Upside in shadowy world of ad-hoc computing
- 25 February, 2007 22:00
Does your organisation have a Shadow IT department with users taking IT into their own hands? If so, how do you control the big issues like security?
According to a feature by Ben Worthen in CIO magazine, a two-year-old study by Pew Internet and American Life Project showed that 42% of internet users download programs, 37% use instant messaging, 27% have used the internet to share files and 25% access the internet through a wireless device.
“Users have a history of providing their own technology, but the capabilities of today’s consumer IT products and the ease with which users can find them is unprecedented … .The era in which IT comes only from your IT department is over,” Worthen says.
This secondary IT department — the Shadow IT Department — is a challenge to control.
Worthen says CIOs’ first instinct is to fight the shadow department, but he warns that will end in stalemate or defeat and innovation will discouraged (or driven underground).
The experts Worthen spoke to acknowledge security and compliance issues will be challenging but recommend that CIOs deal with them “strategically, not draconically”.
One Gartner expert advises finding out why users have broken the rules and learning from that.
“Successful companies will learn how to strike a productive balance between consumer IT—and the innovative processes for which employees are using these tools—and the need to protect the enterprise,” Worthen writes.
He says the only way to stay relevant is to come to terms with the fact that the IT department will no longer be the exclusive provider of technology within an organisation.
Even if managers try to manage the shadow IT department, they are fighting a losing battle because there is no central authority or hierarchy, as there is in corporate IT. “It has no head to cut off or single channel to dam.”
Worthen recommends a variety of ways to manage Shadow IT. They include finding out how people really work and thinking of the perpetrators as innovators who can help rather than troublemakers.
He says the enterprise will become a messier place, but that that’s better than stagnation. “Controlled chaos is always OK.”
It’s hard to put a cost on Shadow IT spending, but an article from Tom Pisello in Computerworld in 2004 said that in the late 1990s, it was estimated to about 10% of the formal IT budget.
“Recent research estimates that shadow IT spending has doubled from 2000 to 2003 to consume 20% of total IT spending in the average organisation.”
In fact, in rapidly changing organisations where formal IT spending is curbed, Pisello says that shadow IT expenses are as high as formal IT spending.
He says that in several organisations the IT department has turned to collaboration, “working with the business units to assure conformance to corporate technology standards and to develop transition plans to formal IT for ongoing maintenance and support.”
CIOs can even use the evidence of shadow spending to get an IT budget increase.
Pisello says that while shadow projects may seem necessary, they come at a steep cost for the future, when centralised IT will need to “integrate these systems back into the mainstream and provide ongoing evolution and support.”
These future problems are an issue noted in an article on TechRepublic.com by Ruby Bayan.
She says Shadow IT sometimes comes about because people believe it will take the IT department too long to respond. However, problems occur when Shadow IT doesn’t have all the necessary expertise.
"Systems that are procured and provisioned outside of professionally staffed, standardised, and monitored IT processes are far less likely to conform to continuously evolving configuration best practices, security checklists, and patch levels", she says.
The experts Bayan spoke to recommend investing in tools to get a handle on shadow IT and improving the management of existing shadow IT facilities.
Making the initiation of any more shadow IT less likely is also recommended.
“Establish mechanisms for more rapidly adapting IT platforms and processes standards to business needs. This may also mean supporting more sanctioned platforms and more flexible processes.”