Saturday 15 November 2014

Shadow IT

Final session of the conference was a workshop looking at Shadow IT. Lovely defined as investment in acquiring, developing or operating IT solutions outside the control of a formal IT organisation. If nothing else we were clearly told to take away the message that Resistance is futile! IT is now so engrained in everything we do, and the consumer IT space so pervasive, that "IT" is going to happen everywhere. And given that many sessions I've been to have been about digitalising the business, we are actively encouraging it. That's not to say that there shouldn't be controls in place, and many business critical systems, support and infrastructure should still rest with the central IT department.
So how do we adapt our role to cope with it?
First thing we need to do is take it out of the shadows. Enter a discovery phase, find out what is going on. Then have a plan.

We had a group discussion on our tables, and I was sitting between the CIO of the European Parliament and the CIO of Europol. We had some interesting debates about what was appropriate. They couldn't really get their heads around our very open attitude!

Then we looked at some examples of good practice, summarised below:


Engage
Need to engage. Will change the role of the IT department.
Get some visibility, find out how much is going on. Share it.

Redefine accountability.
If people are developing or implementing shadow IT they have to be accountable for it. For support, security etc. Put in place processes to do this.

Guide.
Provide guidance to the organisation

Establish boundaries
In what areas is it legitimate and sensible to allow end user development? What areas are no-go areas?
Use this 2 by 2 grid



Things can start in one quadrant and move. Need to keep under review.

Create red lines.
Privacy, security and compliance. Lines which must not be crossed, and there must be consequences.
Requires clarity, training and education.

Exploit Bimodal IT
Become more agile and flexible.

Offer services
E.g. vendor and contract management. Hosting. Project management.

Offer tiered support.
Different levels of support for different systems.

Consider accreditation
Train staff, bring them into central organisation and teach them. Then might trust them more.

Have an end user board.
Not just IT department policing things. Let a board come up with policies etc. There are risks though!

Use Audit!
Get them on board. Put the policing action on audit, not us.

All very interesting and useful. And reflects closely what we're trying to do in our IT as a shared service project.


