BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Dwight Smith takes full responsibility for shadow IT. "We regard shadow IT as a failure to explain the value of architecture, of securing the data properly and of data consistency," said Smith, senior vice president for information resources at Orlando, Fla.-based Marriott Vacations Worldwide Corp.
At many companies, money sits in various budgets for technology and there is a strong desire to avoid or bypass IT governance. Organizations with potentially risky shadow IT operations have "not done a good job communicating the value of governance," Smith said, adding that IT departments must tread firmly but lightly.
Lynden Tennison, CIO at Union Pacific Corp. in Omaha, Neb., seconds that. "The worst thing you can do is a turf grab. If shadow IT crops up, it's because I can't deliver, either because it wasn't a priority or the funding was out of my control," he said. "You need to figure out what it is you are doing wrong."
Most CIOs, however, tend to simply look the other way when it comes to the services, software and consumer devices that exist -- nay, flourish -- outside the control of their IT organizations.
Nevertheless, in an age of self-service technology and technologically literate employees, shadow IT should be a serious concern for all CIOs, technology experts warn. The issue will only grow as cloud computing, mobile IT and user-owned devices put IT in the hands of nearly every employee. Making matters worse, the a la carte computing menu is hardly limited to consumerized business apps with user-friendly interfaces; it includes powerful, heavy-duty enterprise apps that run parallel to enterprise systems.
Falling down on CIO responsibilities
CIOs who ignore the issues of shadow IT or rogue IT not only fail to address the obvious risk -- jeopardizing the corporation's data assets, regulatory obligations and brand reputation -- but they also undercut the business's ability to compete, said Gartner Inc. analyst John Mahoney. "The worst risk comes from disconnected information or disconnected processes."
Organizations with potentially risky shadow IT operations have not done a good job at communicating the value of governance.
Some CIOs are reluctant to take on the issue of shadow IT because they take a narrow view of their function. They see themselves as the head of the IT department, not as the person in charge of defining the company's effective use of technology, Mahoney said. Or perhaps they've been pigeonholed by the business as the person who just runs IT. In either case, a CIO turning a blind eye to shadow IT is tantamount to dereliction of duty, as is the failure of a CFO to lay down standards for spending the business's money.
"I, myself, would not be surprised to see CIOs being fired because they have failed to put in place the mechanisms, advice and policies whereby the organization's data is kept safe," Mahoney said, noting the opinion was personal and not held by his Stamford, Conn.-based research employer.
CIOs coming to grips with shadow IT
On the flip side, however, CIOs who use all means to lock out shadow IT are depriving their enterprises of the potential benefits associated with employee-procured IT-- from better business apps to winning new customers through social media, to worker productivity gains. A hard-line approach will anger employees. It's also likely to drive them underground, CIOs agreed.
The problem is that managing shadow IT is not easy even for tuned-in and strategic CIOs, as Warren Ritchie, CIO at Volkswagen Group of America Inc., can attest. His biggest surprise when he became CIO in 2008 was the proliferation of rogue IT in the business. Equally disturbing was the general ignorance of the havoc that rogue IT can wreak on complex enterprise systems, even among sophisticated business leaders. "I had an inkling of it. I didn't realize the magnitude of the issue," he said.
Ritchie responded by launching a major initiative to educate users on the inherent risks of shadow IT and the potential business benefits of a cohesive and coordinated IT strategy. Rogue IT solutions could get business employees fast access to customer data on computerized vehicles, for example, but "we'd be slow, as a corporation, to take advantage of the data" if it were not integrated with existing business systems, he said.
Gartner recommends the following first steps for CIOs who realize they need to get a jump on shadow IT:
- Analyze and communicate the problems of shadow IT: Understand the enterprise business model and assess its dependency on connected and secure IT. In addition, assess its core systems' vulnerability to unregulated or registered third-party systems. Explain to management the potential damage to the company's reputation if shadow IT systems malfunction or fail.
- Assess the extent of shadow IT: This can be a hard task, because it's not clear whom you should ask. Start by checking purchases with the finance department. (CFOs can be your best friends in this, provided they are not champions of shadow IT.) Ask business unit heads about shadow IT operations (assuming you have earned their trust). Examine requests to the IT organization for support or for interface connections to technology you have not purchased. When you meet with business colleagues, keep your eyes open in order to see the IT tools they use. Ask your IT relationship managers for formal and informal assessments.
- Combine active monitoring of shadow IT with policy and expert advice: Keep tabs on rogue IT. More importantly, advise -- and when it's appropriate, even encourage -- the safe, efficient and integrated deployment of shadow IT.
IT as the go-to resource for self-service technology
CIOs who fail to acknowledge and manage shadow IT are missing out on a broader trend in enterprise computing, said Marc Cecere, a Forrester Research Inc. analyst. The Cambridge, Mass.-based research firm has long preached the transformation of IT to BT, or business technology. In this hybrid IT environment, the business will take on a lot of the job of procuring and developing business apps, and the IT department's most important job will be putting "the guardrails in place so people don't make bad mistakes acquiring technology," he said.
More about shadow IT
Gartner's Mahoney agreed: "It's part of a much broader transformation of the role and status of the IT organization." Instead of IT focusing mainly on building, delivering and policing all IT, smart IT departments will focus on how the enterprise as a whole uses technology effectively, he said.
The real goal of CIOs in dealing with shadow IT, Mahoney said, is to make the IT department the go-to resource for the business. "CIOs should aim to create an environment in which everybody in the business wants to engage the IT organization in positive ways, rather than creating a situation of policing and forcing everyone to do it by IT's rules."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.