“Shadow IT” remains one of the most hotly debated topics in technology. Is it okay for the business to directly consume technology services outside of Technology organization? The answer is nuanced. It can be good, it can be bad and it can be both, similar to how there are both Good and Bad Cholesterol levels. We have to acknowledge that businesses have legitimate needs to contract for technology services directly and that we can’t just label all IT spend outside of Technology as Bad Cholesterol. However, we should get concerned if the amount of Shadow IT in use becomes disproportionate and/or if there is insufficient monitoring (governance) of these arrangements, as it may seriously impact the health of your enterprise.
The Good Shadow IT Cholesterol
The definition of “IT” itself has shifted. Technology-enabled solutions are now embedded as part of many services we consume. You may purchase a managed service, but it’s a technology platform at its core. Since the line of business is responsible for P&L impact, customer retention, and other outward KPIs, it’s understandable that the business requires a degree of autonomy. IT brings value to the business not as gatekeeper, but through technical expertise as a Line 1 Risk responsibility partner. It’s important to recognize that a healthy business-IT partnership is a critical success factor to business agility. Having business drive technology-enabled innovation shouldn’t even be referred to as “shadow IT” as long as it’s done with an appropriate level of collaboration and risk controls.
The Bad Shadow IT Cholesterol
When the business bypasses IT to procure third party technology services or software, it’s usually a sign of a larger issue. By going it alone, businesses expose the firm to potential for inflated costs, disappointment with project delivery, high total cost of ownership, enterprise technical debt and a series of technology-related risks. The Catch-22 is that cloud-hosted platforms make it easier and more likely than ever for non-technical decision makers to contract with third party technologies. Indeed, unless there is some sort of integration required, chances are that your IT department has no systemic way of knowing about this procurement arrangement. Vendors are all too wise to this loophole. In many cases, they prefer to sell their services outside of IT, since that improves their sales cycle and margins.
The Ugly Shadow IT Cholesterol
Many of the new and shiny toys of today become the rusty disappointments of tomorrow and the pace at which technology solutions become obsolete is accelerating. Unfortunately, once integrated, technology solutions are expensive to unravel, creating a major dependency on third parties to keep up with patches, upgrades and security. As a result, the inherent risk of third party arrangements is often underestimated and because most companies focus their risk assessment programs on the most critical third-party providers, the hidden risks in the long tail of technology-related third parties is slowly rising up, just like the Army of the Dead in the Game of Thrones.
The remedy is similar to treating high cholesterol:
Identify the problem - take a baseline health check of your Third Party Risk Management (TPRM) program. Useful indicators of Shadow IT Cholesterol include:
- Ratio of IT spend outside of IT organization
- Ratio of third party IT spend in key spend categories not recently risk assessed
- Ratio of IT Service Provider applications not tied to a record in the TPRM platform
You may need to partner with your CIO, CPO and head of TPRM to collaboratively get some of the data if it’s not already available.
Stop the bleeding - just like cutting burgers and fries from the diet, having an enterprise Risk and Financial control for new purchases helps the problem from getting worse.
- Establish an enterprise control that reviews IT procurement requests with the IT organization, even if the spend is coming directly from lines of business. It is critical that vendor risk assessment is performed and reviewed with the right stakeholders in addition to the actual requester of the service.
- Stack-rank your technology vendor portfolio and, based on risk thresholds, perform risk assessments for each of the existing vendors that haven’t been risk-assessed within the time frame dictated by your risk policy. Pay close attention to your lower tier vendors – it’s important to perform some level of risk assessment on that portfolio as well.
- Identify qualified vendor managers for each high and medium risk third-party service and make their responsibility clear.
Change the lifestyle – just like most diets are not sustainable without a lifestyle change, the TPRM program needs to change enterprise DNA to optimize risk posture and cost structure. A comprehensive TPRM program includes an uplift of all phases of managing the third-party life cycle, especially risk assessment and monitoring, and requires commitment across all levels of the organization. If done right, it will improve risk posture, regulatory compliance and deliver savings in third-party spend.