One of the most common challenges facing IT organizations today involves shadow IT. The words themselves tend to strike fear in the hearts of senior IT leaders. After all, if the business units purchase applications, hardware, or cloud services outside of the control of IT, that could impact security, compliance, workflows, process, etc. But is this fear overblown? The core of the issue is really about control. And this is where good governance plays a role.
Many internal IT organizations are recognizing a shift toward being technology and service brokers and away from the management of discrete technology or applications. In one sense, this is good as it requires a basic IT competency throughout the organization. The more proficient the user base becomes, the more time and energy IT can focus on innovative solutions. In another sense, this means that IT needs to have strong service management practices that are business-focused and mature. IT Service Management really was never about IT anyway.
When IT seeks too much control of the tools, services, applications and technologies the business uses, the business is often left with inferior solutions. The balance is to enable the business to use effective resources while ensuring proper controls and accountabilities are in place.
Fire Extinguishers and Shadow IT
A large, widely dispersed organization needed to track fire extinguisher certifications for health and safety reasons. There were several hundred fire extinguishers in more than 100 locations across the organization’s footprint. Historically, an annual check was performed by on-site staff, and paperwork was completed and mailed or faxed to a central office for record keeping. To gain greater efficiency, the checks were moved to a monthly basis and became part of a broader list of monthly checklist items undertaken by site managers, each of whom was responsible for several locations. This monthly routine worked reasonably well, aside from the necessity of occasional prompting by the central management to ensure checks were performed and routine paperwork was submitted.
Over the course of time, IT implemented new tools and technology to increase the efficiency of site operations. Many of the monthly checklist items could be completed using automation or addressed through the use of technology. One by one, monthly checklist items were removed and more robust, automated processes took their place.
The day came when the manual monthly checklist had only one item – the fire extinguisher check. One of the site managers, annoyed by the monthly checklist, found a fire extinguisher inspection app in his mobile phone app store. The app was only a few dollars and it met his immediate needs. He informed the other site managers, who each downloaded the app. The compliance department adjusted the audit process to accommodate the new app. Everything was in order and working fine for over a year – until IT found out about this “unauthorized” app.
The IT department immediately labeled this app as a security risk and forced its removal from all the site managers’ mobile devices. The sudden action was akin to hitting a hornet’s nest. The site managers immediately objected, accusing the IT organization of being heavy-handed. The CIO and CISO met with the compliance department and assured them the action was healthy and necessary – but, in order to respond, IT would launch a project to find an approved tool for the job.
The project consumed hundreds of man hours across the organization. The ongoing dialogue between the CIO, CISO and compliance department led to a decision to internally develop an application that integrated with the organization’s ERP. Since the ERP was now in scope, this meant other standards now applied that would govern the way the app was developed.
The organization didn’t have the requisite skills for development of this app internally, so a team of contractors was hired to gather requirements and ultimately develop the app. In the end, the organization spent hundreds of hours and more than $20,000 on external resources to create a replacement for an app that cost less than $10.
The organizational discussion that followed focused heavily on whether the right decisions were made and if the company’s resources were spent wisely. There were many lessons learned. In a future post, I’ll tell you why the organization ultimately decommissioned the new app and reverted back to the app the site manager initially downloaded. It completes the story of why IT ultimately needs to embrace shadow IT.
Yes – there is a need for control. But, control doesn’t mean IT has to provide every solution. And control is part of the excellent governance required in a good IT Service Management solution. When we teach our ITIL courses, we demonstrate the value of what IT can provide and also show how IT needs to be more than just a manager of technology and services.