Enterprise investments in IT continue to grow, partly to help organizations move into the digital business future. Despite inflation, supply chain disruptions and fears of a recession, Gartner currently predicts worldwide spending on IT products and services will still increase by 2.4% in 2023, thanks to strong enterprise demand. But how IT purchases are made is changing: Many CIOs are seeing their direct authority over technology spending decline as business units increasingly take the lead on IT initiatives themselves.
Multiple surveys and studies have confirmed that business-driven IT strategies now account for a significant proportion of technology budgets as a whole. For example, a survey of 501 IT executives and managers, conducted by IT management software vendor Flexera and released in June 2022, found that business units control 25% of IT spending in organizations on average -- a result that was consistent with the 2021 version of the annual survey, when the average was 26%.
In a 2021 survey done by recruiting and professional services firm Nash Squared, 26% of the 2,120 CIOs and other IT leaders who responded said that more than one-quarter of their organization's IT spending is controlled and managed outside of the IT department, while only 20% said no such spending happens at all. Also in 2021, Gartner said its research showed that total spending on IT initiatives led by business units averaged 36% of the formal IT budget in organizations.
Just as telling are statistics on business-side workers and their IT capabilities. A 2021 Gartner survey of 2,820 "business technologists" who work outside of the IT department found that on average they make up 41% of their organization's total workforce. According to Gartner, business technologists include technology professionals working in business units, but 82% of them are citizen technologists -- end users who do technology work as part of their business roles. Overall, four out of five technologists work outside of IT, the consulting and market research firm said.
Shadow IT vs. business-led IT
In an earlier era of enterprise IT, CIOs had no tolerance for such ex parte technology provisioning and usage. They viewed it as "shadow IT" and tried to shut it down whenever it came to light. But that has changed over the past decade. The rise of cloud computing, mobile apps, self-service business intelligence tools, low-code/no-code development platforms and other technologies makes it easier for business units to deploy IT systems and applications on their own, and many millennial and Generation Z workers who grew up using technology now bring an I-can-do-it-myself attitude to the workplace.
IT projects in business units are now out in the open in many organizations. With that in mind, some industry pundits have dropped the shadow IT label and now use alternative terms to describe this type of technology approach. Gartner calls it business-led IT, while others refer to it as decentralized IT and collaborative IT.
In addition, CIOs in forward-looking organizations -- along with their C-suite colleagues -- see the need for continuous business transformation, rapid response to changing market dynamics and consistent attention to customer expectations to survive in today's fast-paced business world. As a result, many CIOs now view shadow IT -- or its modern counterparts, at least -- in a more positive light, as something that they need to accommodate and support.
IT consultants and researchers believe that's the right approach.
"CIOs today can no longer own or control their entire enterprise technology estate -- and honestly, it's dangerous if they try to," said Darren Topham, a senior research director on Gartner's office of the CIO research team.
But as more business users throughout the enterprise become IT buyers and producers, what does it mean for them and the IT department? CIOs and other IT leaders must address that question to maximize the benefits and minimize the risks of increased business-unit IT spending and the growing role of business technologists.
What are the key drivers of business-led IT?
Shadow IT is defined as any technology -- hardware or software -- that's deployed and used without IT's knowledge and approval. It's a broad term that has encompassed everything from unauthorized servers running under desks to USB drives used by employees for file transfers to a SaaS application bought by a business team to meet its specific needs.
Such technologies came into the enterprise partly because employees were seeking to get their work done in a better or easier manner, said Samir Datt, managing director of the technology strategy and operations practice at management consulting company Protiviti.
What has changed between the early days of shadow IT and today is the collection of contributing factors, Datt and others said. Years ago, business users often figured out how to deploy technology themselves because they got tired of waiting for the IT department to address their needs. Now, many don't want -- or need -- to wait for IT's help, even if it's willingly and rapidly given. That trend has accelerated during the COVID-19 pandemic, as employees suddenly working from home deployed all sorts of technologies to help them do their jobs.
"Now, with low-code/no-code and SaaS, the business can just move forward," Datt said. "It's less about that perceived frustration and more about a smarter business that knows more about technology and how to use it to accomplish its goals."
Earlier Gartner research backs up such assertions. When business unit leaders were asked in a 2018 survey why they acquired or developed an application with little or no support from IT, 47% cited having a better understanding of their requirements than IT as one of their top three reasons. Next on the list of most-cited responses was that they had the necessary capabilities and resources to do it themselves, chosen as a top reason by 37% of the respondents.
"Business leaders have a closer understanding of what the customers need and what's going on in the market," Topham said, adding that such thinking has business units believing it makes good sense for them to take the initiative on IT projects.
To be clear, he and other analysts said shadow IT, as it traditionally has been defined, and the more deliberately stealthy rogue IT remain issues in organizations. That's particularly true in ones with very low levels of IT maturity; in such cases, they said, business users are deploying technology without much or any regard for enterprise rules.
But more common now is this new variation on shadow IT, in which the business is buying technology in ways that the IT department knows about and with levels of IT governance that can also vary by organizational maturity. As a result, much of the business spending on technology has come out of the shadows, with IT often actively approving of it. That's where the new terminology of business-led IT and the other modern monikers comes in.
An opportunity for CIOs in business-led IT strategies
Topham thinks CIOs should embrace and enable business leadership of IT initiatives. "It's definitely a huge opportunity for CIOs here," he said, noting that business users have a better understanding of what their customers want, what's going on in the market and what they themselves need to do their jobs. "So, the question is, 'Why wouldn't we do this?'"
Thomas Phelps, senior vice president of corporate strategy and CIO at software vendor Laserfiche, has adopted that stance. "There's shadow IT and business-led IT, and from my perspective they're different," he said.
Like Topham and others, Phelps said he knew of shadow IT emerging in organizations where the IT department wasn't aligned with the business strategy or the priorities of individual business units, as well as in ones where IT wasn't given a sufficient budget to be as responsive as it should have been.
Either way, business operations had to wait too long for the IT tools they needed or got technology that didn't provide the functionality they were seeking. Many felt a lack of innovation and inspiration from the IT side. As a result, they went off on their own, partnering with vendors or even building their own systems and applications.
That can create all sorts of headaches, not just for the CIO but for the organization as a whole, Phelps said. It typically introduces security, compliance and data privacy risks because most business teams are neither trained in those areas nor capable of vetting technology for managing them. It often contributes to technology sprawl, too, adding redundancies, unnecessary work and higher costs to the organization's overall IT environment.
On the other hand, with business-led IT, "there's engagement, services and governance from IT, where [IT leaders] have carved out a model of how and where they'll be involved," Phelps said. "You're getting the right level of governance and IT engagement to help the business make technology decisions."
Operating model enables and supports business-led IT
Phelps did find instances of true shadow IT at Laserfiche, a maker of content management and business process automation software that's based in Long Beach, Calif., when he arrived as CIO in 2014. He said he doesn't see any now, though. The IT department uses IT asset discovery scanning technology to help ensure that none sneaks back in under its watch.
More importantly, though, Phelps said he has introduced an operating structure and governance framework that enables his business unit colleagues to make technology decisions so they can move fast and meet their objectives without introducing unacceptable levels of risk. Phelps is a former president of the Los Angeles chapter of ISACA, a professional association that focuses on auditing, governance, risk management and information security, and he built his operating model on the group's COBIT framework for IT governance.
The policy at Laserfiche requires "that anyone who wants to procure software has to start with IT and only IT can sign an agreement," Phelps noted. "That helps ensure that contracts are negotiated, that there are no surprises on what uplift costs will look like at the end of a contract, that security is handled properly and that their solution will scale."
IT's involvement also helps identify which new applications may be applicable across other business units, he said. Meanwhile, the IT staff's ongoing support of such systems varies based on the type of investment, as well as the capabilities that exist within the business unit making the purchase.
"It's a great partnership if IT and the business are both involved from day one," said Phelps, who currently is also executive chair of Innovate@UCLA, a networking and education group run by the University of California, Los Angeles.
Phelps said he believes IT should always be involved in security-related requirements, vendor assessments and data management, as well as other areas that may arise in a specific business-led technology selection process. Such efforts by the IT team aren't only about minimizing risks, he said -- they're as much about enabling and optimizing the benefits that business-led IT brings. The two biggest benefits in his eyes: better technology alignment with business priorities and a higher level of value delivery.
"There are business technologists who exist within business units and can add a ton of value in terms of making technology investments and deploying technology. They know the business, and they should be involved with those technology decisions," he said. "And when you shift to business-led IT, you can take advantage of IT's function in deploying a solution to make sure the investments are aligned with business projects and value is being delivered and that risks, such as continuity of operations and compliance and security, are being managed."
As an example, Phelps pointed to how Laserfiche's marketing department took the lead in finding an event registration platform. The marketing team searched for a technology that delivered the desired functionality. "They know best what they want," Phelps said, adding that the low-code nature of the chosen platform meant that marketing could handle configuration and integration needs itself. However, IT ensured that the platform met the company's security and data privacy requirements.
"To be competitive," he added, "business units need to invest, and IT has to create an operating model where they're considered a business partner and lead with an IT governance framework that invites the business to get involved in IT investments."
What are the benefits and risks of business-led IT?
Consultants and IT leaders like Phelps agreed that business-led or decentralized IT, when happening within guardrails established by the CIO and the IT department, can bring significant benefits to an organization. In addition to putting decisions about required functionality in the hands of the users who best know what they need technology to do, this type of IT approach offers the following benefits:
- more visibility into business objectives and how technology can support those goals, which in turn encourages more proactive discussions about the organization's technology and business roadmaps;
- higher levels of business satisfaction with technology;
- the potential to more quickly deliver ROI by addressing immediate business needs; and
- higher buy-in and technology adoption rates from business teams because they see technologies as their own.
Organizations that embrace today's less shadowy version of shadow IT in a collaborative way are poised to maximize the benefits, said Sanjay Srivastava, chief digital strategist at professional services firm Genpact. "I think there is a distinct set of pluses [to that], because the next set of opportunities for business transformation does not lie on the business side or on the tech side but truly lies at the intersection of business and technology," Srivastava said.
All technology deployments come with some risks, too, even when they're handled entirely by the IT department. But Phelps and others cautioned that deployments done by business units bring even more risks. Despite the presence of some technology professionals in the ranks of business technologists, business users typically aren't experts in IT architecture, engineering, networking and programming -- all of which remain critical skills for ensuring that a technology environment works properly. Nor are they experts in contract negotiation, procurement, vendor management and TCO analysis.
"They look at the functional requirements: 'What do I want to do? What do I want the outcome to be?' But they ignore the nonfunctional considerations, such as compliance, integration and security, which are all still required and have been the focus and domain of IT," Gartner's Topham said.
True shadow IT certainly presents significant risks. But they exist even with business-led IT, depending on the scope of the IT department's governance model and whether -- and to what extent -- IT staffers support the technology brought in by the business. Besides introducing more complexity and redundant technology into IT environments, the downsides include heightened potential for the following:
- underestimating maintenance needs, ongoing resource requirements and how much of those functions can be handled by business technologists;
- also underestimating operational costs, thereby diminishing ROI and increasing time to value on technology deployments;
- having difficulty scaling systems and applications;
- overlooking security vulnerabilities and configuration errors that can expose protected data and other sensitive information, both when the technology is deployed and throughout its lifespan;
- corrupting data due to poor integration done without IT's oversight;
- facing vendor lock-in by failing to adequately consider data migration costs and other issues; and
- overly relying on a single individual within a business unit for technical expertise, a situation that becomes more problematic if that person leaves the organization.
In addition, business-led IT can foster user resistance to the IT department's ideas for technologies that may perform better than the ones favored by the business team. Business-led deployments can also act as a temporary fix to more deep-seated IT problems, such as the presence of legacy technology that can't keep pace with business needs.
The security issues are particularly worrisome because of their possible consequences. Protiviti's Datt recounted one case he saw at a manufacturing company in the B2B market: Its marketing department brought in a data analytics tool without IT's involvement but failed to configure it properly, which exposed data on some 50,000 corporate clients.
"Marketing felt they knew what they needed to do and thought IT would slow them down," Datt said. "In this case, the problem was more of a false sense of security in their knowledge. There were additional considerations that they just didn't [know about] with their limited perspective."
A collaborative approach to IT deployments
Susan Snedaker said she's well aware of the risks that come with shadow IT: As CIO at El Rio Health, she's responsible for ensuring that the nonprofit healthcare provider in Tucson, Ariz., meets significant security and data privacy regulations. As a result, she doesn't allow any technology deployments unless IT is notified upfront and gives its blessing.
"We have a hard-line policy: You shall not go buy IT stuff without talking to IT first. That doesn't mean we have to control everything, but we have to know about it," she said.
Snedaker explained that she can't have business units signing up for SaaS technologies or downloading applications on their own; to her, such actions present a high risk not only of running afoul of compliance requirements but also of ringing up higher-than-expected cloud bills. "Software as a service is a fabulous thing, but it's almost impossible to control the spend," she said.
On the other hand, Snedaker doesn't take a command-and-control approach as CIO. "The way I'm approaching it these days is looking at shadow IT as more of a collaboration," she said. Instead of business users selecting applications in an ad hoc way, the leaders of business teams "come to IT and say, 'We selected this app and we want to work with you. Can you validate it?' Then there's visibility and accountability on both sides."
Although that kind of engagement may sound straightforward and simple, Snedaker said CIOs must work hard to make it work. They need to ensure that they keep pace with fast-moving and ever-evolving business needs, and they must break down any organizational silos and political fiefdoms. That requires executive and people skills -- the ability to listen, influence, strategize and build relationships. "That's where we need to put our focus and to say, 'Let's work together,'" she said.
However, Snedaker pushes back on the connotation that comes with the term business-led IT. "I'm not fully on board for them managing IT assets because they lack the resources to do so," she said.
Snedaker, who's a member of ISACA's Emerging Trends Working Group, said she supports business leaders defining requirements and selecting possible technologies. But she stressed that IT has skills, expertise and experience that generally don't exist elsewhere and are still required to make technology deployments -- even SaaS ones -- work securely and properly within the enterprise. "I hold some vendors accountable for selling the notion that no IT [involvement] is required, because it's almost never true."
Moreover, that mentality has a way of coming back to bite the IT department. Snedaker said she has seen cases in other organizations where CIOs find that the business wants the immediate wins that come with a new technology deployment but then seeks to push responsibility and accountability to IT when costs mushroom out of control, maintenance becomes difficult or there's a data breach.
Gartner's research confirmed such trends: Topham said IT departments on average are asked to take formal responsibility for some non-IT technology every eight weeks. The technology that a business unit decided it had to have "gets big and expensive and out of control, and then they dump it on IT," he said.
To head off such scenarios, Snedaker and her IT team have adopted a consultative process for working with the business units at El Rio Health. Because of that, she said, any technology that gets deployed -- whether identified first by the business or by IT -- has a higher chance of being the right one to meet the business needs. It's also more likely to work well, be successfully adopted and fit the budget.
"We get much better solutions for the organization," Snedaker said. "The fit is better, and there's higher buy-in."
The CIO's role in a business-led IT approach
Based on Gartner's research, Topham said CIOs tend to fall into the following three camps in their response to shadow IT -- whether it's the truly rogue variety or the business-led IT version:
- those who know it's happening, want to embrace it and seek to de-risk it;
- those who know it's happening but don't know yet how to give voice to what it is; and
- those who are still trying to take the command-and-control approach.
The last is now the smallest group of the three, Topham said. "There are those few who want to shut everything down. We're finding that they're quickly realizing the error of their ways. It quickly goes to chaos, and it decreases visibility because people [on the business side] may not reach out as much as they should."
Yet this new world of decentralized IT doesn't diminish the CIO's importance or that of the IT function as a whole, Topham added. Rather, he said the CIO becomes a "technology orchestrator" with responsibility and oversight for ensuring that an organization's requirements for technology capabilities are met; advising and guiding the rest of the C-suite and other executives throughout the enterprise on IT portfolio management, including TCO; the delivery of IT services overall; and governance of IT environments.
Others had a similar take on how the CIO and the IT department should operate in an organization that has adopted a business-led IT strategy. Ideally, there should be a collaborative approach to technology selection and deployment, with IT setting guidelines on the maintenance and support it will provide and the business itself taking responsibility and accountability for the success of its choices.
"At the end of the day, all important technology decisions should really involve both the business and IT," Datt said. "But there's a benefit to the business driving those decisions. They're the experts on the business process, they're the ones who really understand the requirements and the technology they're asking for, while IT is in the best position to help support the analysis and manage risk and, depending on what is introduced, the support needed for it."
What CIOs should do to harness the power of business-led IT
The following are some specific steps that CIOs should take in organizations to help keep business-led IT initiatives on the right path, according to the consultants and IT leaders interviewed for this article.
Educate C-suite colleagues, business unit leaders and business technologists on security and related issues. Business executives and workers involved in IT deployments must understand how security, data privacy, compliance and risk management apply to the technology environment, both at the enterprise level and in their individual unit or department, Topham said. "It's to give them enough understanding to make sure they know when they are crossing into risk or need to reach out to IT," he explained.
Establish and define parameters on what is acceptable for business-led IT and to what extent. "It's not acceptable for anyone to play anywhere," Topham said. "Some things can be off-limits or highly regulated. Set those upfront." He added that CIOs should think of an axis or a grid, where systems with both low business criticality and low complexity have the least amount of centralized IT control and ones that are more critical and complex have increasing levels of control.
Use those parameters to develop rules and guidelines that govern the business-led IT process. The IT department should articulate checkpoints that indicate what business technologists can do on their own and when IT needs to be involved. For example, Datt said a CIO may decide to establish a rule that requires business technologists to submit a proposal for a governance committee to review before buying and deploying a selected application.
Train the business on the rules and guidelines. Whatever rules are set must be communicated and explained to business users to make sure everyone is aware of them -- and to ensure that the heads of business units and departments are ready to take responsibility for IT initiatives. "CIOs need to help other leaders to be comfortable with managing their own tech estate," Topham said.