Shadow IT Part 1

How Do We Respond Tactically?

Baxter Thompson Ltd, Jon Baxter


According to a 2015 Logicalis survey of nearly 400 CIOs, nearly 1 in 3 CIOs are bypassed on technology decisions 'often', 'very often' or 'most of the time'. This is the first of a two-part blog. In this post I take an example and set out the considerations that could guide our immediate response to business partners; the second post looks at the impact of the growing trend of Shadow IT on the role of IT. For our immediate response, the considerations are: what is the business strategy; where in the organisation is the business value; and what is considered core to the business. The key point: assets that are strategic, generate customer value, or are fundamental to the business model need to be managed within the business's boundaries and access controlled accordingly. Finally, I provide some practical steps for a tactical response with our business partner.

Introduction and Example

According to a 2015 Logicalis survey of nearly 400 CIOs, nearly 1 in 3 CIOs are bypassed on technology decisions 'often', 'very often' or 'most of the time'. That is a concerning statistic, and it calls into question the ability of the IT department to lead and influence the direction of technology. Let's start with a practical example.


Imagine we find out that our Marketing partner has started using an online mass-emailing platform, and that we find out only because they contacted IT wanting to extract customer email data from the company's ERP system, which the IT department manages and Marketing needs access to.


The fact that we find out in this way is evidence of the lack of strategic partnership discussed in my previous post, "Strategic Partnership Considerations". How do we respond? Below are some responses that reflect different styles of engagement, capability maturity and governance:

  • DENY: Extracting the data to an external service conflicts with corporate IT policy, and we need to leverage existing CRM functionality to achieve a return on that investment. The business partner could be unhappy with a response they might perceive as 'no and slow'.
  • ACCEPT: Pass the request on to a business analyst to work out how to extract the data at the lowest possible cost, and ask the business partner to formally accept the risk of data loss and of potentially poor value for money.
  • NEGOTIATE: Identify which technical solutions could provide a compliant mass-email capability, create a business case and prioritise it.
  • PLAN: Agree with Marketing the long-term capabilities it requires to fulfil the business strategy and create a roadmap.

There are justifiable reasons for any of these approaches; the answer depends on a number of factors and there is no single right one. Indeed, the answer may well be a blend of several responses (and, as a side note, how the response is presented to and discussed with the business partner is equally important). I have outlined some considerations below:

  1. What is the type of Business and Business Strategy?
  2. Where is the Business Value and Risk?
  3. What is “Core” and “non-Core” to the Business?

1.    What is the type of Business and Business Strategy?

What are the core capabilities that differentiate the business from its competitors? How does it make money from those capabilities, and is information technology a key component of them?

•    Rolls-Royce leases jet engines to airlines and charges according to engine usage in service. Sophisticated measurement and data collection systems are required to support this business model.
•    Tesco's loyalty card not only incentivises customers to shop at its stores; the purchase data it generates is used to understand customer behaviour and is sold on to interested parties, so the data itself becomes a marketable commodity.

2.    Where is the Business Value and Risk?

Value and risk are attributed to business assets, which for the purposes of this post are defined in terms of technology, information and process (implicitly including people and their competencies):

Technology Assets

If technology forms a fundamental part of the business model, i.e. the technology itself makes money, then it is a strategic asset that needs to be developed and its associated intellectual property properly managed.

Trading platforms such as the London Stock Exchange, which transact shares, commodities and so on, rely heavily on bespoke, complex software applications developed in-house. Customers pay a licence fee and access the services through secure portals; the software itself is hosted internally.

Information Assets

Where technology merely enables the business model, it is the information that is critical to the functioning of the business, and it is the classification of the data that determines whether it is a strategic asset or not. A data management policy that states which types of data may be distributed externally, and how, is therefore key.

Royal Mail provides online tracking of parcels through its supply chain to the final destination. Knowing where a parcel is and when it will be delivered is critical to customer satisfaction. The information is managed internally and exposed on the internet, but authentication controls ensure that only certain users can see it.

Process Assets

If the process is the fundamental value driver, then both technology and data are core components of it. It goes without saying that people, their skills and their knowledge are part of this too. The classic scenario is outsourcing: insurance claims handling, the IT service desk, call centres and payments processing. The key here is understanding the organisational change requirements and the integration and connection of systems between the different companies.

3.    What is “Core” and “non-Core” to the Business?

From the last section the point becomes clear: whether it is technology, data or process, whether an asset is considered core to the business (i.e. it creates customer value) largely determines whether it can be outsourced or supported externally.

Key point: Assets that are strategic, generate customer value, or are fundamental to the business model need to be managed within the business's boundaries and access controlled accordingly.

Returning to our practical example: customer email addresses, although important, may well not be critical to the functioning of the business. The functionality offered by an external service provider may also be better than what the current version of the CRM system offers, and the cost of the external service may be lower than the ongoing cost of upgrading the CRM system. Finally, given the urgency of the campaign, the lead time for upgrading CRM functionality may well negate any benefit the campaign would have delivered.

Other criteria in this instance will be:

  • Personal data protection and data leakage (i.e. how sensitive is the data?)
  • Maintaining data integrity, i.e. one version of the truth (e.g. for valid email addresses, which system is the original source?)
  • Improving productivity (e.g. avoiding double data entry)
  • Realising business insight from data (e.g. how many responses did the email campaign get, and which customers bought products?)
  • Long-term cost of systems integration (e.g. API interfaces and system architecture)
  • Solution scale (i.e. how many users would it have? How much data is required to make it work? Is it a one-off project activity or a frequently repeated operational function?)

Practical follow-on steps

  1. Identify the business capabilities that will require core and non-core technologies in the longer term.
  2. Define the core systems, data and processes that the IT department will manage and retain control over.
  3. Determine the integration requirements between core and non-core systems.
  4. Conceive an architecture that allows easy integration between core and non-core services, and obtain financial approval.
  5. Define a non-core systems and data policy that tells business partners where provisioning third-party services and granting external access to data is permitted.
  6. Establish a governance mechanism to allow changes to the policy and to decide the priority of changes to core and non-core systems and data.
  7. Assign ownership of the data and its associated risks (such as data leaks and security breaches). Monitor the use of the data and manage the risks.

How Baxter Thompson Associates can help

We help IT understand the opportunity with business partners through our Reconnaissance for IT framework, and can help implement a business relationship management capability to ensure that the value in IT is delivered. The framework includes the criteria mentioned in this post and is applied through a short diagnostic comprising mainly interviews and workshops. The outcome is a report on recommended changes, options and a business case for implementation. We also provide training, coaching, recruitment and change management.
