Should Shadow IT be redefined?

It is time shadow IT was defined with respect to organizational policies and not the central IT department

A couple of days back, we all got an email from our CFO, urging us to hire app-based cabs for local travel in all locations and use admin-booked agency cabs only when it is absolutely required.

What prompted him to do this? No one reading this piece needs to guess the answer to that one. App-based cabs like Uber and Ola provide cost savings of at least 30%—sometimes going up to 60%. While that was presumably the CFO’s reason for batting for them, it is not that the employees are not using them already. Except when it is too critical to be left for the last minute, most employees—there’s still a small but significant tribe of appo-phobics—use them anyway.

Now, go back by 10-15 years. Hiring cabs on your own, without going through the admin or some central department, and that too at will, would have been unimaginable in many organizations. What has turned the logic upside down is the availability of models that are more convenient and cost far less.

Now, think of It. I mean IT. Is it so different? Yes, it is far more complex to understand and it does far more than just transfer us from one place to another. However, at the end of the day, it does facilitate completing a business process—much the same way as a cab does. So, if something new and disruptive is helping make that process better while enhancing employee satisfaction, what is wrong in embracing it?

Well, IT services and cab services are not exactly similar. So, we probably need different approaches when dealing with them. Different approaches, mind you, not different business principles. They—or for that matter, all business processes—still need to be more efficient and more effective.

The Disruptive Change in IT

Take what the IT fraternity calls shadow IT. Gartner defines it as “IT devices, software and services outside the ownership or control of IT organizations.”

Study after study has shown that this practice is on the rise. A recent NTT Europe study says that as many as 77% of respondents in a survey of 500 IT and business executives admitted that cloud services have been commissioned in their organizations without the involvement of the IT department. As many as 83% of respondents felt it would rise in future.

It may be mentioned here that though the Gartner definition is a little broad, the rise of cloud services has really accelerated the trend. Few non-IT departments would actually create their own data center!

Many studies last year—by Cloud Security Alliance, Canopy/Atos and Cisco—tried to estimate the extent to which shadow IT has penetrated enterprises. Most of those ended with a mild warning, pointing to the security threats that could arise out of it. Most of these studies were targeted at the CIOs and IT departments.

Of late, the narrative of the shadow IT discourse is changing. The voice is getting more patronizing. Often, it is being touted as something that “spurs innovation”; that is backed by “sincere intention” to do things in the interest of the business.

The reasons for this change are multiple.

One, it is not just widespread, it has started to be perceived as irreversible. Many of those non-IT people are no longer buying just specialized apps; they are buying core IT infrastructure services as well.

According to the new NTT study, as many as 48% say that cloud-based servers and storage (IaaS) are being used by departments without the involvement of the IT department, while 39% said the same is being done for public cloud. And it does not just run deep; it is fairly widespread too. The same survey says 57% admitted that half or more of the departments are using these services.

So, in effect, these non-IT buyers are now a serious target market for IT vendors. And the vendors cannot afford to enrage them.

Two, a few senior IT leaders realize that this is irreversible and they want to be seen as progressive. So, they too take a similar stand.

And finally, there is the genuine realization that it is a practice that has merit and needs to be worked with—and not be opposed.

Interestingly, those who are doing this—purchasing and installing IT without corporate IT—are not really bothered too much about what is being said. They are not part of the debate. Many of them do not even know that there is something called shadow IT. They are buying the cloud services as they do any operational expenditure.


Whose Shadow?

With the changed reality, it probably makes sense to probe a bit on the appropriateness of the name, shadow IT.

Shadow as an adjective is usually used in one of two ways.

One, as in shadow cabinet or shadow prime minister (leader of the opposition), as used in the UK. A shadow defense minister is expected to be the defense minister if the opposition is in power. He would also deal with policy issues of that ministry.

In that sense, going by the definition of shadow IT, it would appear that the non-IT executives involved in purchasing IT services want to challenge the IT department. In reality, they hardly think like that. They just want to get their work done and do whatever is required for that. It is not a control game against the IT department.

The other usage of shadow as an adjective is in place of “shadowy”. A shadowy person or thing is something whose identity is suspicious. Maybe the applications that first got installed without IT involvement were—or were perceived to be—of suspect origin and identity. But as the NTT study shows, as many as 39% of respondents said the services that have been bought include services from Amazon Web Services, Windows Azure and Google Cloud Platform. They are anything but shadowy.

The problem with the current definition of shadow IT is that it is framed with respect to the IT department. As more and more of IT gets woven into operations, it will be impractical to involve IT in all purchase decisions. With the Internet of Things (IoT), it will be an even starker reality.

But a free-for-all cannot be a stated strategy either, with all the cybersecurity risks looming large. The need is to find a balance. One approach could be to create an organizational governance policy in which IT could be an important stakeholder.

Then, the ‘shadow’ness could be defined as those flouting this policy rather than those not involving the IT department. Today, it is the other way. If three-fourths of the people flout a law, then that law has an issue.

Of course, it is easier said than done. How do you ensure that there’s the right balance between flexibility and risk mitigation, between speed and efficiency?

As businesses change radically to leverage the new technology, finding that middle path could become the holy grail of managing enterprise technology.
