What is Shadow IT?

15 August 2014

Until an event a few weeks ago I was blissfully unaware of the phrase “Shadow IT”. It crept up in a presentation given by a Service Provider who was trying to explain the risks to a set of IT Management client staff regarding their job security. And despite the dark undertones of the phraseology, it’s a valid and interesting concept which is probably still fairly unknown or unused in the nomenclature of day to day IT management, however its prevalence is definitely scary.

Shadow IT, by my definition, is the process of people outside of the IT department making decisions relating to the delivery of technology within a business without consultation to the IT department or other organisational sign-off body. Also known as Stealth IT, it’s the age old “I’m bored with the IT team not giving me what I want so I’m going to go and buy my CRM system on my credit card” phenomena. And its very real.

I had direct experience of this on client site in the last few weeks. A specific team were going through a business process re-engineering workshop and identified a need for a new data repository to track jobs that they were performing. In fairness, they attempted to engage the IT team but the response was far from adequate, so they engaged that well-known IT advisory service, Google, and found a cloud based solution for their specific need. They actually found more than one, short listed three, trialled all three, picked one, accepted the t’s and c’s and started to use it - before the IT team had even noticed.

Now they were clearly pleased that they had found a solution to their problem, and it appeared to be perfect. For a few tens of pounds per month they were able to track their jobs in exactly the way they wanted, over the internet, without having to deal with IT to stop them having their fun. All seemed rosy in the garden…… but…..

Interestingly in this example however, IT were aware. They performed some rudimentary checks on the cloud supplier, and alarm bells started to ring about business size and shape (and viability), data protection and security processes, and other things that IT guys (who ultimately in this instance were responsible for Data Protection and Risk) tend to worry about. After much toing and froing, it was decreed that the application should be re-evaluated and implemented using internal IT developers to conform to the organisations security posture more appropriately – which was the right answer.

So where does this lead us to. I think the client in question found this whole experience very enlightening. Firstly, the IT team need to be as well engaged as they can with the business to help them fulfil their requirements NOT be seen to hinder the business in their endeavours (“Computer Says No”). Secondly, the business need to use the IT team’s expertise in mitigating some of the risks of the myriad of providers in the marketplace today, especially around security and data protection. Finally, and probably most profoundly, IT need to be in a position to articulate its value in the business more readily in the context of much external competition – internal IT is now very much a service provider and will be booted out if they can’t provide the right solution (internal or externally) and manage it thereafter in line with the business expectation.

Shadow IT may not be a nice term, but it’s valid in its scariness. If IT had not intervened in this specific example, client sensitive data could be sat in a server in someone’s garage, sold to marketing agencies, not disposed of properly and probably without anyone in the business being even aware until the law suit hits. IT need to stop the business from needing to “go dark”, and explain proactively why a bit of expertise in our world of complexity can be a very valuable thing.

We use cookies and other technologies to allow us to remember you, improve our service and display relevant ads to you. To accept cookies, continue browsing, or view our Cookie Policy to find out more, including how you may withdraw your consent.