As part of the Thought Leadership Partnership between Telus and CIOCAN, the first meeting of the Telus Advisory Board was held recently. Designed to create a community of CIOs who discuss common issues such as trends and challenges faced by CIOs in navigating their firm’s digital transformation and technology choices, the Board’s first meeting succeeded in bringing out a number of different perspectives, and stimulating interesting and relevant debate.
Here are some brief insights from the discussion about Shadow IT:
The topic ‘Shadow IT and its contribution to the decentralization of IT’ led to a sharing of some fascinating experiences, and consideration of some very important questions. Is IT at risk of losing its strategic mandate? How prevalent is shadow IT?
Opinions ranged significantly. One CIO noted that when he became CIO of a large company, IT was not engaged with the business and the business had lost confidence. He did not see shadow IT as a threat but rather as something to be embraced. After two years of working collaboratively, he was asked to take the shadow IT staff into the main IT department but declined. He felt they belonged in the business and this allowed for a more agile and responsive organization. As long as everyone was rowing in the same direction and there was a relationship of trust, it worked very well.
An opposing opinion was voiced by a CIO who had experienced a shadow IT team that created a new master database, but missed capturing data from entire sites. In addition to significant errors that resulted in incorrect purchasing volumes and management reporting, compliance rules were not being followed. The whole organization was put at risk. In this instance, the shadow IT group was brought back into the main IT department over a period of nearly 2 years. The team continues to struggle with expectations from the business that the IT needs of the company can be met within a decreased budget.
A more positive story about a collaborative approach came from a company whose shadow IT department had developed a website under their marketing director which was ready to go live. The CIO called security to see how long it would take to hack. While they were still on the phone, security hacked the site and the CIO was able to clearly demonstrate the risk to the company.
Participants recognized the advantages of shadow IT: the cost doesn’t come out of the IT budget, and shadow IT teams are often agile and unencumbered. It was thought that speed is a significant factor – why go through formal provisioning through IT, taking up to 2 weeks, when there are easily accessible tools (Google, etc.) that can be set up in 30 seconds?
A consensus emerged in favour of CIOs moving out of defence and into offence. CIOs need to gain credibility and the trust of the business and become an enabler, not an adversary. Several noted that combined ‘scrum sessions’ were very effective for generating ideas. Pilot projects designed to be measured within 30, 60 or 90 days allow for real-life findings upon which a board can make decisions, although it was noted that this has proven challenging when project managers haven’t been able to keep up to date with documentation. It has happened that the project specifications have been incomplete when the pilot is delivered.
A number of participants reported that Marketing often went outside when looking for a new sales and marketing tool thinking that IT’s job was only ERP systems. One company created a bi-modal IT department with one group working exclusively with sales and marketing. Another had daily meetings with the marketing department.
A big issue with shadow IT revolves around security. The advent of cloud computing has changed the way we manage equipment. Instead of waiting weeks to provision new equipment, now new capacity can be achieved in hours. However, not all clouds are secure. It is important for IT leaders to do their due diligence to ensure that the vendor is really providing what they offer. Many shadow IT departments are looking for a quick fix and their expectations need to be tempered. There needs to be a well-thought-out security policy that identifies where the data will be stored, what level of encryption will be used, how it is backed up, and whether or not IT sign-off will be required.
What has your experience been?