I pride myself on being an IT geek who is fluent in “business”—someone who makes a living helping non-technical executives use technology to drive business success. I was surprised when twice last week I used terms I thought were well-understood, then got puzzled looks and requests to explain. Today’s IT term of art is “Shadow IT.”
Let’s start with a definition: “Shadow IT is IT that’s done outside the auspices of the IT department.” Sounds pretty innocuous, eh? It’s not! As you’ll see, the apparent benefits of Shadow IT are overshadowed by its risks. That’s why I prefer calling it “Rogue IT.”
Let’s consider why Shadow IT came about. When computing meant mainframe, every IT (or data processing) request went through the IT department. We were the gatekeepers of technology, with the arcane skills to coax green-bar-paper reports from punch-card inputs. Pretty quickly, demand for reports—and eventually, online applications—outstripped the budgets that CFOs had pre-allocated to IT (see footnote below). To control this supply/demand imbalance, two dysfunctional processes were born: Demand Management and its especially pernicious implementation, the IT Steering Committee.
Putting 10 Pounds in a 5-Pound Sack
Demand Management (a.k.a. 10 pounds in a 5-pound sack) is one way to handle demand for a product exceeding supply. In a free market, prices rise to a “market-clearing” level that balances supply with demand. Except that corporate IT isn’t a free market. Most firms limit IT supply by deciding upfront how much to spend each year (often as a percentage of revenue or SG&A, or based on prior-year spend), then constraining business demand to match the predetermined supply.
Get that? Some central C-Suite staffer decides what the folks running your profit centers can collectively spend on investments vital to their businesses. If you’ve ever run a profit center you know how forgiving the CEO is when you say, “I missed my targets, boss, because ‘corporate’ wouldn’t cooperate.” Ummm, no.
A popular way to manage demand is the IT Steering Committee. A Steering Committee is an assigned group, or a hierarchy of groups, of IT and non-IT employees who collectively steer (direct) the backlog of IT projects, deciding which projects get funded and in what order they commence. Steering Committees are awful for several reasons, including:
- Political games – “I’ll vote for your project if you vote for mine”
- Poor participation – delegating to junior employees or just not showing up
- Sub-optimal decisions – members don’t understand individual project risks & benefits or the corporate priorities that should drive prioritization
- Showboating – a great presentation can defeat a great project presented poorly
Business Executives Take Action!
Enough about what’s bad and how it got that way. The question is, “What’s your response to dysfunctional IT if you’ve got a business to run?” In the mainframe-only days, execs could only play the Demand Management game. Once mainframes weren’t the only option, execs started end-running corporate IT. They bought minicomputers and called them “office equipment” or “lab instruments,” and found eager, often self-taught, business employees to install and program their new departmental tools. Then PCs, Local-Area Networks, and Client/Server systems made it easier, cheaper, and faster to acquire and implement this kind of departmental computing.
And today’s cloud solutions need just a departmental PO or even a credit card to get full-blown application suites running in days or even hours. Sounds like a great solution, right? Because the CFO got to report an IT spend in line with their budget numbers and business executives got the solutions they needed.
Shadow IT is a terrible solution for many reasons:
- Security exposure: Securing the interlocking pieces of an IT solution takes skill, experience, planning, tools, and ongoing attention. Even a modern cloud application can be insecure depending on how it’s implemented and what it’s used for (i.e. does the very secure database tool bought by a department hold mundane part numbers, or HIPAA-protected patient data?).
- Information fragmentation: The holy grail of data is a single source of truth that’s timely, accurate, secure, and available. Even with centralized IT planning and architecture, few firms achieve this goal. There’s too much data, coming in too quickly, from too many sources, to get one’s arms around it all. But multiplying the problem with disjoint Shadow IT systems takes the firm further from that noble goal.
- Audit/compliance: Most firms I’ve worked with underestimate the costs of audit and compliance. You incur ongoing Internal Audit costs and pay significant External Audit fees to ensure the data coming out of your IT systems reflects the data that went into the systems. Shadow IT systems often introduce additional interfaces and “desktop-quality” tools that add complexity and cost to audits. These costs aren’t usually charged to IT for hard-to-audit systems, or to business departments for even-harder-to-audit Shadow IT solutions. They get charged to a corporate account somewhere else. Not only can Shadow IT add millions of dollars to the audit bill, but senior IT and business staffers are often called on to help auditors dig out data and tease out process information when running audits—taking them away from productive work.
Are you a CFO or CEO who signs SOX 404 “go to jail” attestations? Dig into the Shadow IT systems that feed your external reporting and I guarantee you won’t sleep very soundly the night before you sign!
- (Inevitable) Fire-drills: As a CIO my first inkling of a Shadow IT system was usually a call from a C-Suite peer: “Our XYZ application that we need to close our books is down and the only person who can fix it is on vacation/quit last week.” I’d then discover that the person named wasn’t an IT staffer, but a business employee—and that the “application” was a 50K line Excel file tied to an Access database that ran on that employee’s PC. I’d scramble a team and discover a maze of similarly haphazard apps that needed to be untangled ASAP to get them back in business, and then have to add a project to that dreaded corporate backlog to properly remediate the vital process that was jury-rigged over months or years by business users.
There Is Hope
I hope this helped readers make sense of Shadow IT. What it is, why it came about, why it’s a bad idea. But what should a CEO do about it? The good news is that modern software tools and a new approach to IT governance and budgeting can turn Rogue IT into a powerful IT/business collaboration tool. What’s needed:
- SaaS ERP/CRM/EHR suites built atop cloud databases
- Introduction of modern integrated low-code & BI tools for building apps and analyzing data
- Changing the IT mandate from “doing” IT to “overseeing” IT
- Building a connection between IT Professional Developers and Business Unit Citizen Developers
- Budgeting business IT projects in the business and not in IT
In upcoming columns, I will address each of these fixes, so keep an eye out for them.
Footnote: 50+ years ago, there was an excuse for CFOs and CEOs to push back against ballooning IT budgets. Name another business function that appeared from nowhere to quickly consume millions of (1960’s!) dollars. But after three generations of CFOs and CEOs, you’d think we’ve learned how to budget IT. Since most haven’t, I’m writing a CFO column with advice for Acceleration Economy IT budgeting!