Not long ago, when business managers surreptitiously downloaded and used their own SaaS programs, it was called shadow IT.
Today, business-managed IT has come out of the shadows and into the spotlight. Nearly two-thirds of organizations now allow business units to select technology that fits their own particular needs, according to KPMG’s 2019 Harvey Nash CIO survey. Among organizations that don’t permit it, over half say it still exists.
While business IT can boost productivity and enhance product development, it also poses significant risks if it’s not managed properly. Here are some guidelines for getting the most out of business-managed solutions without harming the organization.
The proliferation of no-code and low-code tools and of easily integrated cloud-native products has made it easier for business units to configure and manage their own applications, automation, and analytics, and there’s no question that doing so brings advantages.
“No one knows the business better than business managers. The traditional process of trying to communicate their requirements to IT, which then has to try to interpret and implement them, is a largely broken model,” said Steve Bates, principal and global leader of KPMG’s CIO Center of Excellence.
According to the KPMG Harvey Nash study, companies that actively encourage managers to adopt and collaborate with IT on their own technology provide a better customer experience and release new products faster than others. As the world grows more digital, choosing the right software matters more than ever. By 2022, IDC predicts that 80% of revenue growth will depend on digital offerings and operations.
Problems and Limitations
If business IT is not well governed, it can cause the organization a host of problems, the most serious of which are cyberthreats. Every new app increases the attack surface, offering hackers a new door where they can try to infiltrate the corporate network. Though business managers may not realize it, connecting to many third-party and open APIs can easily create cyber risk, Bates pointed out. “It is easy for the business to lose visibility and understand who is accountable for maintaining security on all the connected layers,” says Bates.
Even secured connections and apps are not designed to meet the organization’s compliance requirements and could lead to a failed audit. In addition, programs not run through a strong central governance and architectural review process may interfere with the performance of corporate apps.
Another problem is maintenance and sprawl. Modern IT departments use zero-touch deployment and automation to push software and updates throughout the organization with a single touch, keeping pace with recommended patch levels, security updates, and builds. Bates points out that business managers may not have the experience and sense of urgency to update their software promptly, which can lead to security and performance gaps. As unmonitored apps accumulate, the IT performance of the organization as a whole deteriorates.
A Hybrid Model
Organizations need to strike a balance between imposing controls so tight they don’t allow business units to innovate and ensuring safety and efficiency. While some apps can be run by business units with few problems, others should be left in the hands of IT experts.
Business IT works best for simple, low-code applications that don’t require an engineering background to set up or manage. “Business units can unleash their creativity within bounds that IT can set,” Bates said. Robotic process automations created on platforms like Blue Prism or Appian are good examples. However, complex programs like ERP, custom apps, or any systems involving high-risk security, network, or compute dimensions should remain under the purview of central IT.
“To help bridge the gap, many companies are rethinking their architectural review boards to include business managers as well as IT representatives,” said Bates. The boards hash out design standards, platforms, and features that provide business units with the leeway to do what they need while still adhering to a basic risk-based organizational framework.
Emphasizing Business Value
Business-managed IT is part of an overall organizational trend in which demonstrating business value and results is paramount.
Central IT, too, has become more focused on business outcomes. “Instead of funding one platform or technology, then moving on to the next, IT is making smaller, more frequent investments directed toward specific results. If the results aren’t achieved, the technology is scrapped,” Bates said.
“It’s what we call dynamic investment, and we think it will continue to mature,” Bates said. “We increasingly see a willingness for organizations to invest in smaller, modular, short-term solutions, knowing that they may move on to something else as the business needs change.”
Business-led IT fits well with this new, more agile IT environment. Working together, business managers and IT can steer the organization with precision toward important digital transformation goals.