Shadow IT is significant but hidden
Shadow IT consists of IT hardware, software, technology advice and/or services outside the ownership or control of IT organisations. Typically, these are also not funded, procured, owned, managed or maintained by IT.
They are not listed in formal IT asset registers and not necessarily maintained, backed up or secured according to generally accepted practices.
Shadow IT frequently includes consumer-grade IT and social technologies. It can create risks of data loss, corruption or misuse, and of inefficient and disconnected processes and information.
Unfortunately, traditional command and control approaches to address these issues are rarely effective. Worse yet, these approaches are frequently counterproductive in many modern enterprises.
Many CIOs attempting to deal with shadow IT quickly come to realise that they can't prevent it, even if they wanted to. Attempts at control just make it move further into the shadows, and draconian measures will further undermine the reputation of the IT organisation. This may harm business agility and creativity, as well as motivation.
On the positive side, highly networked modern enterprises need multiple sources of technology capability and centres of innovation. Outside funding, when budgets are tight, can provide the solution to an overly risk-averse culture and/or proscriptive procurement processes.
Shadow IT can certainly be a problem if managed badly or not at all. However, the goal should not be simply to minimise its risks, but to support and exploit its benefits.
Assess and communicate
Ultimately, the CIO is responsible for ensuring that the enterprise uses technology effectively and efficiently.
CIOs need to assess the extent of shadow IT in their organisation, communicate the opportunities and risks to other leaders, and identify appropriate actions to address the issue and the increasing importance of technology to the enterprise.
Some factors that CIOs can use to assess and communicate the problems and risks of shadow IT include the nature of the organisation and its dependency on effective and secure IT, the vulnerability of core systems to collateral influence or damage from non-regulated or non-assured third-party systems, and the potential for external, reputational damage from failure or malfunction of shadow IT systems.
Take a positive approach
While some CIOs may wish to believe that shadow IT is not a significant issue in their agency, or that they have no need to monitor or influence it, failing to properly assess the extent or plan for the response will likely be regretted. The best practice is to recognise shadow IT as an inevitable and, when well-coordinated, positive aspect of a technologically literate workforce in a modern organisation.
The minimum approach is to create a regularly updated assessment of shadow IT to clarify and make visible the issue and its associated risks to agency executives.