Citizen development is a growing trend in many companies. Here’s how IT departments can maintain security while letting users create their own business solutions – so-called shadow IT.
In the past, I have suggested ways to minimize shadow IT through active vendor and project management. But consumerization of IT has expanded to the point where many IT departments no longer know how many apps are running in the organization. According to an article on cybersecurity site Dark Reading, CIOs report that shadow apps used within their companies can often number in the hundreds.
There are reasons why shadow IT has flourished.
One is that IT application request logs are too long. Given the rapid pace of business, users can’t afford to wait.
Another is that users don’t want to deal with IT because the department is perceived as overly controlling and its professionals are perceived as condescending, particularly when they use jargon that’s unfamiliar to people without a tech background.
“The downsides of Shadow IT are well documented,” said Lumagate CTO Stefan Scorling, in a blog post. “First, it can cause severe security issues, due to unsupported and unverified technology being used in the company as users bypass standard IT security procedures. Second, if an employee stores sensitive data on a personal Dropbox or Google Drive account, the threat of violating compliance and data protection policies is omnipresent.”
This, of course, is the IT point of view. It doesn’t mean much to users who have no direct accountability for governance, security—or whether the apps they develop or subscribe to work with other applications and systems in the company.
Moreover, once dotted lines on contracts are signed with vendors, users don’t have much interest in managing vendor relationships, either.
Consequently, the growth and sustenance of shadow IT is a quandary for users, for IT and for the CEO. At the end of the day, the only lens through which to view these challenges and concerns is that of the company itself, and what the company needs to be successful.
Most corporate CEOs would likely say this:
The business needs to be agile, innovative and responsive to ever-changing business conditions to overcome the competition;
Users are in the best position to understand business needs, and if they can develop apps, great;
Concurrently, companies can’t afford to overlook governance, security, data safekeeping and technology spend. A central business unit needs to do this, and the core competency for the task clearly rests in IT.
How do companies bring these seemingly conflicting forces together?
Aside from issuing directives, CEOs can’t do this—so they turn to their most centralized source when it comes to overall knowledge and administration of technology—IT.
This reliance on IT comes with new stipulations, because today’s companies and CEOs don’t want IT to dominate application development if users are doing or sponsoring it. Instead, they want IT to facilitate it by ensuring that apps are safe, reliable and able to work with other apps.
How do CIOs and IT managers learn to walk this new line for shadow IT?
1. Embrace end user innovation—don’t discourage it
End users are becoming more comfortable developing apps without the knowledge and assistance of IT. This can strike fear into the hearts of CIOs, who are ultimately responsible for security and governance. But on the flip side, end users know the business and app needs best. With the aid of user-friendly app development tools, users can likely bring new apps to market faster. What’s not to like about this new paradigm—provided the appropriate governance, security and app reliability are there?
2. Publish application guidelines for end user app developers
One way CIOs can encourage end user development is by publishing a set of guidelines that address elements such as governance and security. The guide can include an IT help line to answer questions. This guide does three things: 1) it establishes a cooperative relationship between end business app developers and IT; 2) it educates end users on important governance and security standards; and 3) it gives IT and the company better knowledge about how many apps are being built so they can be logged into a central IT asset portfolio and tracked.
3. Manage the corporate app portfolio
IT is best suited to manage the company’s overall app portfolio. This portfolio should include every app—whether it is developed in IT or by an end user. Annually, an internal IT auditor or librarian should check the network log to review resident apps and cross-check them against the IT asset management system to ensure that the two match. If there are discrepancies, the IT group or end business area that authored the app should be visited to acquire any additional information needed for the app, and to stress future compliance with a policy that requires new apps to be reported to IT for entry into the asset management system at the time they are developed.
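The cross-check described above can be scripted. The following is an added example, not part of the original article: it reconciles destination hosts seen in a proxy log against an asset inventory and reports discrepancies in both directions. The log format, the inventory layout and every host, user and app name are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed asset-inventory export: app name -> hostnames it is registered under.
INVENTORY = {
    "crm-dashboards": {"crm.example.com"},
    "hr-portal": {"hr.example.com"},
    "legacy-reports": {"reports.example.com"},
}

# Constructed proxy log (assumed format): timestamp user method url status.
PROXY_LOG = """\
2024-03-01T09:12:01Z alice GET https://crm.example.com/dash 200
2024-03-01T09:13:44Z bob POST https://files.example.net/upload 200
2024-03-01T09:15:10Z bob GET https://HR.example.com/leave 200
2024-03-01T09:20:31Z carol GET https://forms.example.org/survey 200
2024-03-01T09:21:02Z carol GET https://forms.example.org/results 200
malformed line without a url
"""

def observed_hosts(log_text):
    """Map each destination host to its request count and the users who reached it."""
    seen = defaultdict(lambda: {"requests": 0, "users": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # truncated or blank line
        host = urlsplit(fields[3]).hostname  # lowercased; None when the field is not a URL
        if host is None:
            continue
        seen[host]["requests"] += 1
        seen[host]["users"].add(fields[1])
    return dict(seen)

def reconcile(log_text, inventory):
    """Return hosts with traffic but no inventory entry, and apps with an entry but no traffic."""
    seen = observed_hosts(log_text)
    registered = {h.lower() for hosts in inventory.values() for h in hosts}
    unregistered = {
        host: {"requests": info["requests"], "users": sorted(info["users"])}
        for host, info in seen.items() if host not in registered
    }
    not_seen = sorted(app for app, hosts in inventory.items()
                      if not any(h.lower() in seen for h in hosts))
    return {"unregistered": unregistered, "not_seen": not_seen}

if __name__ == "__main__":
    report = reconcile(PROXY_LOG, INVENTORY)
    for host, info in sorted(report["unregistered"].items()):
        print(f"unregistered: {host} requests={info['requests']} users={info['users']}")
    print("registered but not seen:", report["not_seen"])
```

The user list attached to each unregistered host tells the auditor which business area to visit, and the "not seen" list flags inventory entries that may be stale.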
4. Be hard-nosed on governance and security — when you have to
As news continues to pour in about data and security breaches, no company concerned about its brand or reputation can afford to take shortcuts on security and governance of apps and data. Shadow IT is an obvious risk—and the IT department has every right to take a hard line on breaches of protocol. However, there is also room for temperance. For instance, many end user apps and reports are built within the framework of third-party software that has comprehensive governance and security standards in place. An example is a commercial CRM package that provides users with easy ways to build dashboards. These are apps IT doesn’t need to police.
5. Accept vendor management responsibilities
End business users are notorious for signing up with vendors, and then forgetting about the vendor agreements that they signed. Focused on the business, they are more than happy to cede these vendor relationships to IT, which can worry about compliance with SLAs. Many CIOs don’t appreciate this, given that they had no role in vetting and signing with the vendors in the first place. This is something CIOs should get over—because no department in the company manages tech vendor relationships more effectively than IT.