ROI of Shadow IT

This article is part of my Better Return On Investment from Software Development series.
These articles are aimed at senior management funding Software Development, or IT Professionals attempting to show the ROI benefits of what can sometimes seem counterintuitive.
This ever-growing library is provided free of charge and can be found here.

In this article, part of my better ROI from Software Development series, I look at the ROI impact of Shadow IT.

What is Shadow IT

"Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the term "Stealth IT", to describe solutions specified and deployed by departments other than the IT department." (Wikipedia)

While Shadow IT as a term has gained popularity in the IT community over recent years, it is far from a new phenomenon.

I’ve had plenty of instances where I’m asked to fix a business-critical Excel spreadsheet. Something that the business relies on. Something that has been built outside of IT. And somehow it’s IT’s responsibility to fix when it goes wrong. This normally happens when the well-meaning individual who created it leaves the business or goes off ill or simply on holiday. And this leaves me trying to fix something I have no knowledge of - generally while at least one frustrated manager sits over my shoulder.

The rise of consumer-style services over the internet, however, has definitely led to an increase well beyond those largely impossible-to-understand spreadsheets.

Look at the trouble that Hillary Clinton has got into running her own email server – some may say it cost her the election.

At this point, it would be understandable that you expect me to spend the next 600+ words ranting on my soapbox on how this makes it difficult for us poor downtrodden IT folk. And while there may well be some of that, let’s start by looking at the benefits.

The Positives

The primary positive is it helps the business get their job done.

You have something you need to do, you want to get that done as quickly and efficiently as possible. So if you see what appears to be a perfectly valid way of doing it, why wouldn’t you? (I'll tell you why you wouldn't below.)

You need to share a large file with a customer – put it onto Dropbox. Job Done.

You need something to manage your sales team – you sign up for Salesforce. A credit card, a few button presses and you have your entire sales team set up by the end of the afternoon. Job Done.

You want to use a new marketing company for your website – you drop their tracking code onto the website using Google Tag Manager. Job Done.

You need your product team to be working closely with your new supplier – get them all to sign up to Skype, create a group and get them chatting. Job Done.

You have a new starter, you need to get them up and running ASAP. Get out the credit card, order them a laptop and phone, you can probably have them picked up by the COP. Job Done.

See how easy and effortless it all is.

There are just so many great and productive systems out there to help you get the job done.

Great work ... take the rest of the day off.

This is not an exhaustive list of positives.

The Negatives

Ok, so what controls and validation have you bypassed in getting the job done?

Putting the file on Dropbox; have you opened yourself up to a security or data loss issue? Should that data have gone through some form of access control? Is that the only copy – how are you handling backups and versioning?

Introducing Salesforce; does it integrate with your other systems? Are your sales people’s laptops & mobiles able to support it? How do you get data in and out? How do you back up that data? Who supports your sales people when they have problems?

Adding marketing tracking code to your website; who is dealing with the problems if that tracking code slows down the user experience or introduces a security vulnerability? Who is keeping track of the relationship with the marketing supplier and remembering to remove the tracking code when that ends? Who is testing the website for incompatibility?

The critical supplier conversation over Skype; is there anyone monitoring to ensure that appropriate conduct is observed? Who is ensuring that only the right people have access? Who is ensuring that critical decisions and conversations are captured and recorded?

The uncontrolled laptop & mobile; who is making sure that the appropriate anti-virus and anti-malware software is installed and maintained? Who is applying the security patches? Who is ensuring that the devices are recovered when the individual leaves the company? Who is making sure that they are not putting the company’s reputation and security at risk?

This is obviously not an exhaustive list of negatives either. But hopefully you start to get the idea.

How did we get in this state?

Generally through the best of intentions.

As I said before, the motivation is generally to get the job done. It isn’t to cause problems further down the line.

You want to achieve something, you can see how to do that, you get it done, and you move on.

And of course this situation is also fuelled by bureaucratic and long-winded IT processes. If the “approved” process is to raise a Change Request form, for it to go through analysis, prioritisation, delivery, etc, etc over the course of months (even then sometimes with no guarantee of delivery) – it really isn’t a surprise to me that a couple of hours online and a credit card to have the job done by the end of the day can be so tempting.

We then find the IT department (I’d also probably include Legal, Compliance, Risk, etc teams in this) are implementing even more draconian procedures to protect against it.

This just becomes an ever-growing vicious circle with growing animosity to the point where the whole situation becomes dysfunctional.

(And if I’m being 100% honest, IT can be the worst ones for doing it – so not only is the whole thing becoming terribly dysfunctional, we are garnishing it with a good old helping of hypocrisy.)

As I’m sure you can appreciate – all of this can lead to additional costs and a very poor ROI.

So what should we do with it?

As with all things, communication is the starting point.

If you have Shadow IT, talk to IT about it – work together to get a plan on how to handle it. I’m not suggesting that will be a 5 minute conversation or even a particularly pleasant one – but this is one of those things that needs to be dealt with head-on. Note that the “work together”

If your IT processes are encouraging the dysfunction, then again talk to IT about it. At least part of the “bureaucratic nightmare” will be there for a good reason. By working together can you arrive at a better process which enables the “good” bits, but reduces the “bad”?

Within Software Development specifically, I’ve written many times on the Agile principles which would have development and business working hand-in-hand. They help to keep the overhead to a minimum with focus on quality delivery – very much focused on maximising the “good” and minimising the “bad”.

Similar principles can be applied to all engagements.

For more on Agile, see these articles:

About the author:

Mark Taylor is an experienced IT Consultant passionate about helping his clients get better ROI from their Software Development.

He has over 20 years of Software Development experience - over 15 of those leading teams. He has experience in a wide variety of technologies and holds certification in Microsoft Development and Scrum.

He operates through Red Folder Consultancy Ltd.