by Myles F. Suer

Shadow IT: the CIO’s perspective

Oct 18, 2018
CIO, IT Leadership, IT Strategy

Should CIOs fear or endorse shadow IT? The CIO’s perspective may surprise you.

CIOs have many reactions to shadow IT. Some complain that IT is generally measured as a success only by delivering something the business wants. However, IT organizations can get caught up in just doing cost control, security and overarching governance.

With this context, CIOs say, it’s important to realize that shadow IT is not the problem. Instead, it is a symptom, real or perceived, that IT is not delivering what the business needs. Some CIOs suggest that if you have shadow IT, it means IT isn’t doing its job.

Most think differently. They say it is the CIO’s job to listen and offer solutions. For this reason, IT organizations need to embrace shadow IT and build a culture where shadow IT effectively becomes sanctioned, secured and made to meet the needs of broader users by IT. In sum, IT organizations need to not view shadow IT as the enemy, but instead see it as an opportunity to right the ship before it is too late.

Moving from the department that says “no”

CIOs believe that embracing shadow IT is how IT departments go from the department of “no” to the department of “know.” IT should be a place helping people get their job done securely and easily. CIOs think that a key to limiting negative impacts from shadow IT is to partner with the CFO to ensure there are spending controls. But, CIOs are clear, this only can happen when the CIO and IT are already doing an excellent job at solutioning and delivering on business needs and well along the way with SaaS and cloud.

One CIO respectfully disagreed with the group a bit here. If you have employees, they said, you’ll have some amount of shadow IT. Nevertheless, this CIO believes IT should be aware of this activity and act less as a draconian gatekeeper. This CIO suggests shadow IT is always a case of people trying to get their job done better/easier and usually occurs when they can’t get IT to support them effectively. They believe most IT organizations look at shadow IT as bad/dangerous without trying to understand the why. When you understand the why and embrace the business, you are starting to do your job.

Unfortunately, it only takes one hack of an IT-managed solution to convince business leadership that IT is too slow or too costly. For this reason, IT leaders need to lead and enable. They can no longer play from behind. The problem is that security failures can occur as the result of a business leader not wanting to participate in governance, cost controls and security. It is essential for this reason that IT leaders be at the business table.

Meanwhile, acting against shadow IT is seen universally as a bad idea. CIOs must meet the needs of the organization as a whole and often the opportunity for the whole is suboptimal for an individual department. What’s fully optimal for a single department can be detrimental to the whole. At the same time, data almost always will be incomplete and in the wrong context. Processes and workflows will be flawed. Without IT leadership, there is little chance to integrate applications or to fix security risk. CIOs say without these, management will eventually replace the CIO.

Can the amount of shadow IT be reduced by CIOs listening better and showing more flexibility?

CIOs suggest, importantly, that shadow IT should be used to learn how employees work or, even better, how they want to work. With the right attitude, CIOs can have constructive conversations regarding adding a solution or recommending alternatives. At the same time, CIOs believe that listening, communicating or being flexible is a crucial step, especially when done proactively with business leaders. IT lieutenants need to play a role here too. For this reason, the CIO owes it to the organization to have a “can do” attitude and to do the outreach to ensure shadow IT conversations get started.

When CIOs routinely say “no” or put something on the bottom of a long list, the business today will go it alone. This is especially the case when the IT budget process is broken. And when it gets bad enough, it will become the CEO’s or CFO’s problem to fix.

For this reason, the CIO’s job increasingly is to surface and educate. It is also to partner with the different lines of business to provide the right tools. CMO marketing technology spend today can rival CIO spend. Responding to this requires many IT organizations to shift to a broker mode or even make organizational change.

Regardless of how technology is acquired, effective CIOs provide a needed technology governance function. The fact that CMOs spend as much on technology as CIOs is a key area needing governance. CIOs suggest importantly that not all software needs to be centralized or even be part of the enterprise architecture. There can be a purely local instance to meet specialized needs.

CIOs say, interestingly, that CMOs typically don’t want to manage technology spend—they’d prefer “outsourcing” this to the CIO. For this reason, it is critical that IT leaders be able to work with their business counterparts. They need to know that just because they listen doesn’t mean that the central organization is in the best position to provide a service. CIOs should listen with an ear to who is in the best position to meet a business requirement.

If IT is inflexible, a mismatch can occur for speed, quality, cost, or features tradeoffs. If a CMO needs a webpage up now, for example, it doesn’t need two weeks of design, QC and approval. CIOs should be able to effectively fix it on the fly.

In sum, shadow IT should be leveraged as an “Ideas Lab.” It should be used to define the IT roadmap. IT, however, must highlight the governance model it provides to run these projects/programs in a better, cheaper, and more secure way. IT should always coach, advertise and sell its strength in areas of policy, governance, security and vendor relations.

What are the biggest negatives for shadow IT?

CIOs had a laundry list. Here is their top 6.

  • Duplicated efforts.
  • Siloed efforts/no integration. CIOs liked to call this stranded data.
  • Multiple sources of truth. In other words, multiple financial systems reporting different financial results. This can cost a fortune in audit fees as well as SOX violation remediation.
  • Employee experience. You want to avoid multiple access identity management environments and multiple systems to touch to service customers.
  • IP being locked away in unknown silos. You do not want the CIO left figuring out IP on-the-fly.
  • Vulnerability outside of IT’s purview or bypassing IT data security/controls is scary for most CIOs, as is the lack of governance and cybersecurity controls around information contained in shadow IT applications.
  • Legal and security risks with non-mainstream applications. Some at the edge skip security and compliance by going it alone.

Clearly, business users want and need integration. Shadow IT poses a challenge with additional end points and applications not optimally configured or lacking appropriate integration or APIs. CIOs, for this reason, believe in having IT-created and enforced architecture, data management and security (including identity management) standards that apply across the organization, including shadow IT. CIOs say this is key to keeping the core business data truth in the central repository while customizing it to purposes at the edge. Otherwise, IT is left with an archeological dig to “reverse-engineer” intent. In conclusion, poorly managed shadow IT can lead to confused customers and embarrassed team members, which in turn damages overall morale and even business.

Can CIOs and Enterprise Architects ensure enterprise architecture supports Shadow IT?

CIOs had different answers to this question. Some said that a CASB solution can be used to gain continuous visibility into shadow IT. With this, CIOs can collaborate, prioritize and potentially deploy/integrate.

To ensure that shadow IT is run correctly, CIOs need to stop saying “no” all the time and start exploring ways to accomplish what the business needs. They need to ensure a flexible architecture is created that supports today’s needs and change. CIOs, at the same time, say it is important to stop building proprietary, unmanageable applications.

CIOs clearly need to review and remove unnecessary and no-value-add redundancy. At the same time, CIOs need to get out of the way of creativity at the edge. CIOs need to realize that there is a business champion and budget for innovation at the source of shadow IT funding.

At the same time, CIOs need to figure out what processes are preventing the business from achieving its goals. It might be a micromanager—it is not always a tool or architecture. In general, enterprise architecture is seen as the cornerstone to mitigating any type of organizational risk. CIOs suggest that certainty in IT architectural standards is needed no matter who funds or does the work. Data and security architectures need to be baked in. Business processes for shadow IT need to be documented as well.

It is clear CIOs have plenty to clean up. One CIO suggested that CIOs need to almost be the opposite of the “cost-cutting CIO.” Technical debt takes work to “shovel out.” Clearly, there is no single answer, but building monitoring, delivery and management tools that can incorporate disparate systems is an effective way to gain visibility.

Clearly, CIOs can try to completely subsume control of shadow IT. Locus of control, however, isn’t the overarching issue. It is important for incoming CIOs to understand and fix adversarial relationships. A root cause of shadow IT can be an IT organization that is starved for budget. Given this, it is important to remember the business has money to get things done.

Clearly, if the CIO and the rest of the C-Suite see eye-to-eye, the details can always be worked out. Part of reducing the amount of shadow IT involves putting in place self-service, including an IT service catalog provided as a cloud management solution.

Does shadow IT change the service management equation?

The CIO and IT teams need to shift their mentality from building things to being service brokers. They need to work collaboratively to integrate shadow IT solutions that drive the business into the service catalog. CIOs suggest, however, there is a difference between a team adding a custom Excel macro and a team quietly installing 400 seats of Salesforce when the organization runs Oracle CRM/ERP.

Meanwhile, service management can only be as good as the relationship between IT and the business. In a healthy environment, you should automatically incorporate shadow IT under IT support. CIOs need to realize that people in general take the path of least resistance. If using Dropbox or Slack or whatever is easier, they will use it. The CIO shop needs to provide tools that are useful, usable, and get them used. CIOs should try to make non-shadow IT applications the path of least resistance.

Today, projects rarely fail due to technology or the budget; they usually fail because of the existing corporate culture, silos, bad processes, and simple lack of know-how. One CIO shared that, when relatively new, they struggled to lead the effort to integrate a large acquisition after finding that there were two competing shadow IT groups. With this said, for homegrown or highly customized systems, service management can become a nightmare, especially as the organization incurs technical debt.

How should CIOs make shadow IT a net positive for the business?

CIOs say that open APIs on the technology side can help, but there are still many risks with shadow IT. Having a culture of learning and governance on the business side helps. With it, better choices can be made. It is important for CIOs to do the following:

  1. Listen and not become defensive
  2. Get the history before taking any action
  3. Attempt to come to agreement before the rest of the C-Suite is engaged
  4. Find opportunities to provide direct support

One CIO remembered at this point a meeting with a VP of Marketing. Their pitch was that our applications would make things easier for his group. The VP of Marketing responded that the last time you guys said you had an eight-step process, it became 14 steps. This of course was before this CIO’s tenure. The CIO responded, “good point; what if we got it to six or seven steps?”

Another approach that worked for one of our CIOs is to find the shadow IT “developers” and take them under IT’s wings. This involves teaching them, working with them, getting them better tools, and listening to them. This includes helping them understand how the current architecture helps them meet their goals. CIOs believe it can help to put in place a community of practice, standards, knowledge management and more. For this reason, CIOs need to be coalition builders.

As part of this, CIOs say that recent improvements including low-code/no-code tools and associated data models make it easier to keep shadow IT aligned to enterprise architecture. If done right, PowerApps and the Common Data Model/Data Stores are interesting for citizen developers and pros alike. Clearly, the implications of shadow IT need to be understood by all executives. Where there are problems, it should not be just the CIO’s problem.

Parting remarks

Shadow IT is clearly both an opportunity and an obstacle for CIOs. Its impact depends upon the CIO. Do they use it to build bridges or do they instead use it to build walls? Clearly, governance matters and for this, CIOs need better alignment to CEOs and line of business leaders. It is largely in the CIO’s hands.