With business managers increasingly being involved in technology decisions, the scope for ‘shadow’ IT is getting minimized, if not eliminated. How is IT responding?
Half a decade ago, shadow IT (the adoption of systems and applications in an organization without the explicit approval of IT) became one of the biggest challenges for CIOs.
While enterprise IT managers rued that it would bring in a lot of security and integration challenges, there was also a sense of loss of control.
That sense of fear and insecurity is changing, slowly but surely. Before we get into the whys and hows, it is important to reiterate that some of the challenges envisaged by enterprise IT do remain, though newer ways of tackling those challenges have come up.
So, the shadow IT discourse is changing. Broadly speaking, the focus has moved from chasing shadow IT to legitimizing some of it through rules and a collaborative approach.
What has changed?
To start with, the interpretation of shadow IT as a term has gone through a big change. Earlier, shadow IT was an IT managers’ phrase—for anything that was purchased, deployed and used without the IT team’s involvement.
Today’s business reality demands that not everything can be routed through one central department, IT or any other. It is just not viable.
Two things have changed this. First, on the demand side, all business functions, including strategy formulation, are getting digitized. When business models get changed through technology, the technology decision does not remain an outside intervention but gets naturally interwoven with the business decision. So, solving the business problem and translating that solution into technology are not two stages of a sequential decision chain. It is often an integrated decision. The two are practically inseparable.
In a few more mature businesses, the integrated biz-tech decision is taken jointly by business and tech teams.
In India Glycols, tech chief Atul Govil, designated Chief Transformation Officer, works in a formal collaborative model where the decisions are taken jointly by SBU and functional managers along with IT. “It has worked for us,” says Govil.
Lalit Popli, Head - IT, ICICI Prudential also swears by this model.
“The co-owning model is an opportunity,” says Kishore Ranjan, CIO, Birlasoft.
“The collaborative approach is the only way going forward as large-scale digitalization happens,” says Sunil Pandey, CIO, Sterlite Power (Manufacturing & EPC).
Vedanta Group of Companies adheres to this model. The same model is in place in Sterlite Technologies too.
“CIOs must come to terms with this shift and focus on collaborating with other departments rather than trying to take full control over decision making,” states Saloni Vijay, GM - IT, Vodafone Mobile Services Limited.
She believes that by bringing about a change in mindset and rapidly building up necessary skills in the areas of cloud, mobile and big data technologies, it’s possible that IT leaders would be better off reacting differently to the big shifts already taking place in today’s landscape.
Kamal Karntak, CIO, RJ Corp, calls it the ‘hybrid empowered’ model. The two words capture the mechanism and spirit of the new approach. The collaborative or co-owning model is certainly coming into vogue.
But in most businesses, that kind of formal collaborative decision making is yet to debut. So, the business ends up taking technology decisions concerning business technologies and applications, while the infrastructure technology decisions remain with the enterprise IT team. So, it often gets initiated by the business and IT takes it up.
“Seven years back, when the ERP decision was taken in IFFCO, it was primarily by IT. IT then started selling it to the users. Recently, an HR system automation decision was initiated by HR and IT supported them,” says Satyanand Shukla, Head - IT, IFFCO MC Crop Science.
In some industries, it has always happened. “In technology companies, that has always been the case. Business does lead the IT discussion,” says Ravi Maguluri, CTO, Sify Corp.
In a tech company, that is understandable. But the practice is not restricted to tech companies alone. “In our company, business has dictated IT, always,” says Anil Chinnabhandar, Senior Vice President at retail major, Landmark Group India.
With digitalization, the trend has only accelerated. While the demand-side reality has been driven by large-scale digitization, it has been made possible by a revolution in the technology model: the all-familiar, all-pervasive cloud. On one hand, cloud changes the IT decision from a capex to an opex decision. And often, that is the dividing line for who takes what decision. But more importantly, cloud-based apps do not need IT people to deploy and maintain them. It is practically plug-and-play. That helps business take technology decisions independent of IT.
CIOs are coming to terms with it. In a way, with top management expecting a lot more from them, the initial feeling of loss (of control) has been replaced by the more practical reality of having the bandwidth to make a more valuable contribution to the organization.
As Yogesh Dadke, Head - IT, Asia says, “Today, shadow IT is aimed at the transformation of business functions without the IT department being involved. The idea is to ultimately benefit that department by providing specific functionality that empowers digital transformation initiatives by allowing them to work better, faster and more effectively.”
Agrees Rajiv Gupta, Chief Technologist at AirOne, “For CIOs, shadow IT is both a blessing and a curse. It becomes problematic when hardware and systems are brought on board without anyone centrally administering them for security, or tracking purpose. On the positive side, it shows that users are actively engaged in technology and are willing to put some of their budget dollars into technology investments.”
“It is definitely an opportunity,” says Vivek Verma, CIO, Varroc Engineering. Prasad Pate, Head - IT & Systems at BP Ergo Ltd agrees. “It makes the decision cycle that much shorter.”
Surely, things are changing.
However, all that this change denotes is that more and more decisions are being taken by business.
With that, the traditional definition of shadow IT, which meant anything that IT is not involved in, is falling flat.
But that does not mean that shadow IT has gone away. Just the definition has changed. Today, it is ‘shadow’ with respect to organization rules and guidelines, not with respect to IT’s involvement in the deployment/purchase decision.
The challenge remains
Make no mistake. Shadow IT as a challenge remains. The toughness of that challenge does remain—in fact, it has grown.
Gartner estimates that 40-50% of cloud and enterprise application consumption is already happening over uncontrolled and unaccounted-for sources, as businesses can no longer rely on slow procurement processes from Central IT. By 2020, half of all IT spending at large enterprises with digital business aspirations will occur at the business-unit level, it says. Also, a 2017 survey by NTT Communications found 83% of IT professionals reporting that employees stored company data on unsanctioned cloud services.
This suggests how the increase in cloud adoption and the prevalence of SaaS and mobile applications have further facilitated the rise of shadow IT. With Internet of Things (IoT) and other emerging technologies already underway, analysts believe this to be an even starker reality.
While shadow IT is usually used without ill intent, owing to either negligence or convenience, it poses a serious threat to data security. In most cases, companies are unaware of its use and hence do not know whether their data comes from secured sources or not. It is also not surprising that shadow IT is capable of causing serious security risks to the organization through data leaks and, subsequently, potential compliance violations, for which the CIOs are ultimately held accountable.
Needless to say, not all cloud apps are built and maintained with the same level of security and poorly-secured cloud infrastructures are highly susceptible to attacks. Those that have weak security mechanisms or are hosted on vulnerable systems are susceptible to data breaches. If a company uses such services to store sensitive information like customers’ personal and financial data, data breaches are inevitable.
Often, misuse or mismanagement by employees themselves can also contribute to these risks. Experts also point out that inadvertent deletion of data, loss of login credentials and zombie accounts set up by former team members can all heighten data exposure dangers. It’s also likely that a number of these applications overlap in functionality, and redundant tools only contribute to unnecessary spending.
Moreover, recent data regulation regimes have posed new challenges for CIOs. With the EU’s General Data Protection Regulation (GDPR) coming into force on 25 May 2018, and more legislation on the horizon, uncontrolled shadow IT poses an even greater risk.
Sharing confidential information with a third party, where the company has no consent to process their information, is a clear violation of the GDPR’s rules. Therefore, companies must now, more than ever, deal seriously with shadow IT or risk the consequences of being financially penalized under the new regulation. And this is where the CIO’s role cannot be ignored.
Naveen Gulati, CIO at Girnar Soft, observes, “While shadow IT is empowering companies to drive rapid digital transformation, there are inherent dangers in not involving the IT department in the purchasing decisions.”
He believes that while this may enable some immediate business process improvements, it could also end up impeding the organization’s long-term digital transformation journey. The problem arises when line-of-business managers do not involve the IT department in their tech decisions at all. In turn, the biggest mistakes non-IT departments often end up making are around integration and security.
In some regulated industries, even though business initiates the discussion, it has to go through IT before a final decision is taken. Says Saloni Vijay of Vodafone, “Every such discussion has to go through the approval
Naresh Kumar Pathak, CIO - India & South East Asia, Andritz Hydro echoes similar sentiments. “In the second meeting, IT gets into the table even though business may take ownership of the project. It is thus a win-win for both and the organization.”
What has changed is that the magnitude of shadow IT has considerably come down—not because users have stopped buying and using applications without the involvement of enterprise IT, but because some of it has now been legitimately authorized.
Getting around the problem
In such a scenario, the best and the only way to confront shadow IT is to deal with it. CIOs believe that it is essential for them to develop new strategies for working collaboratively and cooperatively with users. Here are some of the things they are doing.
Promoting standardization is the first step in taking control of your IT. Company-wide standardized solutions often solve the problem of shadow IT. A McKinsey report points out that in the post-GDPR era, enterprise organizations must make a smart decision to restrict personal information and employ solutions that offer mechanisms for control of information sharing.
For example, if employees are relying on Dropbox, CIOs need to identify an enterprise file sharing solution that meets their needs and implement it companywide. One approach to the problem is to implement a zero-trust network that requires users to abide by corporate security rules. A zero-trust network does not allow a user to access the network until all security criteria, predefined by IT and business management, have been met. The CIO’s job here is to assist employees in performing their duties.
Using the right tool/practices
Shadow IT often arises due to a company’s inability to provide employees with the tools they need. IT teams must be given some authority over the choice of these digital solutions since they have the responsibility to integrate them into workflows and ensure their security, believe experts.
“To ensure that synergy across digital tools and system is achieved, companies must have clearly defined IT policies. These guidelines should steer end users towards making the right choice of tools. Also, constant conversation is vital around long-term versus short-term gain, with CIO playing a key role in the process,” says Gulati.
Dadke agrees, “In choosing these solutions, you should strive for a balance of privacy and operational tools. The idea should also be to make things simple, and not too complicated. If your tool set is too confusing for the end user, mistakes will be made and you may find yourself in violation of GDPR guidelines.”
This calls for constantly reviewing current practices, establishing effective guidelines, implementing the necessary tools and performing enforcement measures moving forward.
Today, many companies are hiring a data privacy officer (DPO) to deal with GDPR and other data security related issues. While the DPO should be responsible for necessary changes taking place in data security and compliance related matters, a constant flow of communication with the CIO is necessary to achieve the desired result, believe experts.
Educate and empower users
Finally, proper education and training is the key in the GDPR era. Employees need to be made aware of implications of these new regulations and what they mean for their workplace practices. Employees can take care to handle information more carefully if they understand the implications of doing otherwise. Beyond education, however, enforcement is also necessary. This means that employees require clarity around any IT sidestepping, what exactly unauthorized use is and how to go about asking for solutions that they want to use.
Ankit Aggarwal, Head - IT at PI Industries, mentions, “Users must also be trained to follow the best and most secure practices. CIOs can use management solutions that provide them with visibility.”
“Also, there is a lot of human emotion about ownership, such as, ‘Who owns the tasks?’ ‘Or the systems?’ ‘What does this mean for my job?’… So, there is a need to ensure IT teams are not only comfortable with the use of shadow IT, but embrace the growth mindset and learning opportunities that should be instituted alongside it,” explains Aggarwal.
Gupta further observes that shadow IT is no longer simply a security risk, but also one that can bring about severe financial repercussions to your business. With the existing and upcoming strict data regulations, unapproved software and unaware users can damage your bottom line. “To tackle this issue, CIO must collaborate with HR to implement workplace guidelines that focus on the important threats while educating employees about their responsibilities in the long term,” he advises.
To conclude, while it may appear that shadow IT is taking away CIOs’ control over IT and infrastructure, in reality they can take a realistic approach to get out ahead of this, or at least wrangle it back under their control. So, instead of attempting to block employees from using cloud computing and SaaS applications, experts believe that spending more time with employees, understanding their overall needs, and delivering simple yet compelling solutions that address those needs can make a difference.
When this changed mindset empowers IT to evolve their skillset and become strategic advisers to their organization and business managers, CIOs will no longer feel the pinch of shadow IT.