In many companies, alongside the “official” Information Systems run by the IT department, there is a “shadow IT” outside of the IT department's control. This “shadow IT”, created by business units and elsewhere within the corporate structure, aims to compete with the “official” Information Systems.

It is typically composed of commercial software, bespoke applications, SaaS solutions and sometimes workstations and servers. It is often tolerated and considered a workaround to company IT constraints.

CIOs often perceive “shadow IT” as a source of multiple risks and problems which increase IT costs. “Shadow IT” can also:

  • Increase cyber and information security vulnerabilities through the use of applications and services that are not security-certified or compliant;
  • Increase the risk of non-compliance with the GDPR and internal data policies through uncontrolled data storage;
  • Lead to the duplication of data, which is inconsistent with the “single source of data” rule applied by the IT department;
  • Leave bespoke applications without documentation, raising questions in terms of maintenance and sustainability of applications and sometimes of IT operations;
  • Create integration issues between “non-IT-controlled” applications and the rest of the Information System, which surface whenever those applications are subject to change.

However, “shadow IT” can contribute to the productivity and agility of organizations by:

  • Leveraging the creativity of non-IT staff (it is common to discover applications developed or sourced to address business requirements that IT departments were unable to address on time!);
  • Taking advantage of the incredible richness and continuous growth of app stores, SaaS services and other no-code / low-code tools and development platforms; and
  • Giving autonomy to new generations of employees who are used to a seamless technology experience between their private and professional lives. This technological autonomy will only grow with remote working.

Can we imagine an approach that enables companies to benefit from the best of both worlds? A considered and thoughtful approach would push some IT activities to business users, relieving IT departments of certain tasks and bringing more autonomy and agility to the business.

This is possible, and some companies have put in place all or part of the following golden rules and policies:

  • Formalizing a “shadow IT” policy;
  • Ringfencing the core Information Systems (business processes, data and functional backs), which remain under the responsibility of the IT department;
  • Defining the responsibilities of employees and business entities when they want to develop “shadow” solutions (e.g. informing the IT department before adding or stopping a SaaS service, verifying that no similar service/application is already available within the company before acquiring a new SaaS service or app, etc.);
  • Describing the conditions under which an external service can be used (e.g. security management, data encryption, etc.) and integrated into the core Information System;
  • Increasing communication to raise the awareness and responsibilities of employees regarding cyber security and information security;
  • Increasing the capacity and agility of the IT department to quickly assist business departments in the implementation of “shadow IT” solutions and their possible integration into the core IT system; and
  • Implementing simple development and integration environments (e.g. RPA, no-code platforms) that can be used outside of the IT department with ad hoc support, minimising the temptation for employees to develop bespoke tools using familiar technology (e.g. Excel) even when this is not the most appropriate solution.

To be successful, these changes require a real transformation for IT Departments, with the development of consulting, rapid development, and smart integration skills.

I look forward to your comments and feedback!