Q&A: Managing shadow IT

Public sector organisations are witnessing an increase in software-driven solutions that are often provisioned through the cloud environment, and built and used without explicit organisational approval.

While this shadow IT can be rapidly deployed, easing the burden on IT teams, who has responsibility and what issues do organisations need to be aware of? In the third part of our Q&A based on discussions at the recent OpenText Innovation Tour event in London, we find out.


Jos Creese, former CIO Hampshire County Council & Independent Analyst:

“I think shadow IT is a positive thing, even though I can understand why CIOs and IT managers are concerned about stuff going on in IT that they’re not in control of.

“For me, shadow IT falls into two categories. There is one that is borne out of the frustration that IT departments are out of touch, slow, bound up in legacy IT and what needs to be done therefore can’t be done. Low and behold, thanks to all of these cloud applications now on the market, end-users can go it alone without the IT department.

“The second, more important, issue is that not all of the best ideas and digital solutions will come from the IT department. This is why I’m in favour of shadow IT. They come from the business. There so many solutions out there that are fast, agile and easy to implement without going through IT, that it can be a positive to empower employees. The only proviso, if I was a CIO is that it comes with responsibility. I would expect to see HR policies reflecting the fact that, if you’re going to be messing about with data and therefore the reputation of the organisation, you know what you’re doing and understand that there’s a personal responsibility, whether you’re the main executive board or a personal employee. With those provisos, go for it.

“CIOs can retain control by ensuring they have an effective information management policy and architecture covering data handling responsibilities across the whole organisation. This needs buy-in at board level and should explain why it matters and what people’s responsibilities are.

“The other thing is that CIOs should have a modern, joined-up relationship with the whole of their organisation. Gone are the days of IT departments working as operational centres taking requirements and turning them into solutions. We need to shift energy away from this ideology, based on legacy systems. We really need to shift that, at a time when resources are so stretched, into forward-looking solutions that are right for the business. That means CIOs need close relationships with their boards and service leaders.”


Stephen Roberts, Author of Digital Policing Review & Independent Analyst:

“I really do agree with Jos. Especially when shadow IT comes from directors of local authorities, heads of clinical specialities in healthcare or individual commands in policing, those individuals are thinking, ‘I run a data and information business and I need the right tools in it, which corporate IT isn’t supplying but which I can go out and buy off the shelf’. It’s a good thing that people in those areas have got that appetite and demand.

“Some of the concerns that CIOs have can revolve around the fact that their special area is now unprotected and that their colleagues know just enough to be dangerous. Or, it could be that their area of expertise has been eroded. It’s not a good place to start from. That said, there are some legitimate areas of concern and they are threefold.

“Firstly, what are your vulnerabilities and what information risks will come when you introduce a new way of storing data into a secure information environment. Secondly, shadow IT tends to be less shadow than most people think. Once something goes wrong people will go to the CIO and IT teams for help. Thirdly, once you have diversity across the estate, all the good stuff such as bringing data together and making it work can go out of the window because there becomes such differences in the way data is processed and held. There’s a danger of returning to operational data silos.

“If you are going to have a free-for-all you need to have controls over risk and governance and how data control and management will work, if the benefits are to be realised.”


Ian Owen, OpenText Healthcare Specialist & Public Governor, Blackpool NHS Trust:

“Shadow IT needs significant focus on governance and control. The proliferation of opportunities to work with SaaS models and with cloud solutions is taking off and won’t slow down. And that shouldn’t be stopped if we are to see digital change.

“Providing the right policies and controls are in place, and you can bring content together in one place, much of the risk can be mitigated. The great thing about shadow IT is that there’s no one-size-fits-all solution – every organisation needs different IT solutions and shadow IT can deliver it.”

Don’t miss: Parts one and two of our Q&A series: The case for smarter data and Unicorn projects and the public sector

Related reading