Notes from the Consultant's Jungle

Data Center and IS Security Information, Trends, Advice

Back to Shadow IT

September 30th, 2011 · 1 Comment · Business, Cloud Computing, Enterprise Architecture, IS Security, IT Governance

Through some of the work that I do for my clients, I’ve helped to identify and reduce Shadow IT as a part of better aligning IT delivery with strategic business goals.  It has been sort of a mantra that Shadow IT is a bad thing and must be eliminated.  Over the past couple of years though, I’ve increasingly found myself second-guessing that mantra.

BYO IT

While governance and security are even more important now than in times past, the characteristics of IT services have changed around us.  Take end user devices, for example.  Several years ago, the product life of a desktop or laptop system could be argued to be three years or more.  While the device can certainly function for that long and even longer, most users are now “out-using” the device long before that.  Device manufacturers are developing products that are well dialed-in to what users want… even if the users don’t know they want it.  The product cycles for these innovations are measured in months rather than years.  Furthermore, usability of the products themselves has significantly improved beyond what used to create routine help desk tickets.  The product marketplace has slanted heavily toward users who are disgruntled when someone suggests they have to use some particular make and model of computing device.  Users are eagerly willing to switch to B.Y.O. IT.

Offerings available through SaaS and PaaS cloud providers are very sophisticated and robust.  They are moving to the point of commoditizing IT services that not long ago were considered quite complex.  Some of the development work that consumed IT cycles in creating a new service has been already done and done well by these providers, bringing into question the cost justification of a new service creation project at the very least.

Changing Views of Shadow IT

So what does this mean for our traditional view of Shadow IT?  Well, if one is still reluctant to let go of the notion that Shadow IT is always bad, then it means the job of managing the proliferation of Shadow IT is becoming harder than ever.  If one is coming around to a model in which some Shadow IT may even be beneficial, then the focus of the work shifts to how to ensure governance and security.

Some may address this by trying to establish an approved list of BYO services.  In my opinion, this may be just as steep a treadmill as trying to eliminate Shadow IT.  Others have addressed this through what I call the “Walk a Mile in My Shoes” approach, through which the IT leader will try to make users appreciate what IT actually goes through to bring a service to the enterprise, in hopes that they will take with them an eye for good security and governance concerns.  To me, this is a roll of the dice, and given the typical success (or lack thereof) we usually have with communication plans in the IS security context, my hopes are not high for that one.

An argument can be made that Shadow IT, framed in the proper context, can even offer relief to IT services planning and delivery.  However, the aspects of governance and IS security are even more open ended in such a model, which requires a shift of attention to that area.

We’d greatly welcome your thoughts on Shadow IT in your organization, and in particular would like to hear examples of how the changing marketplace has reinvigorated Shadow IT proliferation in your firm.

1 response so far ↓

  • 1 Dave Williams // Oct 12, 2011 at 7:24 pm

    Shadow IT has been around in healthcare (where I work) as in many industries for years. I agree with your comments about re-thinking Shadow IT. Clearly the benefit of reducing Shadow IT provides the enterprise a better understanding of its overall IT costs. Command and control improves by reducing Shadow IT, specifically in the area of security.
    With that said, I believe IT is in the business of supporting and protecting the enterprise and its users. Shadow IT typically provides better end user service because it is focused on its users only. The problem comes when enterprise objectives are ignored and security or system availability is compromised.
    So how do we achieve balance? I believe it starts with governance. Establishing the rules of engagement between enterprise service providers and Shadow IT is critical. This is best done by educating key business IT owners of the value of both enterprise and Shadow services. Next, define the roles and services to be provided by enterprise and Shadow. Enterprise should focus on core services (security, e-mail, processing, storage) which can be viewed as utility services. Shadow IT should focus on department or end user requirements and follow enterprise standards, specifically security.
    The challenge is in the details, which takes us back to governance. There is likely no right or wrong division of services. Regardless of the division of services, it is imperative for the governance team to agree and communicate the results.
