7 steps for turning shadow IT into a competitive edge

Ask IT leaders about their challenges with shadow IT, and most will cite the kinds of security, operational, and integration risks that give shadow IT its bad rep. But for a select few, the deeper challenges of departmental technologies being funded, procured, and managed without IT involvement are the missed opportunities to better engage and fulfill departmental technology needs.

That’s not to downplay the inherent risks of shadow IT. There are ample reasons why 77% of IT professionals are concerned about shadow IT, according to a report from Entrust. After all, 41% of employees acquire, modify, or create technology outside of IT’s visibility, and 52% of respondents to EY’s Global Third-Party Risk Management Survey had an outage — and 38% reported a data breach — caused by third parties over the past two years.

Still, there is a steep divide between rogue and shadow IT, which came under discussion at a recent Coffee with Digital Trailblazers event I hosted. Whereas rogue IT occurs when business leaders do not trust IT and deliberatively circumvent collaboration and compliance, shadow IT is often less confrontational, stemming from a lack of knowledge on how to engage IT or, as Kissflow CPO Dinesh Varadharajan put it, “a lack of support and IT bandwidth to solve specific challenges faced by business users.”

That’s where an IT strategy that frames shadow IT as an opportunity for improved collaboration can have a profound impact. By no means a quick and easy transformation, it requires addressing two sides of the equation at once: the demand side in how IT manages technology requests and the supply side in how technology requirements are vetted and reviewed against appropriate solutions. Following are seven steps to guide this transformation for competitive advantage.

1. Expand your business relationship programs

“Organizations often seek to address shadow IT not necessarily by eliminating it, but by finding ways to bring these unsanctioned IT solutions into the fold through official channels, ensuring security, compliance, and effective management while still allowing the innovation and agility that drove employees to shadow IT in the first place,” says Brian Platz, CEO and co-founder of Fluree.

But to do so, IT leaders must first shine a light on what’s occurring in the shadows by expanding the scope of business leaders they engage with, increasing the frequency of their dialogue, and diving deeper into employee workflows.

As part of those efforts, larger enterprises often staff business relationship managers to play key roles in understanding and translating department technology needs into requirements and business cases. Smaller and midsize organizations can address the gaps by developing a communications program to engage businesses and stakeholders, establishing an ideation process to capture new business needs, and leveraging design thinking methodologies.

2. Set parameters and emphasize collaboration

To address one root cause of shadow IT, CIOs must also establish a governance and delivery model for evaluating, procuring, and implementing department technology solutions. Equally important is communicating with stakeholders how to onboard technology requests, sharing how departmental technology needs are prioritized, documenting stakeholder responsibilities when seeking new technologies, and providing the status of active programs.

Without a strong delivery model and communication plan, frustrated business stakeholders are likelier to buy and try implementing a technology solution without IT’s involvement. Buying and implementing technology solutions takes time, so the CIO’s easiest tool to combat shadow IT is providing stakeholders the confidence that collaboration is in their best interest.

And to do that, IT leaders must recognize the importance of connecting with people and providing confidence that IT is ready to collaborate with them.

“The human element is the most important,” says Brian Suk, associate CTO at SADA. “People generally want to comply with policies, but being too stringent and creating too much friction often leads to shadow IT. Communicate clearly and often about policies and their reasons and benefits, create a culture of feedback and collaboration, and be agile and willing to adapt policies as user needs evolve.”

3. Catalog risks, prioritize opportunities, promote financial controls

Shadow IT gives IT leaders an opportunity to reassess their strategies around departmental technology solutions. This should include IT’s plans for:

• Addressing existing shadow IT implementations
• Partnering with business teams on new solutions
• Enhancing and supporting existing applications and technologies
• Increasing utilization and improving employee experiences
• Capturing metrics and demonstrating business value delivered

A formalized and transparent prioritization process is also important. CIOs need a way to capture lightweight business cases or forecast business value to help prioritize new opportunities. At the same time, CIOs, CISOs, and compliance officers need to establish a risk management framework to quantify when shadow IT creates business issues or significant risks.

CIOs should partner with CFOs in this endeavor because when departments procure their own technologies without IT, there are often higher procurement costs and implementation risks. CIOs should also elicit their enterprise architect’s guidance on where reusable platforms and common services yield cost and other business benefits.  

“Shadow IT often wastes resources by not generating documentation for software that would make it reusable,” says Anant Adya, EVP at Infosys Cobalt. “Insightful and far-reaching governance coupled with detailed application privileges discourage shadow IT and helps build collaborative operating models.”

Creating technology procurement controls that require CIO and CISO collaboration on technology spending is an important step to reduce shadow IT.

4. Establish low-code and no-code governance models

The first three steps help bring shadow IT into the fold but they do not address the fact that IT departments rarely have sufficient staffing, expertise, or budget to fulfill all prioritized programs.

Here, CIOs can reduce the IT supply-side gap by promoting citizen development technologies and establishing governance models for low-code and no-code solutions. No-code governance models should cover processes to review app ideas, roles and responsibilities, integration requirements, release management practices, documentation requirements, and other requirements to ensure reliable and secure business processes.

No-code solutions offer significant advantages in addressing shadow IT as they shift the implementation and support work into business responsibilities. No-code solutions can help business users convert spreadsheets into workflows, develop knowledgebases, and build SaaS integrations.

To succeed, however, CIOs need a governance model and a solution architecture plan to help select low-code and no-code platforms, provide guidance on when to use these platforms, establish a development lifecycle, and ensure ongoing support.  

“A strategic framework should categorize use cases based on three criteria: business complexity, technical complexity, and security and compliance requirements,” says Varadharajan. “Any use case that ranks high in any of these criteria should be managed by the IT department, while the remaining can be delegated to the business units.”

5. Develop citizen data science and self-service capabilities

CIOs have embraced citizen data science because data visualization tools and other self-service business intelligence platforms are easy for business people to use and reduce the reporting and querying work IT departments used to support. The most successful programs go beyond rolling out tools by establishing governance in citizen data science programs while taking steps to reduce data debt.

Citizen data science reduces shadow IT when CIOs promote proactive data governance and establish data integration, cataloging, and quality practices. There may be times when department-specific data needs and tools are required. But having strong data capabilities and standardized data platforms that enable employees in business, data, and technology roles to leverage data in decision-making helps reduce tool proliferation and shadow programs.

6. Iterate and communicate a generative AI strategy

Shadow AI is the next front line where departments and their employees are already exploring generative AI tools and risk exposing proprietary and other confidential information. Recent charts from venture capital firm Sequoia Capital help show just how many generative AI tools are coming to market to support sales, marketing, design, software engineering, customer support, legal, and other departmental needs.

It’s an area ripe for shadow activity, especially because executives are hungry to see their organizations identify breakthroughs and efficiencies using generative AI capabilities. What’s to stop a department head or an employee from trying a new tool and starting another shadow program?

Where appropriate from a regulatory perspective, CIOs should avoid saying no to experimenting with generative AI. When department leaders hear no repeatedly, they consider exploring shadow solutions without IT, security, or compliance collaboration.

CIOs should also create, communicate, and iteratively update a generative AI strategy that captures short- and long-term outlooks. Short-term plans should specify which departments should experiment, toward which business outcomes and opportunities, as well as what tools can be used, what data can be involved, and where they should report their experimental learnings. CIOs should also update their digital transformation strategies to consider how large language models will impact their industries and where customer experiences need AI-driven overhauls.  

7. Foster a co-creation culture

The last step is probably the most important and should be managed parallel to the other six steps.

Shadow IT is more than a risk and missed opportunity — it represents an operating and cultural gap between “business” and “IT” that top CIOs aim to eliminate. Closing the gap requires expanding the business acumen in the technology organization by building relationships with business stakeholders, developing empathy for customer and employee needs, and improving communications. It also requires CIOs to shift left technical capabilities so that digitally savvy employees working in sales, marketing, HR, and other departments have sanctioned tools and a governed process for self-servicing their technology needs.

CIOs following these seven steps can turn shadow IT into a competitive edge by fulfilling more departmental technology needs, reducing the risks of shadow programs, and empowering more business people to self-service their workflow and data needs.