Let’s start by agreeing to dispense with the term “Shadow IT.”
Anything with the word “shadow” in it is bound to have a negative connotation, and whether we’re talking about consumerization of devices or of applications, almost every modern organization today is confronted with some form of either departmental or consumerized IT. The two are different — even more reason to avoid grouping them both under the “Shadow IT” designation. Lines of business may opt to use non-IT-procured devices or non-IT-managed applications; employees might be using their personal computer at home to work on a presentation because they never took their laptop home from the office, or they might be using a personal Dropbox instead of the corporate OneDrive for cloud storage and collaboration.
Of course, there might be compliance and legal side effects to formally sanctioning departmental or consumerized IT. The image of a well-meaning employee sending a document containing privileged information to a personal email account that is not protected by two-factor authentication comes to mind. Nobody wants to lose control of privileged data.
It is not unusual for IT leaders to feel uneasy about the existence of departmental or consumerized IT within their organizations. However, in reality, the growth of departmental and consumerized IT is more reflective of changes in society, technology and the nature of work than it is reflective of the IT organization itself.
So, we need to monitor departmental and consumerized IT. But how?
There are several ways of going about this. The first is to put everyone on lockdown: only domain-joined devices may access corporate data, end-users may not install third-party apps, and access to all non-corporate sites is cut at the enterprise proxy or firewall. The problem is, this approach doesn’t work. Prohibitive IT policies drive down employee productivity, which impacts business productivity. In other words, locking things down hurts the business. It is important to recognize that the days of the IT organization being able to control and deliver on all things IT are gone, but so, concurrently, is its sole accountability for them. So consumerized IT should be an issue only insofar as it remains in the “shadows” — that is, not creating value, creating more problems than it solves, or placing accountability in the wrong place.
The second is to delegate accountability for departmental IT separately from corporate IT. Line-of-business managers who make technology investment decisions must be held accountable for those decisions and for any ensuing privacy, compliance and security issues. Of course, the executive team must buy into this accountability and ensure it supports the governance mechanisms that enact it. Otherwise, behavior will not change. In this scenario, the CIO remains accountable for all technologies sourced and managed by enterprise IT as well as for the overall corporate IT strategy, including guiding departmental IT in a direction that increases the likelihood of creating value and reduces risk. To succeed here, departmental policy infringement must result in an appropriate intervention — this means empowering the CIO with the capacity to intervene appropriately, with CxO or board escalation where necessary. Embracing departmental IT does not mean any laxity here. The goal is to allow greater freedom in areas where there is less risk and to ensure greater accountability and transparency in the areas of most concern. The rules need communicating, and services need to be created to provide advice and guidance. And, as above, clear accountabilities need to be in place.
The third approach, and the one I propose, is for IT to offer unconditional support for departmental or consumer-acquired and consumer-developed initiatives, with the goal of helping line-of-business owners create the best solutions they can. That includes helping them understand the technology and vendor options via workspace analytics, the architectural choices and trade-offs via collective-intelligence benchmarking, and the opportunities to leverage and share. The key is that IT must do this via a genuine compact — it must create value for the owner, and this support must not merely be a smokescreen for a veiled audit. Resist the temptation to revert to traditional behaviors and force technology choices.
The critical goal is visibility
To gain visibility, coax business users toward good, longer-term outcomes. If end-users believe that they’re being forced to make particular technology choices or to sub-optimize a solution for the benefit of others, they are more likely to head into the “shadows.” Visibility is key here, because as device drivers, operating systems and applications increasingly move to the cloud, delivered as SaaS offerings, organizations lose significant visibility of the availability and performance of their applications. Whether managed by IT or not, the endpoint becomes a privileged vantage point from which to monitor the digital user experience, and the only way to gain visibility into the endpoint is by earning the trust of the person using it.
Yes, initially this will seem like a less-than-efficient solution from an IT department’s perspective, but consider it an evolutionary trade-off for mitigating other risks around privacy, security and compliance.
This article is published as part of the IDG Contributor Network.