Through some of the work that I do for my Clients, I’ve helped to identify and reduce Shadow IT as a part of better aligning IT delivery with strategic business goals. It has been sort of a mantra, that Shadow IT is a bad thing and must be eliminated. Over the past couple of years though, I’ve increasingly found myself second guessing that mantra.
While governance and security are even more important now than in times past, the characteristics of IT services have changed around us. Take end user devices for example. The product life of a desktop or laptop system, several years ago, could be argued to be three years or more. While the device can certainly function for that long and even longer, most users are “out-using” the device long before that now. Device manufacturers are developing products that are well dialed-in to what users want… even if the users don’t know they want it. The product cycles for these innovations are measured in months rather than years. Furthermore, usability of the products themselves has significantly improved beyond what used to create routine help desk tickets. The product marketplace has slanted heavily in the direction that users are disgruntled by someone suggesting they have to use some particular make and model of computing device. Users are eagerly willing to switch to B.Y.O. IT
Offerings available through SaaS and PaaS cloud providers are very sophisticated and robust. They are moving to the point of commoditizing IT services that not long ago were considered quite complex. Some of the development work that consumed IT cycles in creating a new service has been already done and done well by these providers, bringing into question the cost justification of a new service creation project at the very least.
Changing Views of Shadow IT
So what does this mean to our traditional view of Shadow IT? Well, if one is still reticent about letting go of the notion that Shadow IT is always bad, then it means the job of managing the proliferation of Shadow IT is becoming harder than ever. If one is coming around to a model in which some Shadow IT may even be beneficial, then the focus of the work comes around to how to ensure governance and security.
Some may address this by trying to establish an approved list of BYO services. In my opinion, this may be just as steep a treadmill as trying to eliminate Shadow IT. Others have addressed this through what I call the “Walk a Mile in My Shoes” approach, through which the IT leader will try to make users appreciate what IT actually goes through to bring a service to the enterprise, in hopes that they will take with them an eye for good security and governance concerns. To me, this is a roll of the dice, and given the typical success (or lack thereof) we usually have with communication plans in the IS security context, my hopes are not high for that one.
An argument can be made that Shadow IT, framed in the proper context, can even offer relief to IT services planning and delivery. However, the aspects of governance and IS security are even more open ended in such a model, which requires a shift of attention to that area.
We’d greatly welcome your thoughts on Shadow IT in your organization, and in particular to hear about examples of how the changing marketplace has reinvigorated Shadow IT proliferation in your firm.