By Konrad Rogers
Many business users want to adopt cloud technology not sanctioned by corporate IT. Here’s how to reduce the risk and build a culture of collaboration.
The proliferation of enterprise cloud software is threatening to exacerbate the war over “Shadow IT” that’s long been simmering between corporate IT departments and line business units.
“Shadow IT,” of course, refers to any device or software used in a business that the central technology department does not sanction. It’s been the bane of CIOs since the 1980s, when business units started buying IBM PCs because Lotus 1-2-3 could do things that mainframes couldn’t.
Corporate technology leaders then saw Shadow IT the way facilities heads look at mice: a pestilence to be exterminated.
Decades later, the objections to line executives taking technology into their own hands are much the same:
It wastes time and money.
It’s not protected by corporate backup and disaster recovery procedures.
It fragments the company’s information into multiple conflicting versions of the truth.
Indeed, if a careless worker builds a jury-rigged solution that connects to a company’s network, it could leave an electronic opening through which anyone on the Internet could cause far more damage than could ever be made with a purloined floppy disk.
Still, while the average hacker may have better tools and more technological sophistication than ever before, so too does the average business executive. And many are using them in innovative ways.
The communication and collaboration services that many companies now rely on—think: Slack, Trello, Zoom, and the like—were first introduced by rogue teams. Now a new generation of tools is enabling nonprogrammers to easily create analytics dashboards, automation workflows—even full applications.
There’s much for a technology executive to like in these developments. Cloud applications, especially low-code and no-code tools, allow business units to move quickly, experiment, and free up resources of the central IT organization to handle more complex projects.
Research giant Gartner has termed these applications “business-led IT,” encouraging corporate technology departments to support the trend while ensuring the appropriate level of security and reliability.
“Business-led IT is open and transparent from start to finish, whereas Shadow IT is hidden and under the radar for all or part of its life cycle,” wrote Gartner analyst Jason Wong.
I’ve worked with a lot of corporate IT departments over many years, and I’m seeing the best of them change their culture and approach to working with the rest of the company. Gone is the insulated, know-it-all attitude and the draconian edicts.
IT departments should start by providing business units with enough information to assess the risks and benefits of a possible new system. They should assume that everyone in the company is invested in preventing disruptive glitches and embarrassing data leaks. But they also need to acknowledge that a system used to schedule team meetings may not need the same level of security and reliability as one that stores customer credit card numbers.
This approach could organize a conversation about a possible new project around four topics, each framed as a question:
It’s helpful to engage the company in ranking the sensitivity of each type of data, much as the government classifies its secrets.
Top protection goes to trade secrets, personal information about customers, and anything else that would damage the company’s reputation if it got out.
Some types of information may be more sensitive than they appear. For example, the specific software programs used in a company’s internal systems might offer a roadmap to potential hackers.
The IT department can show business users how it would approach assessing the security of a new technology and whether it is appropriate for the sort of information the system will handle.
Most users these days understand that any system on the open Internet that simply asks for a user name and password is vulnerable to phishing and other kinds of attacks. The locks get stronger if there is two-factor authentication. Better yet are systems that don’t ever store passwords and instead use the corporate single sign-on service.
It’s harder for a business user to assess how vulnerable a cloud system is to other kinds of attacks. After all, the news is filled with reports of major hacks at well-known companies. IT departments can help explain the meaning of external audits of a service provider’s internal controls, such as the SOC 2 standard of the American Institute of Certified Public Accountants.
The goal here is to help users think through the consequences if their new system stopped working. Would it be just an inconvenience that could be worked around, or would it interfere with the company’s ability to do business and serve its customers?
If an outage would be a problem, show how to evaluate the resilience of the technology and identify weak links. Does the service provider guarantee availability? Is there more than one person who knows what to do if a bug is found in the system? And what if there is a blackout or natural disaster? Is this new technology compatible with the company’s overall backup and disaster recovery plans?
Anyone in a business unit deploying technology needs to know the regulatory frameworks the company operates under. For example, securities firms are required to keep records of all communications with clients. That rules out discussing trades through many encrypted chat apps. And any system that stores data about customers will need to comply with the growing list of privacy laws.
If your company sells its services to the government or large corporations, it may have to certify its own security procedures, using a standard like SOC 2. Some Shadow IT projects could throw the company out of compliance, perhaps jeopardizing its client relationships.
No team is an island these days (at least not in healthy companies). So groups should consider whether adopting a nonstandard tool will make it more difficult to communicate with other departments. Is someone going to have to do extra work moving information between the two different systems?
Warn users about the insidious problem of data fragmentation. Projects can grind to a halt as different groups battle over whose numbers are correct. That’s why designing systems to be a “single source of truth” has become a rallying cry for so many technologists.
The latest crop of cloud services is designed to exchange data in real time with other systems. If these connections are used well, they can keep information synchronized and prevent fragmentation.
A corporate IT department that adopts this partnership approach can use its view of the entire technology landscape to help business units understand when the new applications they are developing need to integrate with existing systems, and how to integrate them. It may even encourage innovation by adopting an extendable platform for enterprise application development. While some platforms still require traditional coding, many now enable development through low-code and no-code environments. The right platform or platforms for your organization depend on the capabilities of your IT organization and employees, the technologies you already use, and many other factors.
A company can extend these benefits across the enterprise by adopting a core Cloud ERP system designed with a platform-based approach. Nextworld's ERP system, for example, was built with the Nextbot no-code enterprise application platform that simplifies process orchestration with built-in security and disaster recovery. This same no-code platform can be used both by corporate IT departments and business users to develop new applications that seamlessly share the ERP backbone.
Used smartly, in fact, the new generation of integrated cloud platforms can help solve many of the problems traditionally associated with Shadow IT. I’ve seen IT departments at Nextworld clients use our platform to dramatically simplify the web of systems used across their companies. They give business units the power to develop applications that meet their needs without having to skirt corporate standards for governance, security, and business continuity. Indeed, it becomes much more cost-effective for a business unit to take the initiative, because it can build a custom solution connected to the company’s core systems with less risk than traditional development.
This may be the way to replace the war between IT and business units with a lasting peace.
Chief Operating Officer
Konrad Rogers is the Chief Operating Officer at Nextworld. He began his career in 1995 as an Application Developer with J.D. Edwards. After Oracle acquired PeopleSoft, Konrad owned the platform components of a new Social CRM product that was one of the early offerings of the Oracle Sales Cloud. He then built a SaaS enablement organization that developed delivery processes, support models, and new products. As Vice President of Engineering, Konrad also built the Sales Cloud Industry organizations. He is passionate about creating highly productive, healthy teams and about challenging organizations to respond to the growing problem of technical debt.