IT in the Shadows: Why Shadow IT Is a Concern (and How to Address It)

ITSM practices enable organizations to transition away from shadow IT as a solution by providing a framework for sourcing services or solutions from the best provider, whether that’s an internal IT resource or a cloud service. It takes more than a framework, however: Shadow IT is just a new flavor of outsourcing, empowered by the cloud and mobility. For IT to address it, it needs to build powerful relationships, but first, it needs to be seen by the business as a partner in the organization’s success.

Shadow IT is just a new flavor of outsourcing, empowered by the cloud and mobility.

Why Is the Business Turning Away?

At HDI 2015, Malcom Fry summarized some of the reasons why shadow IT has developed, including:

• IT lag 
• Poor business processes
• The Us vs. Them mentality
• A poor track record of investments and implementations

Let’s take a closer look:

• IT lag: When the business requests a new service from IT, it takes too long: too much bureaucracy, and too much lead time required to specify and charter a solution. If the business can purchase a solution from an external provider—and if this type of purchase requires no approval from IT—it can meet its own needs relatively quickly.
• Poor business processes: If IT is seen by the business as inefficient and ineffective, the business is more likely to trust an external provider, especially if the service is critical to the success of the business or a strategic initiative. Poor business processes, resulting in unstable services, and a lack of knowledge concerning who to speak to about a new service or how to engage IT, make it easier to engage a third party.
• Us vs. Them: If we’re still talking about IT and the business, we’re really talking about an Us vs. Them mentality. IT needs to shift its thinking: IT is the business, and the sooner we realize this, the better. The more we talk about the difference, the more likely the rest of the business is to view IT as just another service provider, one it simply has to tolerate. From this standpoint, internal IT is likely the worst service provider other business units deal with: they struggle to keep services running, they don’t talk about how well they’re running or seek ways to improve, they take too long to implement change, and they eat up so much of the organization’s budget!
• A poor track record: Many IT organizations have a poor track record of investments and implementations. This includes selecting and implementing tools that don’t quite meet the business’s needs, leading to higher cost and lower engagement. With a track record like that, the business is better off serving itself.

So, why is this a problem? Among other things, organizations could experience some of the following problems:

• Difficulty integrating cloud services with internal services when IT is involved at the last minute 
• Exposure to potential risk and security issues 
• Ineffective or poor SLAs
• Unclear terms regarding turnover or usefulness of data, if the agreement is terminated
• Cookie-cutter implementations of out-of-the-box solutions that don’t quite meet expectations

This doesn’t mean businesses will definitely run into these issues. It depends on the vendor, the product purchased, and the due diligence performed by the customer. Many cloud solutions offer great value and functionality with few problems, if any, during and after implementation, especially when properly managed. The fact is, many problems can be avoided by involving IT in an implementation and performing sufficient due diligence throughout the implementation. The message here is that internal IT and shadow IT can succeed or fail equally well. For this reason, it’s time for IT to establish a relationship of partnership with the business, bringing shadow IT into the light.

Bringing IT and the Business Back Together

The most important aspect of shadow IT to realize is that, like outsourcing, shadow IT can be a sign of IT’s failure to the business. Instead of encouraging shadow IT to continue, IT needs to rebuild its reputation with the business and own the relationship with third-party providers. More of the same is not the answer. So, how can you make this happen?

Step 1: Shift your mindset and become a service broker

Shadow IT grows out of an IT mindset that is overwhelmed with keeping the lights on and is unable (or sometimes unwilling) to look beyond the day to day. While this mindset is prevalent at lower management levels, CIOs and VPs are thinking more strategically, trying to address the issue of an overwhelmed workforce.

Thus, the first step to addressing the issue is shifting IT’s mindset from service provider to service broker. IT typically has the mindset that they must directly provide all services used by the organization. Yet there are great turnkey solutions on the market, often being purchased directly by the business without IT’s involvement when IT doesn’t come to the table willingly.

One way IT can begin to take advantage of these solutions is to include a sourcing decision in every request for a new service, new system, etc., enabling it to determine whether it’s better to build or buy the solution. If a mature market leader exists to deliver the desired functionality, it will likely be more effective to procure the solution than to try to replicate it. This small change in how projects are initiated shifts IT into the broker role and demonstrates IT’s willingness to consider external services, reducing the need for them to contract services directly and in secret.

Being a broker doesn’t really take that many people; it can be achieved with existing staff members. But there are a few changes to existing roles that will enable IT to act effectively as a service broker while still providing services internally.

The Service Level Manager 

• Review all underpinning contracts or vendor SLAs, ensuring they meet the organization’s minimum standards for service and documenting them for the business. This review should include a discussion with the vendor on formulas or criteria used to calculate specific measures, like availability. 
• Work together with the service desk and ITSM tool administrator to set up the SLAs in the ITSM tool used by the organization. They should use the same criteria or calculations used by the vendor.
• Run and/or analyze SLA achievement reports for each external vendor and raise issues or concerns with the business relationship manager responsible for vendor relationships. Also, recover SLA penalties when SLAs aren’t met.

The Service Desk 

• Establish a relationship with the vendor to ensure all customer-facing issues are reported to the internal service desk, unless the internal service desk opts to take the first call on all system-level issues.
• Voice-menu (IVR) systems can be used to forward functionality/help calls to the vendor and access issues to the internal desk.
• All issues covered by SLAs should be logged and tracked internally. 
• Issues tracked by the service desk are validated with the vendor and used as the basis for SLA availability reports (although the vendor should be producing its own reports as well).

The Vendor/Contract Manager(s) 

• Use information provided by the SLM and service desk to manage the relationship with the vendor, seeking penalties when owed and managing contract negotiations, changes to SLAs, etc. The idea is to ensure an ongoing dialogue and build a powerful relationship that works for both parties. 
• Works with technical management and IT security management to validate vendors’ technical environments and security. Take appropriate steps to ensure data is protected and any security risks are mitigated. 
• If the vendor and contract managers are not the same role in the organization, the contract manager should work with the vendor to ensure successful contract negotiations and renewals when the contract term expires. They need to work proactively, ensuring they are in communication with business’s customers and the other vendor-facing roles in IT to make certain everyone is aligned with renewal and to address any concerns that may have arisen during the operation of the service during the existing contract period.

If shadow IT is a problem, it’s time to face facts: IT's relationships with other lines of business in the organization have been damaged.

Step 2: Build and maintain your relationships with the business

Once IT has retooled its roles and processes to be able to manage relationships with third-party providers, it needs to face facts: IT’s relationships with other lines of business (LOBs) in the organization have been damaged, and it’s time to engage them with the goal of repairing the relationship and driving the overall success of the organization. One way to achieve this is by establishing a business relationship management practice and working with the business to implement it. While IT could build the process itself, this is an area in which early business engagement makes a significant difference.

In addition to appointing or establishing an individual to work with each LOB as a business relationships manager, IT and the business should consider adding some of the following activities (some of them to be conducted jointly with the service level manager and vendor manager): 

• Define and agree on the services that IT provides to the LOBs
• Review existing service levels and determine if they meet the needs of the business
• Collect requirements for service levels that do meet the needs of the LOBs
• Negotiate and agree on internal SLAs for the services operated and delivered by IT
• Provide and charter a program of improvements (if needed) to enable IT to meet the new SLAs
• Review SLAs for externally hosted services and discuss the LOBs’ satisfaction with the service and the provider
• Schedule and hold regular service reviews with the LOBs to continue to build the relationship and improve service delivery

The most critical aspect of this program is the last point: holding regular meetings with the LOBs. This is where the relationship will get built and be maintained. It’s important that this meeting include a regular review of the services’ operation and ability to meet service levels and include open and honest communication about what needs to improve (as well as how IT is progressing once improvements are underway). A strong relationship will go a long way towards regaining the trust of the business, even when there are unanticipated service interruptions.

Step 3: Declare amnesty and integrate shadow IT providers into IT operations

This final step in eliminating shadow IT involves working with the other lines of business to inventory all external services. The goal is not to eliminate the services provided by third parties, but rather to begin managing them jointly with the LOBs that purchased them. This is where you will begin to bring these services under the umbrella of service management within the organization, by performing some of the activities mentioned previously. This is also a great springboard for investigating other services these organizations might provide and working jointly with the business on new initiatives that might include third-party providers. The concept of declaring amnesty is a little tongue in cheek, but it’s a good marketing approach that will help you put the business at ease when you approach them to discuss these services.

Along with bringing these services under IT’s umbrella, it’s also important to establish a policy of involving IT in all engagements with third parties offering IT solutions. This needs to be rigorously managed throughout the organization, with a zero-tolerance approach to working outside of the policy. Once this has been done, however, IT must keep up its end of the bargain, performing any and all oversight activities quickly and becoming a true partner, not a bottleneck.

Final Thoughts

As the de facto head of the service management office in my old organization (before the concept existed, back when we were simply called ITIL champions), I was involved with an IT organization that acted as a service broker for 70 percent of the organization’s services. We basically operated email, file and print services, and a small number of homegrown services; most of the critical business services—websites, ERP systems, payroll, HRIS systems, facilities systems, etc.—were vendor-hosted in a cloud environment. The LOBs were extremely good at working together on the successful delivery of these services, and LOBs using a specific service were often grateful for the partnership, especially when a vendor failed to meet its SLAs. When this happened, they knew they could rely on IT to address the situation on their behalf, leaving them to successfully manage their own operations. We achieved this by working with each and every vendor closely, treating them as true partners. They, in turn, observed all of our internal service management processes—in particular, change management, incident management, problem management and service level management.

This level of trust and partnership is the real difference between businesses using shadow IT to work around their IT organization and organizations that work together to deliver services, whether they’re sourced internally or externally. The latter offers great potential, for any organization.

Phyllis Drucker is an ITIL-certified consultant and informational leader at Linium, a company that provides strategic advice, process consulting, and tools. With more than twenty years of experience in ITSM as a practitioner, manager, and consultant, Phyllis has contributed knowledge to the profession through numerous presentations, white papers, and articles. Since 1997, her goal has been to advance the profession worldwide by providing experiences and insight on a wide variety of service management topics and trends.