What should public sector CIOs do about ‘shadow IT’?

Don't attempt to restrict or contain shadow IT because such an approach will likely fail, says Glenn Archer

Gone are the days when government CIOs could expect to exercise total control over how their agencies invested in ICT.

A recent Gartner survey found that government CIOs are responsible for only about 60 per cent of technology expenditure and that figure shows every indication of continuing to decline.

Enter the sinister world of ‘shadow IT’ where users buy their own technology services without your approval.

I have discussed this scenario with business leaders who have been quite consistent about their perspective on this shift in how IT procurement decisions are being made.

Typical responses have included, “Excellent news!” and “Can’t happen fast enough.” In most cases, these responses demonstrate an underlying degree of frustration – built up over time – that IT is unresponsive, not sufficiently innovative or just doesn’t understand the business imperative.

Clearly if the business unit can avoid having to deal with the CIO – or anyone in IT – by going direct to the vendor/provider they can solve all these problems.

But… and it’s quite a concerning ‘but’, there is indeed a disturbing side to shadow IT.

Gartner believes that in the next two years, more than half of technology procurements initiated outside the IT department will not achieve their intended benefits. Put bluntly, IT does not have a monopoly on making poor technology choices.

Few business leaders, policy staff and program teams have built up the wealth of practical experience that comes from being scarred by one or more technology project failures.

Of course, while that’s usually the headline in the press, the reality is often that IT is only a contributor to much larger issues that compromise successful projects. And shadow IT is more likely to accentuate rather than solve these sorts of problems.

From a risk perspective, IT staff members bring practical experience in system integration and in implementing IT-enabled business change, and possess project management skills and contract management expertise. They have also learnt not to take the claims of vendors at face value.

In contrast, business units often independently acquire and deploy new systems and services without the proficiency or oversight needed to successfully manage IT vendor performance or maintain an asset for the duration of its contract.

For instance, there is often little understanding about the need to comply with privacy legislation or with digital record keeping obligations. This situation also becomes particularly problematic where there is a need to integrate the new capability with existing systems.

As a consequence, there is a significantly heightened risk that these IT-enabled initiatives will not achieve the benefits anticipated by the original business case or, when failure becomes the most likely result, will be abandoned. More often, however, the business will seek help from IT to provide its knowledge and expertise to overcome problems.

Shadow IT is significant but hidden

Shadow IT consists of IT hardware, software, technology advice and/or services outside the ownership or control of IT organisations. Typically, these are also not funded, procured, owned, managed or maintained by IT.

They are not listed in formal IT asset registers and not necessarily maintained, backed up or secured, according to generally accepted practices.

Shadow IT frequently includes consumer-grade IT and social technologies. It can create risks of data loss, corruption or misuse, and of inefficient and disconnected processes and information.

Unfortunately, traditional command and control approaches to address these issues are rarely effective. Worse yet, these approaches are frequently counterproductive in many modern enterprises.

Many CIOs attempting to deal with shadow IT quickly come to realise that they can’t prevent it, even if they wanted to. Attempts at control just make it move further into the shadows, and draconian measures will further undermine the reputation of the IT organisation. This may harm business agility and creativity, as well as motivation.

On the positive side, highly networked modern enterprises need multiple sources of technology capability and centres of innovation. Outside funding, when budgets are tight, can provide the solution to an overly risk averse culture and/or proscriptive procurement processes.

Shadow IT can certainly be a problem if managed badly or not at all. However, the goal should not be simply to minimise its risks, but to support and exploit its benefits.

Assess and communicate

Ultimately, the CIO is responsible for ensuring that the enterprise uses technology effectively and efficiently.

CIOs need to assess the extent of shadow IT in their organisation, communicate the opportunities and risks to other leaders, and identify appropriate actions to address the issue and the increasing importance of technology to the enterprise.

Some factors that CIOs can use to assess and communicate the problems and risks of shadow IT include the nature of the organisation and its dependency on effective and secure IT, the vulnerability of core systems to collateral influence or damage from non-regulated or non-assured third-party systems, and the potential of external, reputational damage from failure or malfunction of shadow IT systems.

Take a positive approach

While some CIOs may wish to believe that shadow IT is not a significant issue in their agency, or that they have no need to monitor or influence it, failing to properly assess the extent or plan for the response will likely be regretted. The best practice is to recognise shadow IT as an inevitable and, when well-coordinated, positive aspect of a technologically literate workforce in a modern organisation.

The minimum approach is to create a regularly updated assessment of shadow IT to clarify and make visible the issue and its associated risks to agency executives.

A better approach is to acknowledge the existence of shadow IT, create and promulgate appropriate policies, provide recommendations for managing the associated risks, and offer in-house or externally-sourced support services around contract negotiation and management, backup, security updates, virus checking, firewall, and intrusion prevention.

CIOs should also encourage business unit heads and others to ensure that their staff takes the necessary action to follow the policies.

The best approach is a combination of:

  • Regular, active monitoring
  • Offering advice that enables and, where appropriate, encourages safe, effective, efficient, and connected deployments
  • Scrutinising where shadow IT could affect critical aspects of enterprise performance, such as security and strategic or reputational threats.

Typically, people create shadow IT because some need isn’t being met by the IT organisation, and the users just build or find their own solutions.

Shadow IT can be used as a teachable moment to understand why that happens, and to decide whether the IT organisation’s service portfolio or the extent and type of its resources need to be changed. The desired outcome may not be to transfer the resources and power to the IT organisation but to better understand business needs by observing the behaviour.

Beyond shadow IT

In reality, most CIOs recognise that IT exists – to varying degrees – in multiple places across the organisation, inside and outside the IT department. In part, this follows from the increasing consumerisation of IT.

The emergence of cloud is also opening up new and simpler procurement opportunities. CIOs need to take a constructive role that ensures everyone is aligned to a common plan and to educate business leaders on the value of engaging with IT to assist in these acquisitions.

Vendors also have a good reason to support this approach. Commercial technology providers’ long-term interests still reside in ensuring that their relationships with IT and CIOs are not damaged as a consequence of undertaking a shadow IT project.

While IT’s proportion of the technology budget may be in decline, the opportunity to build long-term supply relationships across various business units is likely to be far more challenging and potentially less rewarding in the long term than maintaining or establishing such a relationship with IT and/or the CIO personally.

In summary, CIOs should not attempt to restrict or contain shadow IT. Such an approach will likely fail. Instead, look to educate your executive and business colleagues on the challenges they will likely face and offer to act as an advisor, broker, or source of technical and project support in the implementation.

Glenn Archer is research vice president in Gartner’s public sector team, advising Gartner's senior government technology and executive clients globally. His research focuses on digital government. Prior to joining Gartner, he was the Australian Government's chief information officer and led the Australian Government Information Management Office (AGIMO).
