IT governance in the era of shadow IT

The latest CW500 Club invited IT leaders to discuss the challenges of governance with the rise of 'shadow IT' outside the IT team

By 2020, 35% of organisations’ technology budget will be spent outside the IT department, according to estimates from analyst Gartner.

This trend will have profound implications for the role of IT professionals and the IT team.

The growth of “shadow IT”, as it has become known, has been given impetus by the growth of consumer technology and cloud computing, which make it increasingly easy to deploy technology without going through the corporate IT department.

At the same time, businesses are under pressure to adopt new technology quickly, and realise they can often deploy more rapidly by bypassing the IT department.

IT suppliers are also part of the shadow IT problem because they will bypass the CIO if they can, said John Harris, chief technology officer of Aimia, which runs loyalty card programmes, such as the UK’s Nectar.

“We will have our marketing people go out and talk to clients' CMO [chief marketing officer], and talk to them about loyalty and about how data services can help them,” said Harris at a meeting of the CW500 Club for senior IT professionals.

John Seglias, group IT director of transport firm Abellio Group, said he learned from a chance conversation with a supplier that his company was spending a six-figure sum on an IT system.

“I said OK, who is your point of contact? I thought he was going to say it’s your head of IT, but he said: 'Oh, I spoke to someone in procurement',” said Seglias.

Find out why shadow IT exists

Ensuring that shadow IT is managed and governed properly is a challenging task for CIOs.

Christoph Burtscher, CEO of Be2Change Consultancy and former head of corporate and IS governance for, advised CIOs to find out why people in their organisations are buying their own IT.

“If you know why there is shadow IT, you can do something about it,” he said. “Make sure you put the tools in place to address that root cause.”

If the IT department provides the right solutions and services, it becomes easier to discuss with other business departments why they are not happy with the IT they have, said Burtscher.

“And then, as long as they apply the reference architecture, marketing services, HR assistance or whatever it might be, it all works together and you still deliver the best possible value,” he said.

Don’t ban shadow IT

Banning shadow IT is not the answer, however.

For several years, pharmaceutical company GlaxoSmithKline (GSK) struggled with how to manage employees’ use of mobile phones at work, said Harris, a former IT executive at the firm.

“I remember when telephones with cameras first came along,” he said. “Because there were sensitive places – laboratories, factories, the rest of it – you were not allowed to take photos and that was a fairly explicit rule.”

GSK tried to enforce the rule by banning phones with cameras, but the policy fell down when cameras became a standard fixture in mobiles.

The company realised it was better to educate employees not to misuse phones than to ban them.

“We got back to it being a behavioural thing,” said Harris. “Don’t take photos and let’s all collectively enforce it as a policy.”

He also recalled a discussion with a CIO at one company about employees’ use of the Yammer social media service.

“He said, John, this Yammer thing – I have made a decision; I am going to shut it down,” said Harris.

The pair happened to be in a pub, watching news coverage of Libya during the Arab Spring revolution. Colonel Gadaffi had just tried – and failed – to shut down the use of Twitter.

“The conclusion we came to was that actually the world had changed, and we could no longer have a system with a big span of control,” said Harris. “The globalised idea to get them under control with one CTO was gone – the world had moved on.”

Harris’s current employer, Aimia, chose to offer a company-approved alternative when its marketing team began using Yammer to share thoughts and ideas.

Some of the ideas were commercially confidential and could have proved useful to a competitor. The problem was that no one was checking whether former employees still had access to the service after they had left the company.

Aimia selected another service, Chatter from, as its corporate collaboration platform, but there was no compulsion for staff to use the new system.

“By the way, if you throw the latest marketing plan on Yammer, and someone has left the company to join one of your competitors and they pick it up, that is your accountability,” said Harris.

This approach – setting the behaviour without trying to control every aspect of technology – has been very effective, he said.

“It’s a different way of thinking, but actually it works well for us. And we have found that we get a lot of creativity from people doing the right thing.”

Encouraging innovation

Taking the IT reins off the business will help organisations to respond more quickly, and to exploit technology to generate more innovative ideas.

Aimia, for example, hires data scientists, and although they may not be technology experts, they have the freedom to develop their ideas and source their own cloud services for data analytics.

“If they had to come to the IT department each time to set these things up, we would slow them down, we probably would not value them, it would probably just be another task,” said Harris. introduced the principle of failing fast in a controlled environment to encourage innovation.

The IT department gave the commercial and marketing departments three developers to work on rapid prototypes. All the costs were written off in advance, and there was no pressure to produce a working product.

The only proviso was that if the work did lead to a product, the IT department would test it on one of its systems. And if it succeeded, IT would be responsible for scaling the technology and rolling it out.

The project led to one of TheTrainline’s most successful products, Farefinder, which allows customers to search for the cheapest rail fares.

“That started with two IT developers sitting in a corner, trying to figure out a customer problem,” said Burtscher.

The company also set up 24-hour hackathons with free beer and pizza in the office. Whoever came up with the best ideas was given a few days off.

“That really worked,” said Burtscher. “That engaged the younger generation.”

Treat IT as an ecosystem

CIOs should think of IT not as a system, but as an ecosystem with components that fall both inside and outside the IT department, said Harris.

“Where I think, ‘IT sometimes goes wrong’, that is treating IT as a binary, one or zero. I am in control or I am not in control,” he said.

“If you fight to try and get an ecosystem under control and you try and treat it as a system, and you try to exert your authority, then you are going to fail.”

The role of the IT department should be to set expectations for employees, not to control the way they use technology, said Harris.

Compliance teams would not consider following the CFO to the pub to make sure he doesn’t disclose sensitive company information, said Burtscher. It is just accepted that he knows what he can talk about and what he shouldn’t.

Companies should take a similar approach with their own employees when it comes to IT, he said.

“Talk about what 'good' looks like, talk about what is acceptable. You put the onus on the individual.”

Marketing people don’t really want to run IT systems

The role of the IT department should be to support other parts of the business to choose the most effective technology.

Chief marketing officers just want their systems to scale and to work; they don’t want to have to maintain IT systems, or take responsibility for them working.

So they are usually more than happy for the IT department to step in and provide support, said Harris.

“We talk about how we want to do security, how we are measuring service, integration against the back end,” he said, “all the things we know the CIO and the CTO are good at and marketing people haven’t thought of.”

When you explain that the director of marketing needs to be available on the phone at 2am when the system goes down, they soon want to bring the IT department on board, said Burtscher.

“At that point in time, the CFO will immediately have a discussion with you about how you can put it on IT support and have 24/7 support,” he said.

Move from in-house to cloud

Seglias said organisations should move away from providing IT in-house and towards buying in standard services.

“We need to use the cloud to put in place a platform, an ecosystem, that you can offer to the business for a unit price with a well-understood service-level agreement,” he said.

The role of the IT department will not be to deliver the systems, but to work with external providers to offer the service quickly, for the best cost.

“It means that IT governance is not about saying 'I need three months to go away, work out how much coverage I need, put forward a request to the CFO, go through the IT governance process, get approval if I am lucky, and so on',” said Seglias.

The skillset of IT professionals will change. Rather than being technology experts, their role will be to work with business professionals to evangelise the benefits of IT.

A really good chief information security officer will not just be someone who knows the technology backwards and how to fight off cyber attacks, said Harris.

“They will know how to do that, but they will spend their time evangelising and explaining, articulating the risk in the ecosystem, challenging what is good behaviour, and when is it that you should go along to the IT department to get sponsorship,” he said.

Who carries the can?

One of the challenges facing CIOs is that although they no longer control the IT in the organisation, they are still held responsible if it goes wrong.

However, companies that are less focused on finding fault when things go wrong are more likely to encourage innovation and risk-taking. was one such place, said Burtscher, a former executive consultant at the company.

The CIO at TheTrainline was responsible for all aspects of IT, even in areas where he ceded control to other parts of the business.

But when things went wrong, the CEO’s focus was on fixing the problem, rather than apportioning blame.

That freed up the CIO and the business to innovate and to use IT in creative ways to improve the business.

“If failure means being fired, then it is really difficult for the CIO to accept responsibility for something that he could not control,” said Burtscher.

Yet chief financial officers are routinely fired when their companies do not perform as expected. And CIOs must expect to fall on their sword if a technology failure damages the company.

“I am sure there are times when the CIO loses their role because the CMO went out, bought lots of stuff and messed up,” said Harris. “Naturally, the CIO did not know about it. But you can no longer say 'I didn’t know about it, don’t talk to me'.”