13 Sep
When the CIO is Shadow IT
Insight by: Tracy Donegan
My Chief Information Security Officer recently approached me with a persistent issue he was seeing in the organization. He identified an employee who was going rogue by procuring cloud apps that weren’t thoroughly vetted by IT. The security risk was minor, but he warned that the practice could get out of hand. When I heard about this, I could feel my blood pressure rise and demanded the employee’s name. I wasn’t prepared to learn that I was the offender. Upon reflection, I realized that I was exploring innovative solutions prior to committing the organization to a substantial, long-term investment and that our governance processes were obstructing rather than supporting innovation.
Shadow IT is the practice of using applications, devices, and cloud services outside of IT’s governance processes. Although solutions exist to identify and monitor Shadow IT, it would be naïve to believe that the practice can be or should be stopped. The only control IT has over Shadow IT is the role it chooses to play in the practice.
Business leaders have a variety of reasons why they seek technology solutions. Remote work spawned by COVID-19 is a good example of leaders seeking cloud apps to maintain a semblance of normal operations. Shadow IT proliferated during this period because cloud apps were easy to implement and solved an immediate need.
However, the implications of unconstrained Shadow IT are too serious to ignore. The most apparent is the inability to enforce information security policies that were designed to protect the organization against cyber criminals. IT can’t manage what it can’t see.
Shadow IT can also be costly when technology is procured in silos across the organization. The additional costs could arise from unfavorable contracting terms, unforeseen interoperability challenges, and duplication of functionality with an existing solution. If IT plays a consultative and advisory role in supporting business leaders with technology investments, issues like these can be avoided. In contrast, if IT plays a controlling role, business leaders will find ways to circumvent its processes.
The healthcare industry is facing unprecedented disruption that is testing the viability of conventional operating models. Gartner, a leader in technology research and advisory, found that “the best enterprises compete in the digital economy by harnessing the expertise and ingenuity of all their employees”. Modern technology leaders have concluded that IT governance processes that exert a high degree of control over technology purchases will stand in the way of rather than support an organization’s ability to compete in this environment. As I discovered, these processes need to be agile, yet mindful of policies that traditional IT governance was meant to support.