Introduction to Shadow IT
Shadow IT can be a sign of fundamental management issues that increase your technology Total Cost of Ownership (TCO) and keep your organization from functioning at its best. Inversely, shadow IT can be a useful approach to rapid business unit adaptation to changing business conditions that keeps your organization nimble and innovative. As a technology leader, how do you understand where you sit today and how do you balance the risks and opportunities of shadow IT for optimal business outcomes?
In this article, GeoIdentity will draw upon our years of experience working with clients and partners across utility, telecom, non-profit, and news/media industries – We’ve discovered common trends for how shadow IT develops, the risks it poses to an organization (regardless of industry), the opportunities it presents, and the best approach to balancing the two. This article is organized into the following:
What is shadow IT?
Shadow IT is an umbrella term used to describe business units or individuals implementing IT technologies (cloud services, software, infrastructure, etc) without formal involvement of the internal IT org. Shadow IT can be a significant risk for organizations – driving disparate IT (ad-hoc solutions across lines of business) resulting in an unnecessarily high TCO for your technology ecosystem and reduced organization-wide operational efficiency and effectiveness.
Examples of shadow IT can include anything from a single employee downloading an application and installing it on their PC without the knowledge or approval of the IT org, to a business unit ‘running rouge’ and procuring cloud services for team productivity or analytics tools. These and other shadow IT examples exist at every organization GeoIdentity has worked for and are likely occurring at your organization as well. Shadow IT does present risks for an organization that should be well understood and mitigated to avoid potentially catastrophic outcomes. Inversely, It also presents opportunities that can be carefully exploited to the benefit of individual teams and the entire organization.
Shadow IT risks
Through working with our clients and partners, GeoIdentity has identified five common shadow IT risks. We’ve led clients from initial baselining and diagnostics of shadow IT to course-correcting through the implementation of simple yet effective management frameworks. While these risks are able to be mitigated and corrected, the more ingrained they become the longer it may take to correct them. See below for the shadow IT risks GeoIdentity most commonly sees:
- Business units may implement technology that does not align with your organization’s policies and standards causing risks to security, compliance, and quality.
- Shadow technology may not be able to support existing Service Level Agreements between business units, throttling workforce productivity.
- Business data related to shadow technology may not be easily accessible and usable across the organization, dramatically limiting the data’s business value.
- The IT org may be caught off-guard when, eventually, they’re called upon to provide operational support or help with capital upgrades – this can strain IT budgets and consume valuable hours the IT org had planned to spend somewhere else.
- Shadow IT may not align with your organization’s long-term technology strategy, slowly dragging the company off the mark and reducing its competitiveness.
Shadow IT opportunities
Shadow IT presents opportunities as well. GeoIdentity has worked with clients and partners to engineer low-risk shadow IT-related policies and management frameworks that yield great benefits. See below for three shadow IT opportunities we’ve helped clients and partners identify and take advantage of:
- When business units are given some autonomy to manage technology initiatives, they can be more nimble and able to adapt to rapidly changing conditions that can’t wait for the next planning cycle or slow technology procurement and provisioning workflows.
- Shadow IT can be an innovation enabler, allowing business units to explore new technologies, tools, and processes and discover the applications and services that help them do their job better.
- Shadow IT can support highly niche problems that impact individuals and small teams. Small-scale technology problems are easily de-prioritized in annual planning in favor of IT investments that will have a more measurable impact on the organization. Consequently, small-scale tech problems can linger for years keeping some critical members of the workforce left behind. With shadow IT, those small-scale problems can be prioritized and managed at the business unit level.
Shadow IT drivers
Shadow IT can be born from several sources but the primary driver is rarely malicious. In fact, GeoIdentity has found quite the opposite – shadow IT is usually a result of pressure business units feel to fulfill their roles and responsibilities to the best of their ability. For multiple reasons, business units may have inherited technology that does not meet their needs, or perhaps they’re not able to get enough time or budget from the IT org to solve their problems.
Knowing what is driving shadow IT is critically important to effectively manage the risks and opportunities. Here are three common drivers of shadow IT:
- First, overly constrained IT resources. Constrained IT resources can hobble the IT org’s ability to address customer needs in a timely manner, implement continuous improvements, and keep an eye on alignment to company strategy. This can add pressure on business units to solve their own technical challenges. As more disparate, shadow IT enters the organization it places increasing pressure on an already strained IT org, and a negative feedback loop may form.
- Second, a challenge to any organization is how to effectively manage IT complexity. Mergers and Acquisitions (M&A) is a good example where company M&A activity can fuel growth but result in compounding technical debt as new data assets and systems may not be effectively assimilated into an enterprise digital strategy. Almost overnight, the complexity of IT in an organization can multiply. The IT org may become increasingly strained to try to meet the capacity and capability demands of a highly complex IT ecosystem and a shift to more reactive and less proactive IT results, ultimately leading to reductions in IT service quality. Once again, business units may feel pressure to solve their own IT problems.
- Third, If IT procurement and provisioning workflows operate too slowly, business units may side-step them and take-on tech initiatives themselves (cloud computing has made this increasingly easy to do). Increasingly, organizations are adopting cultures of rapid innovation of processes and tools to solve problems quickly. This can place tremendous pressure on business units to experiment with, select and deploy new technology on their own.
Shadow IT detriments
Shadow IT risks left improperly managed will yield detriments to the organization. GeoIdentity has identified three common detriments born from shadow IT risks that can raise the cost and complexity of IT. Increasingly, reactive maintenance and upgrades for an overly diverse technology landscape may consume IT resources that could otherwise have been used for innovation, improved service quality, or delivery of new services. See below for three common shadow IT detriments:
- One major challenge with shadow IT is that it obfuscates enterprise-wide holistic planning – shadow IT can drive weakly aligned enterprise-wide technology, data, and application architectures. As a result, business and technology stakeholders may not be able to develop a complete view of the business impacts of architectural decisions – further embedding siloed planning across business units.
- A second challenge is the increased cost of maintenance – IT maintenance activities may become increasingly complicated as business logic components become tightly integrated and overly distributed across too many systems and modules. Fixing existing features can require significant time reviewing all dependencies and require an overly diverse set of technology team capabilities. Additionally, flaws in the architecture of a software system can have a greater impact on security concerns and increase risk and compliance challenges.
- Thirdly, shadow IT may force unnecessary creativity in design and implementation activities – To meet the complex nature of application updates and integrations, designers and implementers may have to resort to ad hoc and creative solutions to get something to work.
Shadow IT benefits
If managed well, low-risk shadow IT can present opportunities and yield benefits by enabling innovation and rapid adaptation that can help your organization be more competitive and make better use of scarce resources. GeoIdentity routinely sees two common benefits presented by shadow IT:
- First, when the IT org is tasked with developing and delivering products and services, some requirements can get lost in translation and the final product may not fully meet user needs. When business units are given some free reign they can define precise user needs and rapidly deploy new products with limited involvement from the IT org. This helps keep employees productive and can be a powerful enabler for innovation.
- Second, shadow IT can lessen the burden on the IT org. In most organizations, IT is highly constrained in trying to meet evolving and expanding demands with limited resources. Shadow IT can lessen some burden on IT by placing appropriate application development and operations tasks within the business unit level.
Managing shadow IT for success
So how do technology leaders manage the balance between shadow IT risk and reward? On one end of the scale, you have increasing technology TCO associated with overall increasing technology ecosystem complexity. On the other end of the scale, you have more nimble and adaptable business units and accelerated innovation. GeoIdentity has had success with our clients and partners by collaborating with them on balancing the risks and opportunities of shadow IT through careful planning and management from within the IT org. as well as other business units. This requires simple and effective management frameworks and, most critically, buy-in and alignment across the leadership team.
While every organization is different and requires an approach fit for its purpose, GeoIdentity has had great success with the following four-step general process to manage to shadow IT effectively for optimal business outcomes:
- First, technology and business leaders need to understand where we are today by evaluating and documenting their baseline enterprise architecture (business, data, application, and technology architecture). This includes understanding the business architecture and the functional mapping that drives the data, application, and technology architectures. This step is critical in understanding current-state business/IT alignment.
- Second, technology leaders should define where we need to go by partnering with business leaders to understand their needs and define a company technology strategy that drives business performance. This should include (1) some strategies to digitally transform away from disparate IT and towards a holistic enterprise architecture strategy, guidelines, and standards that leverage technology best practices and align across the business, data, application, and technology architectures, and (2) strategies to allow low-risk business unit management of shadow IT while still aligning to overall company technology strategy and service catalog.
- Third, identify and prioritize specific goals and IT services needed to make your strategy a reality. This can be accomplished, for example, by implementing an annual planning process that includes evaluation of capital and operational investments across verticals through a technology lens to ensure business strategy and objectives are tied to the right enabling technologies (it’s critical to ensure this is a collaborative process between technology and business stakeholders).
- Lastly, execute on your goals, measure performance, and continuously improve. This will require IT Governance with appropriate technical expertise, leadership, and frameworks to plan and execute projects in alignment with a holistic IT strategy, clearly defined and measurable performance metrics, and some mechanism to course correct and continuously improve based on performance results.
Conclusion
Shadow IT presents both risks and opportunities – it can raise the cost and complexity of IT from an overly diverse technology landscape and, when embraced, can provide end-users with low-risk options to explore and deploy new products that make them more innovative and productive.
Technology leaders must clearly understand their as-is state and work in partnership with other business unit leadership to develop technology strategies, frameworks, resources, and governance that effectively mitigate shadow IT risks while exploiting opportunities. When properly done, it will positively move the needle on your organization’s performance.
GeoIdentity has extensive experience working with clients and partners to understand their shadow IT state and manage it for optimal business outcomes. The article presented here gives some high-level insight into shadow IT based on GeoIdentity’s years of experience. We’re excited to partner with you on your journey – Contact GeoIdentity today for support with your business/technology challenges. We’ve helped Fortune 500, news and media, utility, telecom, and non-profit organizations achieve their best and we’re ready to do the same for you.