Tuesday, 15 May 2012

How should CIOs deal with Shadow IT?

What is shadow IT? IT devices, software, IT advice and services outside the ownership or control of the IT department. Funded, procured, owned and managed outside the IT department. Not listed in formal asset registers, and not maintained, backed up or secured according to central standards and policies. It frequently includes consumer IT and social technologies. It often only comes to light when it breaks, or causes a security issue, or when someone leaves. It is neither inherently bad nor good, but it's a growing issue that needs action to ensure the integrity and efficiency of enterprise technology and to prevent fragmentation of information and processes.

We need to look at shadow IT in relation to how vulnerable our core systems are, how much our organisation depends on this shadow IT, and the potential for external and reputational damage from failure or malfunction of shadow IT systems. To the outside world, it's the University's IT, even if it's a server under a desk. And the CIO will get the blame.

How can we find out what there is out there? Look at procurement records, talk to heads of department (assumes a level of trust of the CIO), look at support requests through the helpdesk, look around when visiting departments, carry out a formal assessment.

We had a workshop format discussing the issues, positive and negative. Our group's main issues were:

Data centres under desks (or in labs etc)
Positive impact
Flexibility, proximity, control, provides specialist services
Negative impact
Security, Risk of reputational damage, green IT (power, space), waste of resources

Cloud based services eg Dropbox
Positive impact
Easy to use, convenient, reduced printing
Negative impact
Making sure users understand the risks especially around security

Consumerisation of IT, BYOD etc
Positive impact
Decreased central costs, drives central systems to improve, to be delivered to standards, different devices etc
Negative impact

Duplication of effort and inappropriate use of resources
Eg maintenance of servers, professors acting as web managers

So, what should we as CIOs do about it?

Know about it. Be aware. Make the risks visible.

Acknowledge existence, but choose battles carefully. Create policies for minimising the risks. Provide support services.

Regular, active monitoring. Provide advice and enable safe, effective, efficient connected deployment of IT irrespective of organisational boundaries. Careful scrutiny and control of how shadow IT can affect critical aspects of the University's performance.

More round table discussion.
What doesn't work in managing shadow IT?
Control, banning, big sticks.
What works?
Talking to people, selling the benefits, offering a service, making it easy for people to use our services, finding out what people want, flexibility.

IT will always exist in multiple places across the organisation, inside and outside of the IT department. It's not always negative. Good shadow IT can drive innovation. We as CIOs need to take a constructive role and ensure everyone is aligned to a common plan, encouraging flexibility and innovation.
