CIO Insights: Dealing with shadow IT

Businesses used to rely on experts to provide advice about which technology to buy. Now, users can purchase a service in no time with only a browser and a credit card, allowing them to bypass IT.

In this third installment of CIO Insights, we talk to three leading Australian technologists about how to deal with shadow IT and become a strategic business partner as opposed to the ‘police department’.

Scenario: The CIO suddenly finds out that the chief marketing officer has purchased a software-as-a-service product for a marketing initiative. The CIO now needs to think about how the company’s data will be secure and how the new product will integrate with other systems and infrastructure without having the opportunity to do any careful planning beforehand. The CIO is frustrated that the CMO didn’t consult with IT on this initiative early in the process. The CMO feels that IT doesn’t understand the tight deadlines of marketing.

What would you do in this situation?

Alex Jones, CIO at Synergy

Marketing obviously has an underlying view that they are going to get what they want more effectively without you. So the question that you have to ask yourself is: ‘Why do they think I’m more of a barrier than an enabler?’

CIOs are famous for having personal inclinations towards mitigating as much risk as possible. The clear message here is that the CIO’s desire to mitigate risk can be inconsistent with the objectives of the organisation.

It’s actually not an effective way of mitigating those risks to just say ‘no’ when people come up to you. If the CIO tries to set up such tight rules where the business units are truly inhibited then that just generates a lot of frustration. Just saying ‘no’ when people ask them for something doesn’t mitigate the risk because then they do it anyway – the CIO is failing to mitigate risk and add value.


You have to be seen to be adding value to the process, rather than getting in the way. The CIO is worried about data security, integration and wants careful planning – that’s what makes IT perceived as being the barrier. Others think ‘as soon as I come and ask you for something that’s going to cost me $10, you are going to give me 1,000 reasons why I can’t have it’.

There are now increasing numbers of opportunities for people to get their needs met with all of the software-as-a-service options; they have more options to get these things independently than they had before. Effectively, the bar is higher for IT because, relatively speaking, if there are more alternatives to what you have to offer, then you have to be better.

It’s also possible in the scenario that marketing didn’t even realise IT could help them and just assumed they couldn’t. So it’s having people in your team dedicated to being there with the different stakeholders, knowing where the business is going and offering these options. That way you become part of the solution, not part of the problem.

IT has to dedicate itself, and real resources, to working with the different stakeholders around the business so that they can anticipate needs, make constructive suggestions early, and become one of the 'options'.

Business partnering is not just about having an open door policy and hoping people will walk in and talk to them every time they want something. It’s about having dedicated professionals within the IT organisation whose entire job it is to get out there and find out. It’s like account management.

Inevitably, the CIO will have to make a decision where to use resources because no one ever really gets more money than they had before. It’s not a no-brainer, because effectively what you are doing is you are asking the organisation to invest in this capability and the organisation is often not going to be well disposed towards investing in what you might call 'internal account management'. They are not going to see the value.

They are going to say, ‘If you can afford taking three people off normal operational work to do that, then why don’t you just cut three headcount out of your team altogether and then just don’t do it at all?’ So you are going to have to have that debate. Just getting the license to put those people on board is hard. And if you do it, they then have to show their value.

But if you don’t have those people, how can you expect you are going to be able to collaborate effectively and actually add value on the team? I think it is the most strategic investment that an IT organisation can make internally.

Johan Sulaiman, head of IT – Asia Pacific at LEK Consulting

This situation most likely happens when the CIO or IT director is not responsive to the business needs, is not engaging him or herself into the business, and is still having that mentality of ‘this is my domain, you come to me if you need anything’.

If they come to you with an idea and you keep saying to them ‘let me come back to you in a month after we evaluate this thing’, then they’ll think the IT team and leadership is not on top of the game.

They might think, ‘if I share this project with IT, they’ll make it a slow process, they put a lot more roadblocks, so let me do it myself’.


If you have a good working relationship with the CMO and you have proven to management that you can meet project deadlines, I don’t think they will go away doing it on their own. They only will go away doing it on their own if you keep missing your deadlines, so there’s no trust there.

By having a weekly catch-up or monthly management catch-up, that sort of surprise coming out of nowhere probably can be avoided. You want to advise the CMO, saying ‘there’s a technology that I’ve been looking at and this is what a CMO mentioned in another company, it may be beneficial to you’. This kind of conversation over a coffee or in the weekly/monthly meetings can help you promote yourself and become a trusted advisor.

If we bring ideas and initiatives to the CMO, he or she will definitely engage with you more and more. The role of the CIO is to promote and introduce new technologies to the company. If someone comes to you all the time with new technologies and you execute and implement them, then you might start questioning yourself and if you are doing your job enough to explore and bring new initiatives into the company.

If you introduce 8 out of 10 [technologies] and the other two came from other business units, then you could say you are doing a pretty good job. If it’s the reverse, then you would probably start questioning yourself.


You need to put maybe 5 per cent of your team or budget just to introduce new technologies, explore what they can do for your company, the business. It might fail, it might be successful. But at least you put in that effort, instead of only maintaining what you have. By always looking in the market and keeping yourself and the team educated, you can always give that advice to the senior management team.

Also, I would disagree with my colleagues if they said ‘we own the data’. IT doesn’t own the data, the company does. Our role and function is how to secure the data, and how we share the data with the other business units using different applications.

When it comes to the security of the data, we don’t want people who don’t need access to be accessing a system. So if they define that, then we will help them to implement the objectives, instead of simply saying ‘you cannot have this’. The approach is to try to deliver the project goals and objectives with the CMO.

Rob Livingstone, former CIO and owner of an advisory practice

A situation like that is unfortunately not too uncommon. Shadow IT is very real in many organisations.

It goes to the heart of governance within the organisation: who’s accountable for the consequences both in the short term and in the long term for that decision being made?

The overall governance in an organisation should balance the demand to meet short-term requirements or issues versus elevating the systemic risk, such as a data breach, degraded data quality, cost issues, etc.

Achieving that balance in organisations is not easy because you are dealing with individuals who maybe do have a more conventional/traditional perspective on their roles, their departments and how the organisation should be run.

The first step is to transform IT into a division that can add transformational value to the organisation and be seen as a peer. Once that occurs, it's then a question of applying the right governance across all the executives [so they] understand that fragmenting and federating systems should be in accordance with a defined understanding of who’s accountable for what, and who has jurisdiction over what.

Having everyone buy their own services, getting it in the door quickly, can be sustainable provided the risks don’t eventuate. However, a small cloud application, which might just be swiped with a credit card and deployed in a particular part of the business, could contain information which is at serious risk of access by an unauthorised person, which could jeopardise the entire business.

Risks can arise from a lack of integrity of your broader IT systems, which means the ability to connect the system with others, the ability to manage disaster recovery, to ensure compliance with data jurisdiction and the emergence of privacy laws – for example, the new privacy legislation that is coming out in March this year.

Also, if a client wants to log in to a single portal because there’s value in having a one-stop shop service, how can that be possible if the underlying databases are all spread across cloud providers, internal data centres, with 10 different systems put in by 10 different departments down the track?

The fundamental issues deal with how coordinated the organisation is and that starts right at the top in terms of the organisation’s business plans, strategies and mission. It’s about how clearly that is articulated so the common objective and strategy is aligned with all the c-suite, so everyone understands that they are not just looking after their own patch.

It’s also making sure that a percentage of everyone’s role is to look at what others are doing and how they work together to achieve the common objectives of the organisation instead of protecting their patch or folding their arms and saying ‘this is not your job, this is my job’.

Are you facing a particular challenge and need some advice? Contact Rebecca Merrett at


Copyright © 2014 IDG Communications, Inc.
