Bring Shadow IT Out of the Dark, Gartner Tells Tech
Mention shadow IT to many technology professionals and they'll shudder before trading war stories. But to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon, said analysts speaking at the Gartner Symposium/ITxpo 2015 in Orlando this week.
"Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It's called innovation. It's happening in the edges where we don't deliver the solutions. You might not agree with it but you should think that way. The people today who are innovating are the people who will take your jobs in 20 or 30 years," said Hank Marquis, research director at Gartner.
On average, 28 percent of IT spend occurs outside the IT department today, he said. That number is expected to increase 5 percent over the next five years, a separate IDG report found. But when these shadow IT investments run into technical problems, IT staff get the support phone calls, Marquis said. Often unaware of the implementations, the solutions or services in place, and the integration techniques used, IT then must scramble to address technical, governance, security, and risk issues – sometimes critical concerns that endanger the entire organization.
When the CEO of one healthcare company told his newly appointed vice president to use his budget to avoid IT, the executive set up an account with Amazon and began sending protected health information (PHI) to the corporate database via unsecured FTTP, said an IT professional who used to work there and did not want to be named. IT learned of the system and got involved when the vice president's team ran into a problem – and the "compliance tsar" heard about the system's breach of HIPAA and demanded an immediate fix, the ex-employee told Enterprise Technology. Other times, shadow IT instances crop up en masse during an acquisition's audit, an IT executive at a northeastern bank said.
In another instance, a group of employees at a financial firm was filming in downtown Manhattan at lunchtime and decided to send video back to the office to its shadow storage system using the corporate network. Trading ground to a halt as the network tried to deal with the huge – and completely unexpected – load, Marquis said. In another case, a sales department set up a crucial system on an individual's desktop without IT's knowledge. When the sales person went on vacation and turned off the PC, nobody could log a sale for the entire time the rep was out, Marquis recounted.
"Shadow IT for the right reasons, in the right areas, can create value. Shadow IT – this money is being spent – can create value. And shadow IT can destroy value," he said. "But what we're not doing is engaging, giving examples – hey, it's ok if you're doing what you do, but not if the result is the destruction of value – versus a system where you can bring something into the fold and protect it."
Out of the Shadows
Rather than reining in shadow IT, CIOs and their departments should empower departments to innovate with technology but set up boundaries so adoption abides by compliance, regulatory, and security rules, said Marquis. This approach encourages innovation without placing organizations in peril, he said.
"You have an untapped pool of resources all around you," said Marquis. "The dark side is you'll be responsible for the bad decisions all those shadow IT people make."
Trying to rein-in shadow IT will not only fail, it places companies at a disadvantage. One firm, for example, had attracted a particularly attractive candidate from a top university. On his first day of work, IT gave the young professional a Lenovo laptop and a Blackberry; in response, the employee said he used an iPhone and Mac – and quit, Marquis said.
"His first day was his last way because we didn't let him work the way he wanted to work. This is becoming an HR issue as well. You're not going to stop shadow IT. It's not going to go away. You're not going to suppress it," he said. "You might as well embrace it, leverage it, use it."
To accomplish this, Gartner recommends IT organizations first engage the business as a partner, not a competitor, by holding open discussions with senior executives to redefine IT's role in leading and defining the enterprise's investment in IT. CIOs should establish an end-user board for continuous dialog, especially with "non-routine workers," who will be those pushing the envelope on technology usage, said Marquis.
Next, it's vital for IT to establish risks and boundaries.
"If you bought it, you break it, you own it. Those making IT-related investments should be accountable for those investments," said Marquis. "Shadow IT can destroy value as easily as it can create value. Bring that to their attention. They don't always understand the ramifications of their decisions. Your answer shouldn't be, 'That's why you shouldn't do it.' Your answer should be, 'That's why you should come to me.' It's not your fault somebody did something if you tried to help them."
IT must work closely with the internal audit and asset-management teams to ensure compliance for user-generated IT projects, he said. And the department should offer tiered services and support, moving away from an all-or-nothing approach. However, it's vital that top executives support IT's role in overseeing business-critical solutions such as procurement and hiring, added Marquis.
Next, organizations should adopt a bimodal environment. Mode 1 focuses on prioritizing facility over speed, on keeping the lights on and adhering to rigorous change-management processes, said Donna Scott, vice president and distinguished analyst at Gartner, during her keynote on Tuesday. Mode 2 is non-linear, focused on speed, and more experimental, she said.
"It's an innovator culture. Mode 2 prioritizes speed over stability. You design them to be more cloud native or cloud optimized. You enable elasticity," Scott said.
To support innovation and embrace shadow IT, CIOs and their teams also need to develop a digital workplace strategy, Marquis said. The technology department must work closely with human resources and other departments to look beyond BYOD and "make employee-centricity a component of every design and a consideration in every investment decision," he noted.