As mentioned in part 1, “Shadow IT” is an unstoppable phenomenon. But by definition “Shadow IT” works “under the radar”, and many CIOs see it as a threat. Indeed, there are some risks to consider:
- Unmanaged servers: if software and data are installed on specific servers without a security policy, backups, etc., they are time bombs. Furthermore, this can lead to anarchic “silos of data”.
- Non-compliance: very often a specific piece of software is based on its own business logic (definitions, formulas, rules, etc.), and even a few inconsistencies can lead to major inefficiencies. What about testing and qualification?
- Costs: there is always a moment when the hidden costs emerge from the shadows.
- Loss of control over sensitive data: obviously the most important risk is the dispersion of data: on specific devices, in the cloud, etc.
- Legal aspects: shadow IT creates uncontrolled data flows, so it can be difficult to comply with laws or standards such as the Sarbanes–Oxley Act, Basel II, COBIT, etc.
So what can CIOs do to identify shadow IT, and how should they manage it?
- Propose alternatives: a shadow IT solution is very often a response to a real need. Sometimes a similar service can be offered by corporate IT (if it is not too late).
- Identify the risky cloud services: not all services offered by the cloud are harmful. The infrastructure can be used to block access to the riskiest services, but it is impossible to filter everything.
- Monitor the network: continuous network monitoring can help identify new devices and suspicious data exchanges.
- Define a list of approved applications for BYOD: clearly define what is permitted and what is not, and above all promote best practices.
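As an added illustration (not code from the original post), the following Python script shows how the “identify the risky cloud services” and “monitor the network” measures above can be combined: it scans constructed proxy log lines against assumed lists of sanctioned services, known risky services and inventoried devices, and reports the traffic worth a closer look.

```python
"""Flag candidate shadow-IT activity in proxy logs (constructed sample data)."""
from collections import defaultdict

# Constructed sample log: "timestamp client_ip destination_host bytes_out" per line.
SAMPLE_LOG = """\
2014-03-01T09:00:01 10.0.1.15 mail.corp.example 1200
2014-03-01T09:02:10 10.0.1.15 drive.google.com 45000000
2014-03-01T09:05:44 10.0.1.22 api.salesforce.com 3200
2014-03-01T09:07:03 10.0.1.22 wetransfer.com 210000000
2014-03-01T09:09:30 10.0.1.37 unknown-saas.example 800
"""

# Assumed inventories maintained by corporate IT (not taken from the post).
SANCTIONED = {"mail.corp.example", "api.salesforce.com"}   # approved services
RISKY = {"wetransfer.com", "drive.google.com"}             # classified as risky
KNOWN_DEVICES = {"10.0.1.15", "10.0.1.22"}                  # asset inventory
LARGE_UPLOAD = 100_000_000  # bytes; assumed threshold for a suspicious upload


def classify(host):
    """Map a destination host to sanctioned / risky / unknown."""
    if host in SANCTIONED:
        return "sanctioned"
    if host in RISKY:
        return "risky"
    return "unknown"


def analyze(log_text):
    """Return (findings, per_device): findings are (reason, src, host) tuples."""
    findings = []
    per_device = defaultdict(set)  # which services each device talked to
    for line in log_text.splitlines():
        _ts, src, host, size = line.split()
        size = int(size)
        per_device[src].add(host)
        category = classify(host)
        if src not in KNOWN_DEVICES:          # device absent from the inventory
            findings.append(("new-device", src, host))
        if category == "risky":
            findings.append(("risky-service", src, host))
        elif category == "unknown":
            findings.append(("unknown-service", src, host))
        if category != "sanctioned" and size >= LARGE_UPLOAD:
            findings.append(("large-upload", src, host))  # bulk data leaving
    return findings, dict(per_device)


if __name__ == "__main__":
    for reason, src, host in analyze(SAMPLE_LOG)[0]:
        print(f"{reason:16} {src:12} {host}")
```

Running it on the sample prints five findings: two risky-service hits, one large upload to an unsanctioned service, and one new device talking to an unknown service.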
But be pragmatic: a defensive attitude is not the only response to Shadow IT.
Shadow IT also comes with opportunities. It is time to consider other approaches to embrace shadow IT and to rethink the role of IT.
- The cloud is an opportunity to embrace Shadow IT: if the cloud provides the best service for the users, then why not use it?
- Think OPEX rather than CAPEX: it is possible to improve the overall cost with a pay-per-use approach.
- Shadow IT favors innovation: don’t forget that very often “innovation is disobedience to a convention”. Hence the “Shadow IT” disobedience can be a good vector for innovation. It can be considered a kind of prototype (or proof of concept).
- The “citizen developer”: as defined by Gartner, “a citizen developer is a user who creates new business applications for consumption by others using development and runtime environments sanctioned by corporate IT”. Gartner Research released a study stating that by 2014, 25% of new business applications will be delivered by citizen developers (see Flavien Boucher’s article).
Hence it seems that Shadow IT and Citizen Development are a significant part of IT’s future…