Every now and again, I see articles, posts and comments about “Shadow IT“, nearly always cast as a negative phenomenon–something to be avoided, challenged, even eliminated. As an example, Information Week recently published an article entitled “Shadow IT: 8 Ways to Cope.” While all the suggested ‘coping mechanisms’ make sense, I’m always concerned that Shadow IT is treated as an evil force to be eradicated as opposed to a powerful capability to be encouraged and leveraged.

What Do We Mean by “Shadow IT?”

Sometimes called “Stealth IT”, Shadow IT usually means work that ‘should’ be performed within the ‘formal’ IT organization but is instead performed by non-IT professionals inside business units. The implications of Shadow IT can include systems that don’t meet requirements of security, privacy, integrity, or compliance with standards, such as Sarbanes-Oxley, Basel II or PCI DSS.

The degree to which Shadow IT solutions violate such standards, and the implications of such violations is rarely considered. Shadow IT is considered a scourge on the landscape that must be eliminated.

The Other Side of Shadow IT

The problem with tarring any form of IT work handled outside the IT organization with the “Shadow IT” brush is that it misses a key trend, and ultimately, a powerful opportunity. This is something I’ve referred to in this blog over the years as “Business-IT Convergence.”

The reality today is that:

  • Information and IT are pervasive–everything can and is being digitized in some way.
  • IT literacy is increasing–people enter the workforce expecting the same level of connectivity and user friendly tools they have at home.
  • Demand for IT solutions continues to far exceed supply–it is frustrating to have a need stuck in a ‘backlog’ with the knowledge that it may take months or even years to deliver valuable functionality.
  • Cloud services such as Software as a Service and Infrastructure as a Service are proliferating–there are a growing range of low entry cost and effective solutions available for almost every apparent business need.

As a result of these forces, the “high priests and priestesses of IT” are no longer the only source of IT talent. In some ways, the cat was out of the proverbial bag with the invention of the minicomputer, and given free reign with the invention of the PC and of spreadsheet tools like Visicalc. These tools enabled a non-programmer to quickly do the work of a highly skilled FORTRAN programmer–usually in a fraction of the time!

When Does Shadow IT Become Embedded IT?

The real danger with Shadow IT is when it truly is hidden in the shadows–when the real costs of IT are buried, when the risks associated with legal or regulatory compliance is real, or when solutions have low integrity.

The best ways to head off this danger is to go ‘with the flow’ inherent in business-IT convergence and encourage embedded IT by providing the infrastructure to safely support it.

Without meaning to introduce politics into my blog (something I’ve managed to avoid since the first post in 2007) President Obama is pursuing engagement with Cuba with the argument that 55 years of embargo have not been effective. Whether or not this is the right policy, I believe IT professionals have to reach out to Shadow IT groups, learn why they exist, and find ways to embrace them and bring them ‘out of the shadows.’

Bringing Shadow IT into the Light

There’s a ton of valuable information in the existence of Shadow IT:

  1. What needs does Shadow IT fulfill and why weren’t these needs fulfilled by ‘official’ IT groups?
  2. How are Shadow IT groups and activities staffed and funded, and how can this activity be legitimized?
  3. How can an infrastructure be established that includes appropriate governance and funding mechanisms that clearly delineate ‘departmental’ needs and solutions from those that should be leveraged across departments or the entire enterprise?
  4. What is the best way to connect Business Relationship Managers into embedded IT groups?  What is the nature of the BRM role with these groups?

There’s also a ton of valuable knowledge within the Shadow IT groups:

  1. What types of knowledge exist in the Shadow IT groups?
  2. Are there ways to better capture and tap this knowledge?
  3. Are there other groups that don’t have access to this knowledge that could benefit from it?
  4. What other knowledge could these groups benefit from, and what is the best way to make that knowledge available to them?

So, I suggest looking at Shadow IT as a positive rather than a negative force–as a source of information and knowledge and as an early form of business-IT convergence. If you can’t beat them, embrace them.  Bring them out of the shadows and help establish them as a part of a highly effective enterprise-wide IT operating model.


Cartoon courtesy of Enterprise Efficiency