I don't have an issue with distributed IT, at least not in this context.]

Shadow IT (as I'm using the term here) is guerrilla IT. Shadow IT is business units going it alone, going rogue.

Shadow IT is a Bad Thing. There are good reasons that an IT function is entrusted with the custody and stewardship of the corporate digital information and technology assets. These reasons include:

  • the protection of the organisation, including security and compliance (privacy, sovereignty, regulatory)
  • control of risk to the digital information and technology assets
  • maximising value from those assets through the application of expertise
  • maximising return on IT investments through shared services
  • optimising resource allocation

None of this precludes distributed IT, where a central IT function maintains as much involvement and control as they need to meet the objectives above, whilst allowing a business unit the autonomy they need to meet their goals.

The issue arises when a business unit decides that they are exempt from organisational IT policy; that they have a right to act in the interests of their business unit rather than the enterprise as a whole; that they have no accountability to a central IT function. When this happens, it is an indicator of a total failure of corporate governance, a dereliction of duty by the governors of the organisation. Shadow IT is ungoverned IT.

Shadow IT occurs at all levels in many organisations, from staff who think it is OK to store and exchange corporate information via external services such as DropBox, to HR departments who buy and install systems over the objections of IT, to marketing departments who think they are clever by engaging external providers to build and run applications or websites without telling anyone.


How do IT know if shadow IT is in an organisation?

The central IT function often finds out about Shadow IT when it dawns on the guerrillas that they need a network, though it is not unknown for them to arrange their own external connections.

Most commonly IT finds out when something goes wrong. Data escapes, or is stolen. Data is lost or corrupted. Productivity is lost when a system fails. Suddenly these things are IT's fault. Many executives quickly forget the principle of "no accountability without responsibility".

The IT function should find out about new IT systems because the organisation's ELT (executive leadership team) tells them. IT is a core asset of most organisations. It is the single most important asset in many of them. A central agency to oversee the asset and protect the organisation's interests is fundamental. If business units - and individual staff - are allowed to have their own IT systems outside the reach of this central agency, it is not that function's fault. It is the fault of the governors and executive of the enterprise who are failing in their responsibilities - it is a dereliction of duty at the highest level.



Should we regard Shadow IT as a good or bad thing? Is it a threat or an opportunity?

Shadow IT as I have defined it is a Very Bad Thing. It represents every kind of risk for an organisation: reputational, financial, customer, regulatory...

Of course IT should care, but only because caring has been delegated to us. The people who should really care are the governors and executive, whose failure to set and enforce IT policy is putting the organisation at risk.

The analogy I use is money, another important resource for any organisation. Money is managed centrally by the CFO. The Board has a Finance sub-committee. The organisation has regulatory commitments about money. It sets strict policies. If the CFO says a business unit can't have the funds they need for a pet project, the manager of that unit can't just ignore the CFO and go borrow money outside the organisation. Well, they can, but only once. Everybody knows this is a career terminating move because the CFO is entrusted with the financial safety and probity of the organisation. Why is it any different for information?
[In any discussion of Shadow IT, substitute the word "Finance" for "IT" and see if it still works.]



What plans or actions would you recommend that an IT function consider putting into place?

Get the Executive Leadership Team's attention. If Shadow IT is breaking out everywhere and the ELT don't care, if I was the CIO I'd be looking for a new gig. The governors must understand the importance of governing IT.

In the meantime, I'd be selling to the owners of Shadow IT the benefits of the rogue business unit transferring ("outsourcing") ownership of their IT system to IT, whilst retaining ownership of the informational service. This separation of service and IT system is a key concept in getting business units to let go of the IT assets.

If that doesn't work, get a waiver signed and escalated to the ELT: "When - not if - this ***s up, IT are not responsible for the mess". But when the flaming debris is raining down, we will still be held responsible, regardless.

Finally, never let a good crisis go to waste. When the company is picking over the rubble after some Shadow IT disaster, make sure you were already on record warning of the risks. And make sure you already have policy and plans drawn up for governing and managing Shadow IT, waiting for the day when the Board of Directors say "this must never happen again".
