by Paul M. Ingevaldson

Ending the ‘forever war’ against shadow IT

Jun 20, 2023 | 6 mins
Business IT Alignment | IT Leadership | IT Strategy

Unsanctioned tech use has been a thorn in IT’s side for decades. The cloud accelerated it, and AI will only elevate the risks. It’s high time for a policy — and strategy — that works.


One of the most important accountabilities of the modern CIO is data integrity. The corporation must be confident that the data it uses to make strategic business decisions is safe, accurate, and private. There is no question that the IT department and its CIO are ultimately responsible for ensuring this is true.

But ensuring data integrity is a daunting task. In the face of attackers, data repositories in the cloud, and ever-changing technology, data integrity is an ongoing battle, and one made much more difficult by the presence of shadow IT. It will only get worse as AI tools make it easier for employees to move corporate data into systems IT has never seen.

Shadow IT: Unsanctioned and persistent

First, let's define terms. Gartner defines shadow IT as IT devices, software, and services outside the ownership or control of the IT organization. That definition covers devices the corporation does not control, software installed on corporate devices without IT's knowledge, and cloud services run by third parties into which corporate data is fed.

However corporate data is used or manipulated in these scenarios, the CIO remains responsible for its accuracy and integrity. Unfortunately, this is the case even if the system is unknown to IT. That expectation is all the justification IT needs to pursue and stop shadow IT.

IT must work closely with the IT steering committee, which should be composed of senior management, including the CEO and CIO, and be responsible for prioritizing the IT agenda, to develop a strong policy statement that forbids this unilateral activity. At the same time, IT and the steering committee must establish a method that lets user departments implement small computer solutions quickly and with a minimum of IT time. A ban with no fast sanctioned alternative simply drives the activity further underground.

A good, if imperfect, analogy comes from the marketing department, which is responsible for protecting the brand and trademarks both internally and externally. Any violation the marketing department finds is usually met with a swift and uncompromising cease-and-desist order. IT should take a similar approach to shadow IT.

Bringing the shadow to light

To strike this balance between eliminating unsanctioned tech and removing the incentive that drives departments toward shadow IT, IT leaders should take a three-step approach.

First, CIOs should establish a quick-reaction team (QRT) that deals only with the small projects user departments want to achieve, especially those involving AI. The QRT needs to be an elite group within IT whose members understand the risks of data manipulation, are well versed in security pitfalls, and follow AI developments closely enough to know both its opportunities and its dangers. The group's mission is to analyze the requirements, ensure that data access is secure, and make sure the user understands the sensitivity of the data being accessed.

The QRT would also analyze the scope of the work to confirm that the results are not already available from an existing source, and determine whether the software is compatible with the corporate network and identity infrastructure. This becomes even more critical if, at some point, the company wishes to scale the application to serve the entire corporation.

Second, the shadow IT policy must be understood and enforced by the IT steering committee. This group must understand the existential risk a data breach poses to the corporation, and it must understand that violations of the policy carry sanctions that have to be supported companywide.

Third, IT must continually monitor every device connected to its network, whether locally or remotely. Corporate computers must be inventoried to confirm that every third-party application installed on them is sanctioned and properly licensed, both to catch shadow IT early and to avoid substantial fines from vendors. Any private device that connects to the corporate network must likewise be checked for compliance with corporate standards before it is allowed access. There are many endpoint-management and software-inventory products on the market that can provide this service.
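The core of that third step is a reconciliation: take whatever inventory the endpoint agent reports and compare it with the catalog of sanctioned software and its licensed seat counts. The script below is an added example written for this article, not code from the author or from any product the article mentions. It assumes the agent exports one row per installed package (hostname, package name, version, installing user), which is the shape osquery-style tools produce; the catalog, seat counts and inventory rows are constructed sample data.

```python
"""Reconcile an endpoint software inventory against a sanctioned catalog.

Added example for the article above; the catalog and inventory rows are
constructed sample data, not real hosts or licence figures.
"""
from collections import defaultdict

# Constructed sanctioned catalog: package name -> licensed seat count.
# None means the licence is unlimited (site licence or open source).
SANCTIONED = {
    "microsoft-office": 3,
    "slack": None,
    "git": None,
}

# Constructed inventory, as an endpoint agent might export it. Note the
# duplicate row for mkt-laptop-01 (two scans of the same host) and the
# mixed-case package name on ops-laptop-01.
INVENTORY = [
    {"host": "fin-laptop-01", "name": "microsoft-office", "version": "16.0", "user": "alice"},
    {"host": "fin-laptop-01", "name": "git", "version": "2.39", "user": "alice"},
    {"host": "fin-laptop-02", "name": "microsoft-office", "version": "16.0", "user": "bob"},
    {"host": "fin-laptop-02", "name": "ai-notetaker", "version": "1.2", "user": "bob"},
    {"host": "mkt-laptop-01", "name": "microsoft-office", "version": "16.0", "user": "carol"},
    {"host": "mkt-laptop-01", "name": "microsoft-office", "version": "16.0", "user": "carol"},
    {"host": "mkt-laptop-02", "name": "microsoft-office", "version": "16.0", "user": "dave"},
    {"host": "mkt-laptop-02", "name": "slack", "version": "4.3", "user": "dave"},
    {"host": "ops-laptop-01", "name": "Dropbox", "version": "180.4", "user": "erin"},
]


def reconcile(inventory, sanctioned):
    """Return (unsanctioned, over_deployed).

    unsanctioned: sorted list of (host, package, user) for packages that are
                  not in the catalog at all, i.e. shadow IT candidates.
    over_deployed: {package: installed_host_count} for catalog packages whose
                   unique-host count exceeds the licensed seat count.
    Seats are counted per unique host, so repeated scans of one machine do
    not inflate the licence usage figure.
    """
    unsanctioned = set()
    hosts_by_package = defaultdict(set)
    for row in inventory:
        name = row["name"].strip().lower()   # normalise before lookup
        if name not in sanctioned:
            unsanctioned.add((row["host"], name, row["user"]))
            continue
        hosts_by_package[name].add(row["host"])

    over_deployed = {}
    for name, hosts in hosts_by_package.items():
        seats = sanctioned[name]
        if seats is not None and len(hosts) > seats:
            over_deployed[name] = len(hosts)
    return sorted(unsanctioned), over_deployed


def hotspots(unsanctioned):
    """Group unsanctioned findings by user so the QRT can prioritise
    conversations with the people (and departments) doing the installing."""
    per_user = defaultdict(list)
    for host, name, user in unsanctioned:
        per_user[user].append(f"{name} on {host}")
    return dict(per_user)


if __name__ == "__main__":
    shadow, over = reconcile(INVENTORY, SANCTIONED)
    for host, name, user in shadow:
        print(f"UNSANCTIONED  {name:<18} host={host:<14} user={user}")
    for name, count in over.items():
        print(f"OVER-DEPLOYED {name:<18} {count} hosts > {SANCTIONED[name]} seats")
    print("hotspots:", hotspots(shadow))
```

Two details matter in practice. Normalising the package name before the catalog lookup prevents "Dropbox" and "dropbox" from being treated as different products, and counting unique hosts rather than inventory rows keeps a host that was scanned twice from appearing as two licence seats. The unsanctioned list is the input to the QRT conversation; the over-deployed figure is the input to the licence-compliance conversation with the vendor.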

Additional risks — and getting it right

Even with these safeguards in place, there are still substantial risks associated with shadow IT systems. If the individual who built the system in the user department changes jobs or leaves the company, there can be a long learning curve to train a replacement. Often the user department tries to shift that burden to IT, since an IT-savvy replacement is hard to find, and the QRT cannot be expected to have the time or the ability to take over the system. The situation is doubly dangerous if the departing employee intends to harm the company: because the system was never registered with IT, the accounts and credentials that person holds on it are unknown to the company and will not be revoked in the normal offboarding process.

Another risk arises if the vendor supplying the software suddenly goes out of business, substantially increases its support fees, or otherwise changes the terms of use. The QRT could handle the transition, but time becomes a problem if the system has already become critical to the department.

The usual reason given by user departments as to why they want to pursue shadow IT is something like: “The process to get an IT system approved, developed, and implemented is too arduous, takes too long, and requires an enormous commitment of time and resources. They want us to define exactly what we want. We, on the other hand, just want a flexible approach that gives us everything we need. Business changes fast but IT slows us down.”

Certainly, there is some truth to that, and most of these complaints can be addressed by an aggressive QRT. But the company must also understand that security and data integrity have to be considered carefully. It is also incumbent on each member of the IT steering committee to take the job of prioritizing projects seriously, so that the IT department is working on the projects the corporation most needs. If IT has to expand to deliver more solutions, the steering committee has the power to approve that.

In my book The 9 1/2 Secrets of a Great IT Organization the subtitle reads "Don't Do IT Yourself." Shadow IT is yet another example of what happens when systems are developed in a vacuum: the results can be more costly, redundant, exposed to piracy, and, most importantly, a degradation of data integrity. If we address shadow IT in this manner, the company should get the systems it needs in a timely manner, and the CIO should not have to sleep with one eye open over data integrity concerns.


Paul M. Ingevaldson was SVP of International and Technology for Ace Hardware. He was responsible for two major divisions of Ace, the International Division with stores in over 70 countries and the IT Division supporting both corporate and retail technology activities. He retired in 2004 after 25 years at Ace and 40 years in the IT business. Since retirement, he has authored over 30 articles about various IT topics appearing in Computerworld and CIO. He also has guest-lectured in the Masters Program of Northern Illinois University since 2006. His topic is “Digital Transformation Strategy: How to effectively exploit the IT resource to gain sustained competitive advantage.”
