Is shadow IT a security threat that you must stamp out, or something IT must learn to live with? Neither, says Jim Cole, senior vice president at Hitachi Consulting. It's a sign that IT isn't innovating fast enough. In an interview with The Enterprisers Project, Cole explains why an attitude adjustment about shadow IT can make IT a more effective partner for the enterprise.
The Enterprisers Project (TEP): How widespread is the problem of shadow IT? Do all large organizations have some?
Cole: The degree to which shadow IT exists within an organization has less to do with the size of company, and more so with culture inside and outside of IT. The more progressive, risk-taking, innovative, and results-driven an organization is — and how dynamic the markets it serves are — directly correlate to the company's likelihood of having greater degrees of IT being driven outside of the IT department. The question is whether the CIO and IT team are functioning as the strategic champion and enabler of change.
If the IT organization is strategic, well-funded, and sought after by the business, you will find lower levels of IT consumption being driven outside of IT, because IT is with the business making it happen. However, it often seems to be the case that IT is struggling with declining budgets and an ever-shrinking strategic voice of change in the business and finds itself in the unenviable role of being the office of no. When that happens, end users will bypass the established rules and procure the solutions they need with less of IT's perceived heavy-handed involvement.
In reality, thanks to the consumerization of IT and the pervasive spread of personal devices in the workplace, there is some level of shadow IT happening in most companies though it is often denied. In fact, we at Hitachi Consulting have run tests inside companies and found staggering instances of IT outside of IT, and the true shift in this direction is just starting.
TEP: With the wide availability of inexpensive or even free cloud offerings, shadow IT often seems like the path of least resistance to busy executives. How should IT fight that perception, or should it even try?
Cole: Throughout human history, most attempts at isolation and preservation of the established way of doing things have fallen victim to the unrelenting forces of change. People and the companies they're associated with must change, innovate, reach new markets, and as a result, take risks. My recommendation is for today's CIOs and their leadership teams to proactively engage in a meaningful partnership with the business. Don't just join with the business, enable it!
TEP: Some experts advise organizations to embrace shadow IT. For those that do, how can they keep their networks and data secure if they don't even know what software employees may be using?
Cole: In today's interconnected world it is simply not realistic to think you can keep your network and data secure if you don't know what software employees are using. Instead, working to establish what capabilities are in bounds and out of bounds and why is incredibly crucial.
Most employees do understand the risk of data breaches, regulatory violations, and other such operating risks — so my advice is to engage them in conversation to find creative workarounds that help get their work done in an innovative, impactful and safe way. That will not only benefit the business but also its customers.
TEP: What is IT leaders' best strategy to diminish the incidence of shadow IT?
Cole: Engage, engage, engage. Get embedded into the business, become part of its change strategy, and help facilitate moving forward with new tools to drive higher levels of efficiency and effectiveness. Educate business leaders on how technology solutions from SaaS to bare metal can make a difference in the results they can achieve.
As IT leaders, our role is to help bring technology-infused solutions to the business and/or build them with the business and thus drive differentiation and a competitive advantage. However, our value diminishes when we are perceived as change blockers rather than change enablers. As a result, we are often left to tend the remaining solutions until they (and we) reach end of life. The risks are dwindling budgets, diminished impact, and being passed over by the businesses as they race towards the future and new markets.
TEP: Any common mistakes you see IT leaders making around shadow IT?
Cole: The most common mistake occurs when we put our proverbial head in the sand and state emphatically, "Not in my shop" when quizzed whether there is shadow IT. The important question is what to do about it?
The best advice is to engage in what the business is doing and help them figure out how to do it better, faster, and more insightfully, all the while using new tools, delivery models, and platforms. Ultimately, you need to do whatever helps to drive the shift from stovepipe industrial-aged applications to those focused on speed of decision-making, rapid customer engagement on all the various forms of communication, while balancing security with innovation.
