Shadow IT – Page 11 – IS Survivor Publishing

The newest “best practice” is an old banned practice.

By: Bob Lewis|In: Architecture|Last Updated: March 23, 2015

Guess what’s now “best practice.”

A few years back it meant locking PCs down tight, preventing anyone outside IT from doing anything creative with information technology unless they could get it done with Excel.

“Shadow IT” … business departments implementing information technology without any IT involvement? An information security nightmare!

Nightmare? Look at the number of recent, massive data breaches whose targets have been … what shall we call the opposite of shadow IT … sunlit IT?

The actual evidence seems to show that shadow IT is, at worst, no less secure than sunlit IT.

The exact same cast of characters that advocated tight lockdown just a few years ago are now, without even a trace of contrition, writing favorably about how smart CIOs are supporting and leveraging shadow IT rather than trying to stamp it out.

Research current thinking on this and you’ll find the IT punditocracy has discovered IT has to handle some tasks more quickly than others. McKinsey, for example, calls it the “two-speed IT architecture.”

Welcome to the party, folks. You’re late. Did you at least bring some decent champagne?

To be fair: Just because these folks are latecomers, it doesn’t mean their insights are worthless. The McKinsey piece, while long on what the outcomes should look like and light on how to achieve them, is a fairly decent analysis.

Decent, that is, other than ignoring the significant role shadow IT will and should play in most two-speed IT architectures.

And, decent with this possible exception: “… companies need to improve their capabilities in automating operations and digitizing business processes. This is important because it enables quicker response times to customers while cutting operating waste and costs.”

If, by “quicker,” McKinsey’s analysts mean reducing cycle times for fulfilling orders, then fair enough. While the notion that information technology can be helpful in reducing process cycle times is hardly a fresh one, it’s no less valid today than it was when first introduced in the mid-1970s or thereabouts.

But “quicker” might also mean implementing new strategies or responding to marketplace changes. If that’s what McKinsey means by “quicker,” it’s way off, because optimized processes are one of the biggest impediments to rapid change. That’s because optimized processes need supporting infrastructure, and infrastructure encourages stasis, with “infrastructure” including:

Business process design. As these things go, this is the easy one. Designing an efficient process just isn’t all that difficult compared to what it takes to implement one. Visio is the most adaptive component of process infrastructure.

Design of business process controls. Beyond the process itself are management practices and process metrics. Designing them isn’t all that hard. Designing them so they don’t do more harm by getting in the way than they provide in benefits? Trickier. A lot trickier.

Design and build-out of the physical plant needed to support the business process. This could be as trivial as setting up a new cube farm, or as complex and expensive as designing and building a factory. Ignoring all other aspects of this task, whatever gets built will have to last long enough to be relevant until the company has paid off the design and build-out costs.

Design (or selection), implementation, and integration of supporting information technology. Presumably, KJR’s audience knows a thing or three about this topic. To make sure it doesn’t get lost: The integration part is, in most situations, the most expensive and difficult technical dimension of the task.

Employee training. The need to train employees is obvious. That their education is part of your business infrastructure is less obvious.

Investment in continuous improvement cycles until process optimization has reached the point of diminishing returns. No matter what the new process, it’s the organizational equivalent of a skill. Skills take time, and money, and effort to acquire and perfect.

There’s one more factor to take into account to understand why investments in business infrastructure put the brakes on business agility, and that’s the project failure rate.In most companies, more projects fail than succeed. That being the case, once a company has a process and its supporting infrastructure up, running, and optimized, the fear that implementing its replacement will fail isn’t merely very real. It’s realistic.

And when the odds of success are low, it’s perfectly natural for a company’s decision-makers to take what looks like the safer bet — sticking with that has worked, even if, in the long run, the result will be an obsolete company that sells and delivers obsolete products and services.

Especially because, in so many cases, by the time it’s impossible to ignore their obsolescence, it will be someone else’s problem.

* * *

Next week: Shadow IT’s role in a two-speed business (not just IT) architecture.

Storming around

By: Bob Lewis|In: Architecture|Last Updated: March 10, 2014

Jimmy Dean should never have recorded “Big Bad John.” His squeaky tenor just doesn’t fit the lyrics — they demand a Johnny Cash baritone.

Still, Dean got some things right — his sausages, for example.

And, he gave us a useful quote: “I can’t change the direction of the wind, but I can adjust my sails to always reach my destination.” It will never make it on despair.com, but that’s okay. Cynicism is more fun, but figuring out how to make things work is what pays the bills.

My last two columns have talked about the direction of the wind (“An imperfect storm,” 2/24/2014 and “More storm warnings,” 3/4/2014) — trends you can’t do much to affect, and do have to respond to:

Cloud 3.0 — enterprise-class computing that includes cloud-based applications.

Shadow IT — the growing amount of information technology implemented without IT’s involvement.

The digital enterprise — a grab-bag; right now its most important elements are smart products, the so-called “internet of things,” and all of the opportunities possible when you put the two together.

Income disparity — and the rising demand for luxuries and uniqueness by those on the lucky end of this trend.

The rise of business practices over processes — practices being the way to organize how work gets done so as to be able to deliver uniqueness.

Your challenge: Adjusting your sails so IT can at least survive these trends and maybe even enjoy the outcome. Suggestions:

Get the relationship right. I know you’re tired of hearing me rant and rave about moving beyond the supplier/internal-customer relationship model to a fully collaborative alternative. I also know I talk to IT leaders all the time who haven’t made the transition.

It matters in this context because in your brave new world of embracing shadow IT, a collaborative relationship is what will stop shadow IT from become rogue IT.

Automated regression testing. Take this to the limit, and beyond.

Cloud 3.0 means multi-cloud plus inside-the-firewall infrastructure provisioning. Multi-cloud, and especially multiple cloud solutions managed directly by the lines of business, means patch management and version management move outside IT’s control.

With automated regression testing you might be able to persuade the lines of business that IT should test cloud-vendor-induced configuration changes before they’re put into production. Without it, IT will once more be positioning itself as a bottleneck rather than an enabler.

Redefine the “I” in “IT.”

Except for shadow IT, all of these trends mean more work for IT, not less. Even cloud computing doesn’t mean IT has less work to do. You’ll be managing multi-cloud systems. Think monitoring for availability and performance. Think more reliance on your WAN. Think about what restoring from backup now means. Especially, think about integration.

This is the redefinition of “I” — from “information,” which never truly encompassed IT’s responsibilities anyway, to “integration,” which completely describes where IT is essential.

Look, like it or not, sales managers everywhere understood the difference between cloud-based shadow IT and the installed alternative. Installed software meant asking IT to unlock sales reps’ laptops so they could install Act! and asking IT to provide a server so their laptops could synchronize to a shared database.

The Cloud meant buying licenses from Salesforce, doing everything through the browser, and getting the shared database too, all with no IT involvement.

So encourage Shadow IT. Get rid of as much responsibility for the applications portfolio as you can. For individual applications, shadow IT’s drawbacks are diminishing, and this also eliminates the “This application doesn’t do what I need” vs “The specs were wrong” arguments that now dominate many business/IT relationships.

But integrating the applications? Only IT … “Integration Technology” … can make this happen.

Which gets us to enterprise technical architecture management (ETAM). This is a long-running personal favorite, and it’s only going to be more important in the future.

A multi-cloud environment with lots of quasi-independent line-of-business and departmental IT departments adding to the application layer is akin to a bunch of developers adding buildings to a community without building codes or well-designed water purification, electricity-delivery and sewage treatment systems to connect to.

In particular, the ETAM function should choose the company’s integration technology system and define the company’s data integration engineering requirements.

Data integration is what causes the most trouble when it comes to accidental architecture. Without a clean, clear, well-engineered approach, shadow IT will exacerbate the situation exponentially.

Okay, okay. “Polynomially” is more accurate, but who’s counting?

* * *

15 years ago in KJR’s predecessor, InfoWorld’s “IS Survival Guide”: An app dev methodology that looks a lot like Agile, two years before the Agile Manifesto.

Way back in 1996, I recommended viewing yourself as a product, not an employee.

And ten years ago, how to avoid the proximity trap — the tendency to pay more attention to those who have access than to those who have answers.