CIOs: How do you Brighten Up Shadow IT in your organization?

As we all know, there are many systems and solutions built and used inside organizations without IT approval and generally people use because it is free, instant set-up and don't care or understand the security implications. IT feels like a race against time! So what’s the right attitude to shadow IT, and as a CIO, should you, or how do you “brighten them up” in your organization?

1.  Shadow IT needs be Seen as an Innovation Opportunity 

Shadow IT exists for real reasons, some subjective (lack of trust, turf games, etc.) and some objective (the way budgets work - sometimes there is no money/resources for it in the IT budget, but there is more than enough in the BU's budget, etc.). Make them your allies - not enemies. 

Accountability can rule the day. Most, if not all CIO's, are accountable for the security and integrity of the enterprise's data and networks. Technically, Shadow IT should not be allowed to introduce anything into the enterprises' architecture. At industrial age, the enterprise IT still acts as controller only, think IT is scarce, while the world of clouds, shadow IT crops up: it means the business department started bypassing IT for purchasing SAAS base applications on their own; on one hand, such circumstances are understandable, as business compete with agility, the speed of application solution can accelerate business growth; on the other hand, IT also has enough good reasons to control it: as IT infrastructure cost fortune, broke easily, shadow IT will cause risk/security loopholes to the business in the long term. 

The standard answer is that you promulgate a policy: requests for new tech must pass through the initiation process, etc.; but if that worked you wouldn't have a shadow IT. And if you take a hard line, you risk punishing the innovators who seize an opportunity to add value with a new system or technology (as well as those who are just ignorant of the process or too lazy to follow it). But overall, shadow IT need be seen as an opportunity

• IT can then discover new needs or risks or new tendencies 
• IT can standardize some shadow applications, if there is no major security threat 
• IT can explain the people why some shadow IT applications are for the company not acceptable (data security,...) 
• It's an internal competitor that can in some occasion help to wait for the right IT project      

Every opportunity also has risks. Shadow IT works only when there are no proper IT policies in place. It is always good to test and check new tools which can give benefits but should always be done in supervision of IT or after approval from IT. There has to be a cost to bypassing the process and project requests "submitted" in this informal manner would naturally be at the bottom of the priority pile. But maybe other punishment can be relegated to performance review time. Innovation that adds value mitigates the offence of failing to adhere to corporate policy; but a simple disinclination to follow the process does not, and a violation that compromises security is punishable even up to termination.

2. How to Brighten Up Shadow IT

The IT governance approach ought to be to consider the unofficial tech objectively. Upon the discovery of non-approved tech, treat it as a project inception request with requirements implied by the implementation. If you have to control, best scenario is to control from the root level so that users don't install the freeware or shareware but properly implementing on the Enterprise O/s level security.

• Treat them as the prototyping teams: When IT treat them as an opportunity you can have visibility and much better control of what is going on. - Give them hosting and integration options commensurate with the prototyping paradigm! Then in the end you will gain visibility into what is going on, help them make it more sustainable and catch issues before they become problems. So not to punish the users of shadow IT, either promoting transparency to IT over their uses, so that IT can act or react with the right decision or project priorities or tool.. 

• If Shadow IT exists because so called 'best practice' or innovative initiative, then removing them erodes business success. Perhaps those "shadow" or "darkness" have some innovation light, then IT may amplify and share the best practice, Therefore, only business and IT work as true partners, as IT need get fellow business peers’ support, transform shadow IT into full spectrum of IT services, by building a rich ecosystem of services atop infrastructure -in both public and private cloud environments through integration and GRC management discipline, also well manage business-IT-Vendor trilogy in order to gain purchasing power for negotiation or reducing process redundancy.  

• Establish an environment to support and encourage it – If end users using Shadow IT for innovative work. As CIO, you need to think in a direction where innovative ideas don’t stop, so set up a team to support the business to do what was needed. It helped to enable the means to spot apps that were going critical - and also for small apps created an environment where requirements for something that may go large were effectively defined in an end user environment - ensure some good practice (security, scalability, tech support) would be available for those that grow into business is critical 

 There're a few things "bothering" IT these days, shadow IT, dark process or technology debt, there’re both opportunity and risk in it,  IT need expose and understand why they exist in the first place. The integration of "shadow IT" or "end user computing" teams into the IT organization works best when done as a conscious decision by the business unit running them because it makes business sense and makes things easier. Do more selling. Show real value of doing it through IT leadership and it would not be too difficult to brighten them up. 

Posted in: CIO Debate,GRC