Are you running along with excessive Shadow IT?
Are you just running along with Shadow IT - DGCpartners 2021

"We're not spending that much on IT."

"Shadow IT" is often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational awareness and approval (be it by the IT, Information Security, or Cyber-Security groups). It is hardware and software within an enterprise that the organization's IT department does not support. It is alternatively termed "Stealth IT" or "Distributed IT" to describe solutions specified and deployed by departments other than the IT department. Like many CIOs, we likely recognize the underlying challenges in our role regarding Shadow IT. When we read the latest State of the CIO reports, we see that Shadow IT / Stealth IT is recognized and growing in many organizations. Although the label is neutral, the term often carries a negative connotation. It implies that the IT department has not reviewed or approved the technology, or doesn't even know that employees are using it. Shadow IT comes about when the organization's IT department cannot promptly meet a business unit's or department's request. The requesters then search for and find a solution (such as a cloud-based SaaS (Software as a Service) offering) that meets their 'immediate' needs.

Often, Shadow IT is unavoidable and must be accommodated by IT - but you really need to know what you're dealing with from many aspects (cost, security, efficiency, and more).

Shadow IT can be a vital source for #innovation by many, introducing systems that may be prototypes for future approved IT solutions. On the other hand, Shadow IT solutions are often not in line with the organization's requirements for sourcing, control, documentation, security, and reliability/maintainability/serviceability - although these issues can apply equally to authorized IT solutions. In addition to the security and legal risks of Shadow IT, some of the implications can be:

  • Inconsistent business logic - each Shadow IT application may encapsulate its own definitions and calculations.
  • Inconsistent approach - the methodology itself can be flawed.
  • Wasted investment - likely prevents total Return On Investment (ROI) and has hidden costs.
  • Inefficiencies - can be a barrier to innovation by blocking the establishment of more efficient work processes.
  • Higher risk of data loss or leaks - Shadow IT data backup procedures may not exist or be auditable.
  • A barrier to enhancement - can act as a brake on the adoption of more innovative enterprise #technology.
  • Organizational dysfunction - creates a dysfunctional environment leading to animosity between IT and non-IT-related groups within an organization.

Typical scenario: several groups within a company are securing IT resources & personnel without proper consideration for the technology strategy, privacy/security, maintainability, backups, functional redundancy/duplication, risks/reliability, and more. Compounding the risk is the fact that most Shadow IT operations rely on "Click Agreements" (simple, convenient contracts); as a result, the IT and Legal departments have no idea where the organization's data is, where it's stored, if/where it's backed up, or what legal risks and rights may exist. The risks can be enormous and costly (both financially & reputationally).

If there is a cyber breach or ransomware event, the organization may have no clue about what data is stored where. Worse, if a crime occurs, they won't know to promptly notify the PCI (Payment Card Industry Data Security Standard) hosting provider, DoD (Department of Defense), or CMS (Centers for Medicare and Medicaid Services).

  • Leverage Strategic Sourcing to obtain economies and mitigate risks, especially security & privacy.
  • Enhance procurement practices and policies to require privacy, security, and IT review of all IT-related materials (e.g., printers, servers, software, and other hardware).
  • Evaluate business unit licensing and staffing on a case-by-case basis to assure compliance with the regulations and initiatives mentioned earlier.

There's usually a history.

Shadow IT doesn't happen overnight. It is often the result of an impatient employee's or leader's desire for instant gratification & immediate access to hardware, software, or a specific web service without going through the necessary steps (controls) to obtain the technology through the proper procurement channels. With one client, only ~58% of the total IT spend was actually under the control of the IT division, leaving ~42% under other divisions and vendors (buried in budgets as paper, miscellaneous services, consulting, hardware, and more) - resulting in duplicative spending, an inordinate amount of data risk, and lower than expected productivity.

With the pervasiveness of IT and cloud computing, the meaning of Shadow IT expands to include all sorts of technology that employees use at work, or niche technology that meets the unique needs of a business division, where support comes from a third-party service provider or an in-house group instead of the IT division.

Shadow IT can inadvertently introduce risks when unsupported hardware & software do not receive the same #security rigor. Technologies circumventing the IT department's processes and knowledge can negatively affect the user experience and introduce bandwidth, application, and network protocol conflicts. As mentioned previously, Shadow IT can become a compliance concern when an employee stores corporate data in a private/personal online account. CIOs across all industries are elevating #business and IT alignment to improve cost performance, enhance security, and improve working relationships among divisions. Committing to continue nurturing the Business-IT relationship not only achieves alignment but fosters trust.

Shadow IT includes many forms of IT-related activities and purchases that the IT organization (i.e., division, department, or unit) isn't involved in selecting, sourcing, installing, or maintaining. These purchases may consist of hardware (e.g., servers, PCs, laptops, tablets, and smartphones); Commercial-Off-The-Shelf (COTS) software; and Cloud Services (e.g., Software-as-a-Service [SaaS], Infrastructure-as-a-Service [IaaS], and Platform-as-a-Service [PaaS]). Cloud Services, especially SaaS, are the most prevalent form of Shadow IT. The number of services, applications, and systems has increased, and business units routinely install and use these without involving IT or the Information Security / Cyber-Security groups.

There are notable benefits of Shadow IT SaaS: it enables users to quickly & easily get tools to increase productivity and interact more efficiently. The challenges of Shadow IT SaaS include potential security gaps, such as when IT/InfoSec departments don't know which services & applications are in use, which often affects compliance and financial audits. In addition, it promotes "application sprawl," wasted time and money, and collaboration inefficiencies.

Across industries, many business enterprises contend with an ever-increasing IT budget, due to the growing bare minimum of IT services that need to be in place to perform critical business tasks. As this number increases, it paves the way for making IT purchases around official channels. These purchases can be one of the main contributors to runaway IT/technology spending.

The Challenge

Corporate risk increases because the IT department did not develop the technology, was unaware of it, and does not support it - increasing the likelihood of 'unofficial' and uncontrolled dataflows and making it more challenging to comply with the Sarbanes-Oxley Act (SOX/SOC2) and other compliance-centric initiatives (e.g., COBIT, FISMA, ISO-27001, GAAP, HIPAA, PCI DSS, TQM, PPACA, HITECH).

  • Shadow IT can put the entire organization at risk. It bypasses many of the controls (security, financial, and technology) and introduces novel information technology capabilities. These unique capabilities expose the organization to many unknown risks, revealed only when things go wrong.
  • Shadow IT is here to stay. With the accessibility and availability of cloud-based/SaaS technology resources and more business staff knowing how to use them, stealth IT will continue to expand - we shouldn't kill it; it requires management.
  • Shadow IT is political. Shadow ITers are often considered persistent 'star performers' because of the innovative solutions they introduce. They won't take no for an answer and will likely welcome IT's help in quickly deploying a solution if it also meets the broader risk, security, and integration needs of the organization. If not, they'll build it, buy it, or otherwise get it without IT involvement.

Application Rationalization roadmap - DGCpartners 2021

Shadow IT can present legal and compliance issues, putting established system relationships and business processes at risk. According to Gartner, more than 50% of all businesses have Shadow IT - with estimates ranging from 30%-100% of the total known IT spend. In 2015 the estimate was 35% of businesses and only 30% of the known IT spend. The situation will only increase, because the demand for new applications and services needed to expand an organization's business and digital transformation is wildly outstripping the capacity of IT to meet it. As we're also seeing, cloud services are maturing, and employees are becoming more tech-savvy and intolerant of the pace of traditional IT - many of them have honed their skills to find and support their own IT solutions.

Organizations need to work hard to locate all Shadow IT to protect themselves. The question is: how to tackle, or even capitalize on, Shadow IT?

Solutioning

When rationalizing these expenses, it is essential to include both the output and the outcome of the applications, through business processes and capability delivery. Achieving such understanding can be challenging without an enterprise-wide portal/knowledge base. Access to the data and meaningful analytics is essential, making it much easier to genuinely improve the application portfolio as both the number of applications and the complexity in the business are reduced through collaborative #business & #technology transformation.

If properly managed and in the right hands, Shadow IT can be a benefit to the organization. Some business uses of Shadow IT are advantageous and readily justified - not harmful to the organization - and should be controlled as the business unit's operational technology spend, but with the proper #riskmitigation. We work with your team to find Shadow IT using a proven methodology, inventory & rationalize its presence, and evolve Shadow IT into partnered innovation opportunities.

Leveraging our Application Rationalization framework, we work to understand the best alternatives and set out to acquire a suitable toolset to improve the management of Shadow IT. To do so, it is necessary to:

  • Establish an enterprise-wide portal/knowledgebase - serving as a platform for common understanding across business, IT, and strategy.
  • Apply a proven application rationalization process and use discovery tools to reveal traffic in your technology environment.
  • Set up a simple process for handling application purchases in the enterprise-wide knowledgebase.
  • Involve the business in all technology transformation initiatives (and vice-versa) - converging them into a collaborative business transformation initiative.

We can help

Together, we'll help improve the management & monitoring of Shadow IT by documenting its presence through refined processes that include provisions for standard and fast-path technology (Information Technology and other technology purchases). This also helps the organization manage costs and focus on the desired business outcome, ultimately strengthening it against the associated cyber risks.

  • Our adaptive approach helps you build a comprehensive Shadow IT strategy that serves as the foundation for ongoing IT & technology asset discovery, identification, and assessment across the organization.
  • Our approach is not about saying "no" to the business but instead is "how can we help?" - to improve operational efficiency, strengthen security, build trusting relationships, and ensure IT implements proper IT controls that mitigate risks.
  • Our focus is on using data to articulate the risks to the organization (especially IT-related risks) of each Shadow IT occurrence. Communicating the specific costs and risks enlightens the business and enables suitable technology investments.
  • We're grounded in interpreting business needs and appropriately leveraging Shadow IT to foster innovation and facilitate competitive advantage for the organization.

If you're interested in understanding how DGCpartners can help, or just in knowing more about accurately reflecting technology budgets and better supporting the organization's technology needs, reach out to me here on LinkedIn, to DGCpartners here on LinkedIn, or through our website.

DGCpartners, LLC is an independent management & technology consulting firm offering business & technology advisory services. DGC brings experienced resources and makes the critical difference at the beginning of the Business-IT turnaround, strategic program, or business startup / rescue / expansion.