Taking back control of Shadow IT
24th Jun 2020
Geoff Izzard, Mason Advisory
IT practitioners will usually have experienced the world of Shadow IT. To put it in simple terms, Shadow IT is any technology, digital or data product or service that is not under the management and control of the IT organisation. This can range from things as simple as spreadsheets or local databases, all the way through to full IT projects and functions that operate within a business setting and outside the controls of IT.
There are two basic forms of Shadow IT: first are the Business Developed Applications (BDApps); second are the IT functions. From an IT organisation and best practice perspective, it is down to the IT organisation to find the right approach to bring Shadow IT back under the appropriate technical, operational, service and security controls.
Control of BDApps
No IT department is ever going to stop the development and existence of BDApps within an organisation. They tend to exist for a wide variety of reasons, all of which will recur over time as the business's organisational needs develop and change. Typical reasons for the creation and existence of BDApps include:
- it was easier to develop the BDApp within the business unit than to go through IT
- the BDApp was brought in from elsewhere, where it was proven to work
- the BDApp grew up organically from a basic business idea
- a supplier sold the BDApp directly to the business, under the radar of IT
Why BDApps exist isn't really the issue; it is more important for an IT organisation to accept that all of these reasons will be valid to the business function that created or adopted the BDApp. Equally, it doesn't really matter whether the BDApp is a simple high-function spreadsheet or a fully functional web-based application delivered as a service: the overall approach an IT organisation should take to resolving this should generally be the same.
Key to the whole approach is excellent engagement between the IT and business organisations, and it can be broken down into four steps:
- The IT organisation must work with the business community and get them to identify and log all the BDApps that they use.
- The business needs to highlight all BDApps that are critical to business processes and operational delivery, and then the IT organisation will need to extend an effective service wrap around these critical BDApps.
- The IT organisation will develop and execute plans to bring critical functionality into core IT operations, either by replacing the functionality in BDApps with core IT solutions or by developing robust solutions as part of an integrated IT service.
- The review and management of BDApps needs to become an ongoing part of continuous improvement of the IT service.
IT Functions within the Business
A far bigger issue for any IT organisation is the existence of an IT function within the business that is not part of, or under the controls and standards of, the IT organisation. While these IT functions are termed Shadow IT, they are very rarely hidden from view, and it is usually very clear that there is IT development, operation and support that is outside the control of the IT organisation.
There is no doubt there are many business reasons as to why an IT function may exist within the business, but they will generally fall into one of two models, each with a different requirement for change.
Firstly, there is the historic or legacy model. This will justify an IT function either because it was always there, or more often these days, because it has come over into the business as part of business acquisition or merger.
In historic cases, one of the best approaches for an IT organisation is to conduct an assessment of legacy IT on a people, process and technology level against a robust IT strategy for the organisation. This will not only assess the Shadow IT function as a whole, but has the added benefit of engaging the business function in the strategic role of IT in support of business operations and future requirements.
The aim of any assessment must be to provide clear recommendations as to how a Shadow IT function can and will be brought under the core control and service of the IT organisation. It is always best if this is done in a manner that requires minimal immediate change, but involves plans for a properly managed transition, including technology, contracts and people, into the IT organisation over an agreed period of change.
Secondly, there is the far more prevalent issue of funding, where a business function considers the budget and funding to be theirs to spend, and that they can therefore decide how to spend it. While the approach to resolving historic Shadow IT functions is still relevant here, a significant step needs to be taken before that can be achieved.
In any organisation where the perceived ownership of IT is down to agreed business funding, a change in the culture is needed between the business and IT communities. In saying that, there is no silver bullet approach to achieving this change, suffice to say that it must start with IT being seen as the partner who delivers business services and improves operations, and not just another IT supplier. This can only be achieved through executive sponsorship and positive business engagement. Quite often there will also need to be some rebuilding of trust between IT and business communities. IT should not be afraid of accepting criticism of past issues, and must have the confidence to demonstrate how it can, and will, deliver future success.
Benefits of Control of Shadow IT
A final and important point to note: there is rarely a reason for a business function to freely give up control of Shadow IT without a clear understanding of the benefits that will bring, and a compelling reason to change. For most business communities, the most compelling reason for change is the IT organisation showing that it can deliver the same or better service for the same or less cost.
Additionally, an IT organisation must show that it is providing many other benefits that extend across the whole organisation. These will likely include a single set of controls and standards across IT, improved integration across business operations and out to third parties, improvements in information security, and a clear strategic and managed life-cycle for IT.
Disclaimer – opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer or organisation.