What is the difference between Consumerisation of IT and Shadow IT? Both are user driven IT purchases (or free services) being brought into the enterprise, quite often without IT involvement.
Is the Consumerisation of IT just a politically correct way of saying Shadow IT?
CIOs have long battled against Shadow IT and how to prevent, control, deal with or remove it. The arguments for doing this have usually revolved around security, compliance, supportability and business risk, although IT's fear of losing control has been an underlying theme.
A couple of recent articles got me thinking about the changing world of technology and what the Consumerisation of IT really means to companies and their IT groups.
Scary statistics on the future increases of Shadow IT were highlighted in the recent ComputerWorld article "The upside of shadow IT" (or should that say the growth in Consumerisation of IT?) by Julia King:
Gartner predicts that in less than three years, 35% of enterprise IT expenditures will happen outside of the corporate IT budget. Employees will regularly subscribe to collaboration, analytic and other cloud services they want, all with the press of a button. Others will simply build their own applications using readily available cloud-based tools and development platforms.
If you believe those statistics are bad, think for a moment about all of those free Apps and cloud storage utilities like Dropbox, Box.net etc. that your staff are using (by the way, that includes your own IT staff, who are probably the worst offenders!). Whether you believe Gartner's 35% prediction or not, it can clearly be seen that consumer driven IT in the enterprise is growing rapidly and there is little or nothing IT can do to prevent it.
The quick answer is yes, very worried. The ComputerWorld article goes on to say:
... the corporate IT department will be bypassed. As one industry pundit put it, "it will feel like the inmates are running the asylum."
A recent Enterprise CIO Forum article "Unmanaged IT consumerization opens the door for compliance and cost concerns" by Paul Muller explains:
Sending end-users marching off unsupervised to procure their own devices and services willy-nilly will lead to a massive duplication of cost and business-crippling compliance problems.
The root of the problem with unmanaged consumerisation is “shadow IT”
Business customers already complain that IT is not responsive and lags in delivering what the business really needs. This dissatisfaction and unfulfilled need encourages people to find alternative solutions. This is particularly true within Sales and Marketing departments where they often require very fast turnaround times to react to changing situations. These groups can easily ask their marketing agencies to procure or create an IT related service as part of a marketing campaign. Whilst this is done with best intentions, is this new micro-site or App compliant with appropriate legislation? Is it capturing personal data in a secure manner?
CIOs are caught in what Martha Heller refers to as the CIO Paradox. The CEO holds the CIO accountable for all IT related matters in the company, including security, compliance, performance and availability, yet increasingly the CIO is unable to control all of these aspects.
The bottom line is that it is becoming easier than ever for the business to procure cloud based services without IT involvement and more worryingly without IT even knowing about it. Unless IT adopts a different approach to servicing the business they risk being sidelined.
Most CIOs accept that they can never prevent all Shadow IT and that staff will always undertake some activities outside of the core systems, be it via Excel, Access or more recently via cloud based applications or services.
IT must find a way to put in place standards, tools and frameworks that allow the business to take advantage of cloud based services whilst remaining secure and compliant and avoiding waste and duplication. These frameworks must also take account of, and provide opportunities for, integration with existing core systems.
IT's role will fundamentally change from being the implementer of everything, to becoming the overseer of standards and frameworks, facilitator of implementations and integrator of cloud services, and adding value through continued innovation.
CIOs must accept that IT cannot control everything and need to embrace the Consumerisation of IT given the massive benefits it can provide. They must find a way to help the organisation whilst still preventing it from doing something stupid.
See my blog for more on IT, Business and Change Management.
Consumerization of IT has certainly raised a huge challenge for CIOs today and also for senior security officers within the corporation. With the arrival of this cultural behavior of "Instant Access", IT organizations, whether prepared or not, are being pulled into dealing with various flavors of cloud environments. Without trusted advisory governance solidified by concrete performance contribution as validation, CIOs will experience (and already are experiencing) what was prevalent in the late 90's and early 2000's with "shadow support". Shadow support was any IT type of support maintained within the business unit organizations outside the scope of governance of Corporate IT. Maverick spending was a serious concern in that era. Today, that spending will translate to cloud subscriptions, and unless IT plays ahead of the culture to evaluate and set standards on cloud subscription SW and other IT related services like subscription storage, they open themselves to the same risk vulnerabilities they faced around SW Compliance, the launch into internet access and the virtualization revolution. Without control in place cost always escalates, risk always becomes a concern and visibility always decreases. That spells danger in my book to IT organizations, because it breeds distrust and lack of satisfaction that reflects directly on CIOs and is one of the primary reasons CIOs on average don't last more than 5 to 6 years within their position. The tendency is always over-reaction by the corporation that drives poor decisions such as hastily negotiated outsourcing agreements, over reduction in labor forces and permitting valuable talented employees who create IP and innovation for the corporation to exit out the back door.
So what's the answer? CIOs must establish cloud governance and treat the movement to converged cloud environments as they would existing IT environments, negotiate enterprise cloud subscription and support agreements and establish existing infrastructure environments that are complementary to the converged cloud evolution but protective of the corporate IT assets that contain and hold data that is crucial to the success of the enterprise. We play in a global access world and corporations need to embrace and leverage the advantages of that global world to their benefit and revenue generation. Those that do so and do it well will emerge stronger, healthier and be models for cost effectiveness in a very complex and evolving new infrastructure paradigm.
Policy, platform and management are only one part of the puzzle. That's because it is a band-aid. Isn't the answer application modernization, with an emphasis on protecting data, in any form, wherever it goes? Isn't this the best path to prevention?
(note: I work on projects sponsored by EnterpriseCIOForum.com and HP)
Prevention? Will modernizing applications really prevent people finding new opportunities to use cloud tools to make their jobs easier?
Perhaps you could explain further what you are suggesting.
No, I don't think modernizing apps will prevent people from using cloud tools, rogue/unapproved devices/etc. What I'm suggesting is on making specific apps secure at their core ... and designed to be connected with by a variety of clients and devices, including those not even on the radar (not the case for most today). Should the devices be managed? Yes. But many threats are at the origin, within the app and/or data itself. One deterrent to what I'm suggesting is that getting a BYOD budget, for many, is easier and less expensive to the organization than addressing the larger modernization issue. Key to any decision isn't just budget or technology, but also risk management.
(note: I work on projects sponsored by EnterpriseCIOForum.com and HP)
See also the CIO forum discussion on LinkedIn.
I am far from expert in security, but the experts I do follow maintain that securing the whole BYOD movement and mobility in general (which is most of what we are talking about with consumerization today) should not involve policies and governance that is any different from existing policies, modified of course for the anytime, anywhere compute model. I believe I read something recently on this very thing and will search for the article and then post the link if I can locate it.
I think the bigger issue is around users procuring their own Cloud services.
Is that happening in your company? Would you even know? And what is the potential damage? Not that I couldn't speculate. But I'd like to hear from a CIO... does this keep you awake nights? And what safeguards are in place to make sure a rogue cloud does not burst?
Funny you should ask, John. I just spotted this article about IBM banning Dropbox:
http://www.informationweek.com/news/smb/security/240001032?cid=nl_IW_cio...
They are quoted as saying "The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence"
Personally I think this is the tip of the iceberg, things continue to develop at an ever increasing rate and will cause CIOs increasing headaches unless they can find a way to embrace them.
That was an interesting story. It didn't seem like any one incident triggered the Dropbox ban... that it was a pre-emptive strike. A deeper exploration of the story would be interesting. It seems clear that IBM sees a flood of its data assets leaking out to clouds over which it has no control. A lot of enterprises will take their cues from large IT vendors like IBM and HP....
When I think about "shadow IT" and "consumerization of IT", I see two very different phenomena. Consumerization of IT is a broad trend that is focused on the user and usage. Widespread innovation and availability of applications, services like social media, collaboration and sharing tools represent a fundamental shift in the way we work and play (at home) with technology. Additionally, an explosion of devices and form factors has arisen to help people (at work / home) access the services and solutions that best fit their usage and location. All of these trends are good for the business, employees and IT.
"Shadow IT" is more about the governance of the environment and who is deciding what. This is a dangerous discussion, and I think the wrong one, because it is about who has control and who doesn't. At Intel IT we believe strongly in the partnership between IT and the business. Having more choices means this partnership must grow stronger with business leaders identifying business goals and IT helping select and guide best services and technology to meet those goals and enable a cost effective, secure, productive employee base.
This does imply that IT's role is changing from a previously centralized command/control where we dictated what services are available and how you had to use them (and then measured as a cost center / service provider) to one where we are a trusted advisor and integrating a variety of services and technology to enable success.
At Intel IT we enable BYO but in a controlled fashion; we spend time educating employees about their choices. In addition we partner with and end up advising business leaders on the best solutions for Intel - sometimes that is an off-the-shelf solution - other times a custom solution that enables competitive differentiation.
So I see IT consumerization and Shadow IT as different but equally important trends and dialogues for IT Leaders and Business Leaders alike.
Chris #IntelIT (more at www.intel.com/IT)
I would say that as security issues inevitably do arise as consumerization expands like the universe, consumerization will become a whole lot less 'shadow IT' because, as we all know, someone has to secure it. The key, it seems, is for IT to promulgate what are essentially extensions of existing security and governance policies and be sure users adhere to them. Consumerization may well remain shadowy if IT doesn't leap to insert prudent controls.
Bill - do you think this requires a different approach to security or extensions to existing?
I wonder if Shadow IT is becoming IT and whether it is the threat many in IT make it out to be. Or does it provide the innovation and true business support that IT fails to provide?
I know this sounds like heresy and I am just posing the question....not saying I believe it, but it did occur to me.
Consumerization of IT and "shadow IT" might be only one step away, but effective governance may help stop a crucial misstep. I like what you put: "The root of the problem with unmanaged consumerisation is 'shadow IT'."
Today when we talk about IT governance, which is an integral component of business and corporation governance, I think IT also needs support from her or his fellow executives, and should see such a trend as a good opportunity to re-enhance data governance and application governance, and enforce the overall business GRC. Thanks.
One way a CIO can address this problem is by simply making a change to the governance structure of IT. In particular, reallocating the decision rights for a certain stack of IT related decision rights, so the CIO is no longer responsible for them. That doesn't mean control of key IT assets needs to be put at risk. The entire domain of IT does not need to be run as a monarchy. Shadow IT may be perfectly in line with an evolving corporate strategy that IT is failing to address because it is clinging to a political model that doesn't fit that strategy any longer. The need to have absolute control is one of the main reasons people work around IT.
When deciding upon a decision rights allocation, political metaphors are used. For example, one talks of business or IT monarchies, federal, feudal, duopoly or systems of anarchy. These in turn get cross referenced to various IT functions, such as IT goals or principles, infrastructure, architecture, business applications and IT investments. A different political system can be used for each function in a single organization. For example, it may be a monarchy when it comes to setting goals, infrastructure, data and reusable business components and anarchy when it comes to applications and application devices. I read an example recently where a single business unit made the initial investment in wireless infrastructure and was then paid back when the entire organization began sharing it. We are also starting to hear about BYOD (bring your own device) policies being implemented. Therefore, shadow IT may or may not be a problem, depending on corporate strategy and how decisions are being governed as a result. If every IT function is a monarchy and the King has not adopted iPads or Cloud apps as part of his strategy, then I suppose it is a problem. However, a system of Anarchy may be perfectly fine for certain things and in fact, may be a source of innovation.
Doug - it is not uncommon for a CEO to hold the CIO responsible for all IT regardless of who sourced it. How would you recommend that situation would be handled?
Hi Martin
I think I would answer that question in the same way, make sure decision rights are clearly defined. It is totally unreasonable to hold a CIO responsible for decisions being made outside of his or her domain of responsibility, which he may not be aware of. Clearly defined decision rights translate into clearly defined lines of responsibility. If the CIO is required to assume responsibility for the poor and/or secret decisions of others, then the organization ought to understand the requirement for additional resources and budget to do so. Because of the nature of the work I do, automating governance processes, I realize my answer may appear naive because I am assuming certain things. For example, I am assuming the organization has a clearly articulated corporate strategy and is committed, from the top down, to governance and aligning IT to the desired outcomes of that strategy. I am also assuming that the IT activity taking place outside the domain of IT is part of the strategy and decision rights reflect it. For example, the business has decided that growth producing innovation comes mainly from remote business units, who are given the freedom and responsibility to pursue it. Now that freedom is very likely going to be conducted within certain parameters and in cooperation with other decision stacks that the CIO may still have control over, such as data or application architecture. Therefore, there is less of a tendency to put responsibility on the CIO, since the responsibility clearly lies somewhere else.
In organizations where governance is not yet a priority I can see where your scenario can easily arise. In that case, one of the first tasks I would undertake, I suppose, is to try and understand exactly why so many people feel a need to do IT outside the domain of IT and then plan a response based on that information. It will help justify the case for the response as well. There are ways to lower corporate risk without being too dictatorial, for example, by using private or hybrid clouds, rather than public, or by adding more flexibility on the application and device front without lowering data security or integrity. I think one of the easiest ways to manage change is to be the one leading it.
Doug - agree that it's easier to manage change when you are leading it. But coming back to the original article, one of the key aspects is that the CIO is no longer able to lead everything, and the Consumerisation of IT means it is far easier for non IT staff to go off and do their own thing while the CIO is trying to retain some form of order.
Hi Martin
Depending on what you mean by "trying to maintain order" the answer may be why so many people are trying so hard to avoid the IT department. There may be perfectly good reasons why IT has become a speed bump, but the fact is they are perceived as a speed bump in many organizations, rather than the vanguard of change. Consequently, efforts to try and control innovation are perceived as efforts to try and justify one's existence, by people fearful of losing control, rather than efforts to protect corporate assets.
It is hard to talk in generalities about the issue, but let's take cloud security as an example. Some IT people just automatically assume the public cloud is not secure, without really investigating whether it is or not, or without finding out if the cloud provider offers options for making it more secure, beyond the out-of-the-box features. Bringing order may be a case of directing the anarchy toward the best secured cloud providers, who offer the best SLAs, have the better disaster recovery procedures, and who are fully integrated to your single sign-on system, for example, as opposed to trying to stamp it out altogether. As I explained earlier I tend to address these issues from the perspective of a specific corporate/IT strategy, and service management, so the answer depends on what that is. In some cases the CIO is simply not responsible for all the decisions.
It will be very interesting to watch how this issue plays out going forward. Thanks for the interesting blog.
Doug - appreciate your input. By maintain order I refer to the need to maintain security, compliance etc.
How about maintaining order (aka control) cost wise? Is that a concern? How is that managed?
"How about maintaining order (aka control) cost wise? Is that a concern? How is that managed?"
I tend to think of cost control as two-pronged, one is an operational issue and the other concerns new IT investments. The first is an ongoing process of evaluation fed by measurement and variance reporting. One should always be looking for better and cheaper ways of doing things, without giving up anything on the utility (features and functions) or warranty (quality of service, SLA) front.
Cost control on the IT investment front is relative to return on investment. If investing in certain technologies is driving tremendous new revenue -- rapidly expanding into new markets for example -- then cost control is not seen in an absolute sense. One still looks for the most efficient way to spend money but within a context of possibly spending a lot of money.
Generally speaking, I see no reason why new investments should not be justified in terms of value creation and strategy alignment even if the decision rights are moved outside of the IT department. Governance is a top of the house function, not strictly an IT function.
If you can buy centrally and negotiate better pricing then that is often the ideal situation, for example putting in place a framework agreement that still gives business units flexibility to do their own thing. Is that a later step which follows on with maturity?
I just bumped into a fellow IT journalist who is working on a story that says the days of enterprise buying employees cell phones are coming to a close. Is that what you are finding?
Thanks for the post Martin. I believe a key differentiator between the “consumerized” IT and shadow IT lies in the ownership of the data – more so than the ownership of the applications. An Excel spreadsheet, oftentimes referred to as a typical "shadow app", contains business data. At best it gets synchronized by some automated batch process or humans remembering to update it. With all its obvious bad consequences... If there is a bridge ever to be made from the shadow app to enabling business to use their choice of tools and technologies, it would be by defining the data ownership: by IT. If IT has firm ownership of the data and the robust APIs for the corporate users to consume their data any way they choose, we solve most of the "shadow app" problem. Of course there still remain legitimate issues about the data existing on user devices, etc. But clarity around user app ownership will allow IT to focus more on its core: a few enterprise platforms providing most of the company data via IT-owned robust APIs. This is how I would measure the maturity of an IT organization: what percentage of the company data is owned by IT. And out of that, what percentage of it is consumed via standard IT-supported APIs.
If interested, check out my post at ithorizons.wordpress.com on this topic. Here is a direct link to the post: http://ithorizons.wordpress.com/2012/03/08/secret-sauce-for-a-successful-mdm-mobile-device-management/
Dmitri, thanks for your reply. Whilst I agree with you about owning the APIs, I would be very concerned about IT owning the data. In the same way that we should only ever have business projects, if IT owns the data then all of a sudden we become responsible for the incorrect data for reporting etc.
Hi Dmitri and welcome to the Enterprise CIO Forum. Indeed, Excel spreadsheets are technically a form of Shadow IT, but since IT corralled the PC, they really have not been Shadow IT.
The data is only meaningful to the end user...sometimes, it's IT's job to store, secure and make sure it's accessible. But many of those spreadsheets reside only on the end user device - an accepted practice? So I guess that would qualify as Shadow IT, but management of company data falls under corporate policy.
Would you hazard a guess on how much data is owned by IT versus how much is controlled by end users? Is that the question? Data ownership has often been a question no one wants to answer, although I applaud your efforts to outline steps in your blog post about how to do it.