In Defense of Shadow IT

The term "shadow IT" refers to the use of software and systems in a way that's not officially sanctioned by the IT department. The name itself, shadow IT, elicits a sense of wrongdoing. But you can trace the existence of shadow IT back to an honest effort to achieve a desired business outcome.  And you gotta love the spirit behind that, don’t you?

Look, we’ve all been there. Your high-level design of boxes and arrows has one particular box with a question mark in it. Do you build a custom module for that? That’s probably a bad idea, for a bunch of reasons. Hey, look at that!  A quick Google search shows that there's a purpose-built tool out there that you can just drop right in! And it’s free! Done and done. Well, actually, not so fast. What's the company line on third-party software? If you’re afraid to ask, you now find yourself in the conundrum that many knowledge workers today are finding themselves in. It's this frustration—asking if it’s OK to use a piece of technology to solve a problem and being told "no"—that gave birth to shadow IT.

On one end of the spectrum, you’ve got the company that allows a total free-for-all. Anyone with a need for a technology can procure a solution as they see fit and bring it right into the fold. Want to send a business email using your personal email account? Go ahead! On the other end of the spectrum, you’ve got an iron-fisted, centralized IT group acting as an aggressive gatekeeper on all technology choices. Need to get a new server provisioned for a test environment? Fill out this form in triplicate and fire it off into the abyss. Then work on your contingency plan while you wait weeks to hear “no.” Granted, these examples showcase two extremes. But most organizations find themselves somewhere on this one-dimensional spectrum, usually moving in one direction or the other in search of the elusive sweet spot.

It's probably obvious why a company would favor a less controlling IT policy: they can move fast. But in the example with the centralized IT, a company is pursuing another useful goal, and that's control. And if you have control of resources, processes, and tools, you're managing the one thing the business really wants IT to control: cost. This narrative meshes well with the traditional view of IT as a cost center. On the other side of the coin, we have the view of IT as a business enabler. Businesses don’t mind a large spend if it means a large return. Speed versus control is the conundrum of so many IT managers today. The line of business wants results. But the shared IT resource just seems like an obstruction. Managers know how pitiful it sounds when they say, “I couldn’t get it done because IT treats me like a patron at the DMV.” When it comes to excuses, Steve Jobs famously opined, “Somewhere between the janitor and the CEO, reasons stop mattering.” So companies can't have zero IT governance—that would be irresponsible. You'd likely hear team members begging for sanity, and the auditors and accountants would be raising eyebrows. Yet an overbearing policy can be a straightjacket on your tech workers. Where is the balance?

The landscape has shifted from business units asking IT for expertise to business units asking IT for permission. IT holds a disproportionate amount of sway over a business leader responsible for profit and loss. If an imperious IT department blocks progress, a determined employee will just go around them. In many instances, this damages the relationship. Most employees, especially tech employees, want to be valued for their expertise. But the lines of business are increasingly staffed with people entirely capable of making sound technology decisions. When we tell IT “I don’t need your expertise here; just push my request through,” it's usually not well received. This causes more friction in subsequent interactions, eventually resulting in a broken business interface. However, if a company gives a line of business more latitude to make their own technology decisions without seeking permission, they can operate in the light without drawing the ire of an overbearing IT group. Imagine a company where every tech-related decision needs to be cleared by an all-powerful IT board.  Being put through that ringer once or twice will beat down even the most resilient of us.  Determined employees will eventually stop asking IT for anything. They will just seize the reigns and navigate their own path. The point here is that sometimes our hand is forced. On occasion, projects succeed in spite of process and organizational rigidity. Shadow IT is an evolutionary adaptation, if you will. It must exist for businesses to function. In many instances, the rigidity of traditional, pyramid-shaped organizations necessitates shadow IT. Oftentimes, the stated directive is “follow the process,” but the subtext is “color outside the lines if you have to.” Wink, wink.

In a business world increasingly staffed with tech-capable people, many organizations are starting to rethink their IT strategy. Maybe it shouldn't be so one dimensional. Sure, regulatory compliance and legal considerations are not going away. Privacy and data security are being brought to the forefront. To that end, businesses gotta do what they gotta do. But when it comes to innovation and time to market, businesses should push technology decision-making authority to the leaf nodes of the organization, not centralized. Furthermore, they should realize that when a company becomes mired in red tape, talent retention becomes a consideration. In a world where a person can no longer sit through a three-hour baseball game, the best and brightest minds may not want to work at a company where it takes three weeks to get a server provisioned. Some proponents of the centralized IT model may think that simply increasing throughput is the answer. Leave the structure as is, and shorten the turnaround time on requests. Then everyone’s happy, right? Maybe. But self-sufficiency is usually better than needing to ask for help. And how would you rapidly scale up and down to meet periods of higher demand? The term “bimodal IT” is gaining traction in the industry, and the spirit behind it is that maybe organizations should take a more nuanced approach to how it leverages technology. Tools and technologies are moving at a breakneck pace, and organizations and processes are struggling to keep up.

If your company’s IT strategy is untenable to you as an employee, the en vogue answer today seems to be “change your organization, or change your organization"—or in other words, “just go work somewhere else.” If you want to “move fast and break things,” then find a startup. If you're an IT worker who longs for the status quo and centralized control, then find a shop that fits the bill. Makes sense, right? The trouble is when big, lumbering enterprises proclaim, “We need to act more like a startup!” and then proceed to double down on their current IT structure. At the end of the day, when every company is now in the software business and every employee is a tech worker with an internet connection, you may not be able to plug every hole. The landscape has shifted from preventing shadow IT to containing it to now potentially embracing it. It’s becoming harder for business leaders to pay lip service to the notion of innovation if they want to place so many constraints on it. And that's a good thing for all of us.