There Is Light in Shadow IT

Posted by Patricia Puccinelli on March 22, 2021

When you hear the phrase “shadow IT”, what comes to mind? Visions of ominous, dark, or secretive information technology pockets operating outside of the CIO’s control or visibility? Worries that the software purchased or developed by these rogue IT groups will end up in the CIO’s lap when support becomes a challenge? For many CIOs, this is their experience and reality.

Rather than viewing shadow IT as an issue, a better approach is to see it as an opportunity to collaborate more closely with business leaders. Rather than focusing on why shadow IT is a problem, jointly focus on the business challenges to be addressed. IT is evolving from a function or department to a business enabler that helps companies compete effectively, no matter where IT is located organizationally.

Business leaders generally have a good understanding of what they need, but may lack a full understanding of all the non-functional elements necessary to deliver a robust, technology-enabled solution.  Engaged CIOs will advise business leaders on IT best practices that ensure high levels of security, interoperability, compliance, performance, resilience and usability – turning this into a win-win situation. The shared goal is to quickly deliver a solution that addresses an intended business outcome.

An open and candid conversation among business and IT leaders to discover the reasons for shadow IT can go a long way toward improving the relationship between these groups and delivering solutions that create new business value. To be certain, there are clearly upsides and downsides with shadow IT. Understanding and addressing both, and learning from and applying the insights gained, is the starting point for delivering this new business value.

The Dark Side of Shadow IT

Let’s begin with a quick review of the downsides of shadow IT since much has been written on its potential risks. Keep in mind, many of these risks result in increased complexity, cost and extended time-to-value. The downsides of shadow IT generally line up around the following risks:

  • Duplicate effort and energy expended among business and IT teams
  • Redundant applications and related support costs
  • Poor application alignment with enterprise architecture and associated standards
  • Poorly performing applications relative to response times and reliability
  • Software and hardware contracts lack needed business protections (e.g., cybersecurity liability)
  • Disaster recovery and resilience not considered in infrastructure investments
  • Multiple application integration methods that are inefficient and costly to maintain
  • Application and infrastructure information security exposures
  • Data integrity and protection issues
  • Regulatory non-compliance challenges (e.g., GDPR, PCI DSS, HIPAA)
  • Non-integrated interactions across multiple systems resulting in poor customer experience
  • Cumbersome and non-intuitive user experiences with custom developed software
  • Potential brand degradation

As mentioned above, escalating IT costs are often an early warning sign that there is a problem. The first stage in shining a light on shadow IT is to determine where it is operating and to estimate how much it is costing the company.

Shining a Light on Shadow IT

Talk to people. IT professionals in the corporate IT organization often know where the pockets of shadow IT are in the business. They know because they have had to say “no” to internal customer requests for hardware, software or services due to constrained resources or time. And so, the internal customer must either wait or pursue their own solution. Unfortunately, this happens far too often.

Talk to operational and functional decision-makers. These are the internal customers who are often forced to seek out their own solutions. They tend to be eager to share how they have solved a specific need with a custom-developed application or SaaS solution – and how they are supporting their specialized application through a super-user or programmer on their team.

Talk to Finance. Finance personnel typically have access to general ledger account-level detail across the business to gain insights into shadow IT spend. In companies with a common ERP system, standard chart of accounts and fixed asset system, this is relatively straightforward. In companies with heterogeneous financial systems and inconsistent general ledger accounts or account definitions, data cleansing will be needed to capture accurate shadow IT spend.

Excluding any allocated corporate IT expenses, shadow IT costs in non-IT functions, business units or subsidiary operations may be recorded in:

  • Salaries and benefits – costs of employees or full-time equivalent (FTE) employees performing IT functions.
  • Software purchases and related maintenance or subscriptions – costs to support niche applications or SaaS agreements.
  • Hardware subscriptions – costs related to cloud-based computing platform usage (PaaS, IaaS).
  • Computer hardware and software depreciation – allocation over time of the cost of on-premises hardware and software assets.
  • Computer supplies or non-capital equipment – hardware expenses below the capitalization limit.
  • Professional, consulting or outside services – professional fees incurred to support software or hardware assessments or project management.
  • Telephone and communication expenses – mobile devices or audio/video conferencing technologies.

Some of these costs, such as FTE salaries and benefits, may have to be estimated. Other cost categories, such as professional services, may have to be reviewed in further detail to eliminate non-IT services.

Many CIOs are surprised at the level of expense and inefficiency generated by shadow IT – we have seen over 30% of total IT spend occurring outside the traditional IT organization.

Igniting Shadow IT

A recent client CIO commented, “Shadow IT isn’t always bad. We just need to figure out how to use it to our company’s and customers’ advantage.” This is the right attitude.

Developing relationships with non-IT decision-makers and understanding their pressing business needs is the first step to unleashing the potential of shadow IT organizations and leveraging shadow IT spend. Organizationally, using business relationship managers (BRMs), individuals who liaise between business and IT (and understand both), is one way to ensure that changing business plans and actions, and the resulting technology implications, are understood. Discussions among BRMs and their business partners will highlight business problems to be resolved with IT solutions. Decisions can be made jointly as to how best to provision these solutions – either through custom-developed software or commercially available applications. And BRMs can educate their business partners on how to control, manage and support IT solutions in compliance with appropriate company IT standards, best practices and policies.

The second step is learning the business so IT can be proactive in identifying and delivering impactful solutions. IT can shift from saying “no, we can’t” to “yes, we can.” Becoming a trusted business advisor elevates the role of IT, enables transparency and encourages creativity.

IT’s enhanced understanding of the business will ensure proposed IT solutions are more closely aligned – whether focused on delivering a compelling customer experience, improving operational productivity or reducing the time to market for new products and services. The narrower the knowledge gap between business needs and IT capabilities, the more relevant and effective IT solutions will be in meeting these needs. This will dissuade business leaders from pursuing their own solutions and lead them to seek advice and support from the corporate IT organization instead.

Step three is accepting that, in some circumstances, speed and agility of solution deployment are more important than developing or finding the “perfect” solution. Our clients tell us one of the key reasons shadow IT is created is due to IT’s inability to respond with urgency to help the business meet new and rapidly evolving customer requirements. Measured experimentation and iteration are good – as long as the business and IT are working together to deploy solutions that address the needs of the market without exposing the business to the risks mentioned previously.

Having a framework for deciding when a company-wide solution needs active IT involvement versus when a workgroup solution can be developed by a shadow IT team is critical. We recommend an approach called “guided autonomy”, which establishes guardrails around which IT projects or services require IT involvement, approval and support and which IT projects require only IT awareness. See Cimphoni’s upcoming blog post for further information on guided autonomy and how it can help your organization exploit the benefits of shadow IT while mitigating the risks.

Performing a shadow IT assessment, including the use of automated hardware and software discovery tools to estimate the total IT spend in the company, is a great starting point. This assessment will provide visibility into the current state of computing assets, particularly those that fall within the realm of shadow IT. This will then create the basis for a discussion between business and corporate IT to reduce total IT spend while also improving the effectiveness and value delivered by these assets.

If you are interested in identifying how to exploit the benefits of shadow IT spend while mitigating related risks to your company, Cimphoni can work with your team and walk through the necessary steps. We can start with a SnapShot Assessment across the business to discover and prioritize opportunities. Additional information can be found on our website regarding digital transformation.