Shadow IT lift gets heavier: How IT Ops can get a grip

Johanna Ambrosio, Freelance writer and editor, TechBeacon

If you believe shadow IT is no big deal, or that it will go away on its own, you'd best stop that magical thinking. The implications for IT operations, and IT in general, are too dire to continue doing nothing about it. And shadow IT, those projects that take place outside of IT's direct control—often, without its awareness—will not ease up anytime soon.

In fact, the problem is getting worse. According to Dion Hinchcliffe, vice president and principal analyst at Constellation Research, over half of all IT-related spending is now controlled outside of any IT authority in most companies, up from just 10% two decades ago, and 33% 10 years ago.

"The tipping point has arrived."
Dion Hinchcliffe

And shadow IT is going to get even bigger. IDC's most recent Worldwide Semiannual IT Spending Guide: Line of Business forecasts that technology spending by business decision makers will overtake technology spending by the IT department in 2019.

"It's been a situation of benign neglect," Hinchcliffe said. Unless something affects security, creates regulatory issues, or has a negative effect on customers, it's relatively easy to ignore the trend.

But IT organizations overlook the situation at their own peril. Security, monitoring, and cost controls go out the window when at least half of all applications and systems are managed by people outside of IT. Not to mention that other pesky issues, such as connecting or integrating these "outside" apps with the rest of the corporate infrastructure, become much more difficult or outright impossible.

But there are ways to take back control of shadow IT. Here are key steps to help mitigate the problem.

Major IT ops ramifications

Software as a service has done more than most other technologies to push the issue of shadow IT forward. One of Micro Focus' customers was paying Amazon $30,000 per month in IT-related charges that the IT organization had no knowledge of, said Michael Procopio, product marketing manager at the enterprise software company.

"People were just taking out their credit cards."
Michael Procopio

The same situation exists with other types of platforms that millennial workers in particular have a lot of comfort using. Hinchcliffe said that at one large organization he spoke with, 15% of its apps were built using WhatsApp.

And just wait until the Internet of Things and edge computing take off in a big way for corporate America. "There are real [IoT] apps around healthcare, retail, and industrial processes," said Glenn O'Donnell, a research director at Forrester Research. "More of that is being owned by the business. These devices are becoming the 'digital' part of the digital business."

Shadow IT circumvents security

Simply put, IT can't possibly guarantee the security of any application or data that it does not control—or that it does not even know exists. "IT organizations have guidelines to how new software is introduced to the environment. There is a process in place where proper testing is done in a sandboxed environment before it is introduced into production," Christopher Frank, an IT administrator, wrote in Forbes. "When we bypass these procedures, we risk potential threats and attacks to the environment, increasing the potential for data loss and compromise."

Shadow IT kills cost controls

One major role of IT is to keep costs in line by pooling the corporate spend and taking advantage of volume discounts. Buying three seats of an app generally costs more per person than buying a license for 200. But if individual departments are doing their own thing and circumventing spending controls and budgets, there's no way to achieve those economies of scale.

Perhaps even more important long term, the business no longer knows what it is truly spending for all of its tech, according to Procopio.

Shadow IT bypasses monitoring and controls

If you don't know shadow IT exists, you can't monitor or fix any of the apps or systems that exist outside of IT's purview. You certainly can't back up the data created from these rogue systems, and analytics become difficult, even meaningless, by having separate pockets of information instead of one version of the truth.

Additionally, in the coming age of AI and machine learning-based systems that will start to heal issues before they shut down production, anything outside the IT fold will not be party to these advances, either.

How to cope with shadow IT

Suggestions on how to deal with shadow IT range from the strategic to the tactical. Rhonda Vetere, the new CIO of infrastructure at a major bank, has some advice for hands-on IT Ops pros. "If you're in a shadow IT organization and know it, I would raise the issue and ask about the strategy of the team and whether it will be integrated into a more global technology organization."

For a career techie, it's likely not satisfying to be on the fringes of IT, she said; this can be discussed in a one-on-one meeting with your boss or during a performance review, for instance.

Another idea comes from Christopher McLaughlin-Brooks, the CIO of TaskUs, a provider of customer service and back-office support for tech companies. "Develop a great relationship with the accounting department," he suggested. If you find out about a charge that's related to IT, you can "get on top of that and get it sorted right away."

Another suggestion, he said, is to rely on systems analysts "as your eyes and ears. They are there to support the business, but they can help shake out" different apps to make sure security, infrastructure, and other technical aspects are sound.

To help figure out where the shadow ITers are lurking, get with your security group. "Cybersecurity is very aware of shadow IT and can tell when a computer is using an unauthorized IT resource," Constellation Research's Hinchcliffe said.

The bigger issue, both Vetere and McLaughlin-Brooks said, is not getting in the way of the business.

"If people are buying their own instances of products, either they don't like what you're doing, or they don't know about it. You want to get in front of that."
Christopher McLaughlin-Brooks

He reviews service-desk tickets to see where the trouble spots are and spot trends, then escalates the most common issues as one way to fix problems before people go out of the fold.

Shadow IT is your conversation starter

Companies can have a difficult time figuring out the balance between too much control—the old "Department of No" problem IT has historically had—and no guard rails at all, Forrester's O'Donnell said. But the first step is not to view shadow IT as the enemy. "You have to investigate what they're doing and why," he said. A dialog needs to take place.

At the end of the discussion, the shadow IT group will decide to come in from the cold and let IT manage things, or it won't, Vetere said. But even if the group doesn't come around initially, non-IT groups often give it up eventually as they become tired of dealing with security, patches, and the other "belt and suspenders" type of work that IT has long provided.

However, even if the shadow IT group doesn't come around, at least you'll know what the issues are. IT and the business can work together toward incorporating security, monitoring, and other guidelines to help turn the rogue app into a better corporate citizen.

The smartest approach is to use shadow IT as "an on ramp to better IT," Hinchcliffe said. One CIO he knows went around to all of his company's divisions and business groups and asked them to give the internal IT group a chance to meet their needs before going to outside vendors. And he said, "Even if you don't pick me, I'll help you do the right thing." That helped him retain a lot of the work he would have lost.

Another approach is to find a shadow IT group that's doing something awesome and use them as a model for innovative technology, he added. And, at the same time, IT can help bring the project into the corporate fold.

The bigger fixes really have to do with corporate culture and avoiding the "them-vs.-us" construct in the first place. If everything is considered business tech, then everyone is in the same boat and all are working together to serve the needs of the business, O'Donnell said.

Watch for the red flags

"If there is shadow IT, that's a big red flag for the future of the business. That's telling you there's a disconnect between the business and IT staff."
Glenn O'Donnell

The CIO must then step up and recognize why the problem exists. They have a fiduciary responsibility as a CIO to address this, Hinchcliffe said. After all, shadow IT is really just another form of technical debt.

"You kick the can down the road and don't fix it until you have to. It's a drag on the organization's future."
Dion Hinchcliffe
