Essential Guide

IT services management and best practices: An enterprise CIO guide

Getting a grip on shadow IT in the age of self-service technology

Shadow IT should be a serious concern for all CIOs in an age of self-service technology. Here's how to get a grip on it.

Dwight Smith takes full responsibility for shadow IT. "We regard shadow IT as a failure to explain the value of architecture, of securing the data properly and of data consistency," said Smith, senior vice president for information resources at Orlando, Fla.-based Marriott Vacations Worldwide Corp.

At many companies, money sits in various budgets for technology and there is a strong desire to avoid or bypass IT governance. Organizations with potentially risky shadow IT operations have "not done a good job communicating the value of governance," Smith said, adding that IT departments must tread firmly but lightly.

Lynden Tennison, CIO at Union Pacific Corp. in Omaha, Neb., seconds that. "The worst thing you can do is a turf grab. If shadow IT crops up, it's because I can't deliver, either because it wasn't a priority or the funding was out of my control," he said. "You need to figure out what it is you are doing wrong."

Most CIOs, however, tend to simply look the other way when it comes to the services, software and consumer devices that exist -- nay, flourish -- outside the control of their IT organizations.

Nevertheless, in an age of self-service technology and technologically literate employees, shadow IT should be a serious concern for all CIOs, technology experts warn. The issue will only grow as cloud computing, mobile IT and user-owned devices put IT in the hands of nearly every employee. Making matters worse, the a la carte computing menu is hardly limited to consumerized business apps with user-friendly interfaces; it includes powerful, heavy-duty enterprise apps that run parallel to enterprise systems.

Falling down on CIO responsibilities

CIOs who ignore the issues of shadow IT or rogue IT not only fail to address the obvious risk -- jeopardizing the corporation's data assets, regulatory obligations and brand reputation -- but they also undercut the business's ability to compete, said Gartner Inc. analyst John Mahoney. "The worst risk comes from disconnected information or disconnected processes."

Some CIOs are reluctant to take on the issue of shadow IT because they take a narrow view of their function. They see themselves as the head of the IT department, not as the person in charge of defining the company's effective use of technology, Mahoney said. Or perhaps they've been pigeonholed by the business as the person who just runs IT. In either case, a CIO turning a blind eye to shadow IT is tantamount to dereliction of duty, as is the failure of a CFO to lay down standards for spending the business's money.

"I, myself, would not be surprised to see CIOs being fired because they have failed to put in place the mechanisms, advice and policies whereby the organization's data is kept safe," Mahoney said, noting the opinion was personal and not held by his Stamford, Conn.-based research employer.

CIOs coming to grips with shadow IT

On the flip side, however, CIOs who use all means to lock out shadow IT are depriving their enterprises of the potential benefits associated with employee-procured IT -- from better business apps to winning new customers through social media, to worker productivity gains. A hard-line approach will anger employees. It's also likely to drive them underground, CIOs agreed.

The problem is that managing shadow IT is not easy even for tuned-in and strategic CIOs, as Warren Ritchie, CIO at Volkswagen Group of America Inc., can attest. His biggest surprise when he became CIO in 2008 was the proliferation of rogue IT in the business. Equally disturbing was the general ignorance of the havoc that rogue IT can wreak on complex enterprise systems, even among sophisticated business leaders. "I had an inkling of it. I didn't realize the magnitude of the issue," he said.

Ritchie responded by launching a major initiative to educate users on the inherent risks of shadow IT and the potential business benefits of a cohesive and coordinated IT strategy. Rogue IT solutions could get business employees fast access to customer data on computerized vehicles, for example, but "we'd be slow, as a corporation, to take advantage of the data" if it were not integrated with existing business systems, he said.

Gartner recommends the following first steps for CIOs who realize they need to get a jump on shadow IT:

  • Analyze and communicate the problems of shadow IT: Understand the enterprise business model and assess its dependency on connected and secure IT. In addition, assess its core systems' vulnerability to unregulated or unregistered third-party systems. Explain to management the potential damage to the company's reputation if shadow IT systems malfunction or fail.
  • Assess the extent of shadow IT: This can be a hard task, because it's not clear whom you should ask. Start by checking purchases with the finance department. (CFOs can be your best friends in this, provided they are not champions of shadow IT.) Ask business unit heads about shadow IT operations (assuming you have earned their trust). Examine requests to the IT organization for support or for interface connections to technology you have not purchased. When you meet with business colleagues, keep your eyes open in order to see the IT tools they use. Ask your IT relationship managers for formal and informal assessments.
  • Combine active monitoring of shadow IT with policy and expert advice: Keep tabs on rogue IT. More importantly, advise -- and when it's appropriate, even encourage -- the safe, efficient and integrated deployment of shadow IT.

IT as the go-to resource for self-service technology

CIOs who fail to acknowledge and manage shadow IT are missing out on a broader trend in enterprise computing, said Marc Cecere, a Forrester Research Inc. analyst. The Cambridge, Mass.-based research firm has long preached the transformation of IT to BT, or business technology. In this hybrid IT environment, the business will take on a lot of the job of procuring and developing business apps, and the IT department's most important job will be putting "the guardrails in place so people don't make bad mistakes acquiring technology," he said.

Gartner's Mahoney agreed: "It's part of a much broader transformation of the role and status of the IT organization." Instead of IT focusing mainly on building, delivering and policing all IT, smart IT departments will focus on how the enterprise as a whole uses technology effectively, he said.

The real goal of CIOs in dealing with shadow IT, Mahoney said, is to make the IT department the go-to resource for the business. "CIOs should aim to create an environment in which everybody in the business wants to engage the IT organization in positive ways, rather than creating a situation of policing and forcing everyone to do it by IT's rules."

Let us know what you think about the story; email Linda Tucci, Senior News Writer.




Join the conversation



I've made a survey with 131 IT practitioners and asked their point of view regarding Shadow IT in their company. Have a look at the result with this infographic:
I've read the article, twice now, and clicked a few of the links, and I'm still not sure what Shadow IT is supposed to be? I want to care about what it is, but because of that, I'm left wondering, is this article real or just FUD?
My understanding of shadow IT is that it refers to technology solutions that the organization’s employees have identified and started using to meet their needs without it being sanctioned and supported by IT. This could be applications, devices, whatever. For example, many employees where I work started using their personal Dropbox accounts, or creating an account for their team, to share and collaborate on documents. Later, IT comes lumbering along and announces that they’ve decided Box is the solution that the enterprise will use. So, Dropbox is considered “shadow IT.”
Thanks for that example, Mcorum. That's roughly what I thought, from the context, they were referring to. A lot depends on how a given application is used, and whether it's actually exposed to the real world. There's a lot you can do with firewall rules to hide these things, but I didn't feel the linked article gave a solid definition of what Shadow IT was, which is why I asked.
Can we really afford to move from BYOD to BYOTechnology...?

While I'm usually a major proponent of free-lancing of every stripe, I think we're looking at a vast array of dangers when we open our company to everyone's favorite bit of technology. That said, locking down or forbidding or ignoring the phenomenon is a surefire recipe for disaster. Ideas and passions won't damp down that easily.

Instead of letting it in or fighting it off, why not nurture it? Whatever you do, change is coming, for sure. Hell, change is always coming. So anticipate it, prepare for it and learn from all that incoming wisdom.

Adopt it all unseen? Hell no. Incorporate the best of it, bit by bit. Absolutely. There's lots of good stuff worth learning and adding to your own corporate mix. Takes a bit of effort and investment, but the payoff can be huge.
I can't imagine that companies can afford to jump from BYOD (which we've barely begun to control) to the unknown of BYOTechnology. But, that said, like most innovations, this one is probably unavoidable, too.

Those who are still trying to "block, forbid or ignore the Shadow IT phenomenon" might as well double down on their stock in buggy whips. It's only possible to stave off the inevitable for a short time. And innovation has always been a demanding master....

Instead of digging in our corporate heels, it seems a far wiser choice to slowly and cautiously incorporate this new demon. It's huge and it's complex; getting it wrong can be a real disaster. But the benefits of getting it right are equally massive.

The wiser course would be to invest in command and control. Know this new enemy and incorporate the best bits of all its myriad technologies. In the short term that's a much more complex, more expensive approach. But the long-term benefits can be huge. That's worth the investment. And, be realistic. That change is inevitable - it's best to be prepared.