Is shadow IT something CIOs should worry about?

Here's the CIO perspective on shadow IT and how their peers have responded to the advent of shadow IT within their organizations.

Shine a spotlight on shadow IT and prosper keyboard programmer hands

Pervasiveness of shadow IT

I talked to several CIOs in the #CIOChat recently about shadow IT.Their collective wisdom is shared in this post. The first thing that impressed me in this chat is that the CIOs know the numbers. CIOs shared what they had learned from Cisco, Gartner, and Brocade. Cisco found that shadow cloud use was greater than 15 times higher than estimated by CIOs. CIOs said that Gartner’s research found that more than 40 percent of IT spend is in fact shadow IT. And Brocade, which did a global survey of 200 CIOs, found that more than 80 percent had seen some form of unauthorized cloud/SaaS usage.

Does the presence of shadow IT make a statement?

I asked the CIOs whether the presence of shadow IT makes a statement about business/IT alignment. CIOs had a wide range of answers to this question. CIOs said that often the real problem is not shadow IT but why and how shadow IT emerged. CIOs suggest that in many cases, shadow IT is in fact a symptom of unmet needs. It can as well imply a perceived lack of speed for IT versus the needs of the business.

On the negative side, it can mean that the CIO isn't collaborating with IT’s internal customers. Given this, I asked whether collaborative CIOs experience fewer instances of shadow IT in their organizations? I was told that collaborative CIOs are more likely to have constructive engagement on technology from all sides, which is a leading indicator of success. Additionally, CIOs suggest that leadership skills and vision dictate whether shadow IT is a potential friend or an enemy. This is important when you consider shadow IT’s scope. At this point, one CIO said that CIOs need to realize that shadow IT is more of a statement about improved business agility and digital proficiency than the business thinking they can get to a solution independently.

What can CIOs do to limit the presence of shadow IT?

CIOs feel that instead of attempting to block employees from using cloud computing and SaaS applications, CIOs should spend time with employees and understand their needs. From this process, CIOs should make sure compelling solutions are created that address these needs.

The former CIO for Yahoo, Mike Kail, put this nicely: “CIOs need to start viewing themselves, and their teams, as ‘business and productivity enablers’ versus ‘application blockers and usage police’.”

At the same time, it is important for CIOs to keep in mind that unmet needs are what caused shadow IT and that users may have seen the need for something more innovative than current offerings. For these reasons, CIOs need to recognize there is value in what the users of shadow IT are trying to do and that great solutions can come from anywhere. It is important that CIOs create requirements and rules for mainstreaming shadow applications including: application footprint, cost, data requirements (storage, security, et al), and integrations.

Separately, CIOs need to get out of their offices more. They must be engaged and visible. For too long, IT has said “no.” IT today needs to be part of saying “yes” or at least saying yes (with qualification). CIOs need to talk to people and walk in the employees’ shoes. CIOs must at the same time demonstrate things are done well in IT and delivered in a timely fashion. As a part of this, it is important that CIOs help the rest of the team understand how IT department goals align to overall business objectives. This can include sharing value generation the stories. At the same time, it is important to create a strategic enterprise architecture and communicate this to the entire business. Part of this architecture and plan needs to show today that what IT produces aligns with consumer ease of use Millennial workers and other digital natives are demanding app-like functionality or moving from what Geoffrey Moore calls “system of record functionality” to “system of engagement functionality.”

At the same time, as IT organizations become more technically capable, IT needs to provide tools that empower so called “citizen developers.” CIOs say as they go from "cloud" to "multi-cloud" use, shadow IT may grow. CIOs should work with it, not against it.

What are the business risks of shadow IT?

CIOs shouldn’t be afraid to use their authority to stop shadow projects that are detrimental to the overall organization. Part of doing this involves putting light on the shadow IT, especially when it challenges business agility, efficiency and quality (reliability and security). In terms of the risks that CIOs worry about most, they include bad data, inefficient processes, and less than competent staff. Clearly, a lack of standardization can impact overarching business agility, as well.

One CIO says that the things that scare him the most are file sharing in an outside companies’ system and the proliferation of random IOT devices on the network. Clearly, a loss of customer data is a huge potential issue, especially for regulated industries or with the emergence in Europe of the General Data Protection Regulations (GDPR) that will impact any business in the world that has customers that are the E.U. citizens. As a result, CIOs have a healthy fear about the potential reputation loss, reduced stock value, and brand value that may follow a data breach.

Parting remarks

CIOs clearly have a major role in determining whether shadow IT becomes an opportunity for improve IT alignment with business goals or not. Regardless of how a business capability is initiated, IT needs to ensure business capabilities function appropriately within the enterprise architecture and in accordance with business standards. CIOs have strong feelings even about the term “shadow IT.” My friend Joanna Young, former CIO of Michigan State University, summarized this well by saying just as "IT and The Business" should be outlawed phrase, so should "shadow IT." IT is IT. IT produces valued outcomes in support of company goals -- or not. Create the former and eradicate the latter regardless of "shadow."

This seems like good wisdom. CIOs clearly need to be constructive about IT initiatives created elsewhere in the organization to succeed.

This article is published as part of the IDG Contributor Network. Want to Join?

NEW! Download the Fall 2018 digital issue of CIO