Emerging from the Shadow

One of the things that still surprises me in my day job as a consultant, is how difficult enterprise IT departments make it to share information and files with suppliers. Much of this is the fault of legacy systems, such as old SharePoint versions or old school FTP sites, but in today’s interconnected world making external collaboration difficult actually increases security risks. Too many IT departments still fail to realise this.

Part of this is cultural. User experience is never going to be the number one priority for IT, nor is it supposed to be. Their job is security and availability, in that order. UX is still a consideration, but ranks third in the priority list. The never ending news cycle of data breaches has elevated preventing data leaks to the top of the IT to do list, GDPR re-enforced this trend. The problem is that implementing the right protections requires changes to business processes that other departments can be hesitant to adopt. This reinforces the unfortunate trend for people to refer to IT as the "No" department.

Things are changing. Few IT departments these days still conform strictly to the "No" department stereotype. The Digital Transformation buzz has eliminated the tendency for IT to react to change by blocking it at the firewall, but they do still move slower than other departments. This is by design. IT departments have a large number of external technical standards that they need to comply with such as the ISO 27001 information security standard or the PCI payment card protection standard. These standards aren't just about configuring servers in a specific way, they enforce a set methodology that IT departments need to follow when developing applications, systems and processes. At the heart of this methodology is the concept of identifying and managing risk. Potential issues and threats are evaluated for both their severity and likelihood. Measures to reduce those risks are then identified and implemented. Failure to follow this approach, has financial consequences for the business.

Other departments are rarely this methodical, often not considering the security or compliance landscape that firms operate under. This causes friction between employees looking to do their job and security or process oriented IT staff. Internal politics can reinforce this trend with CIOs often thinking that all technology should belong under their remit.

The problem with the traditional IT approach is that applications are only useful if they fulfil the purpose they were designed to perform. This is one area where IT has had a bad reputation historically, preferring complex but technically interesting platforms that can be developed internally over a user friendly, off the shelf solution. Given that IT rarely have to use the line of business applications they're supporting, ease of use has never been given sufficient priority. This applies as much to leading enterprise software companies such as Oracle or Microsoft as it does to the IT departments who buy from them. The alternative approach of commissioning a developer to write a custom solution allows the software to meet usability requirements, but as the cost of reduced flexibility causing problems further down the line.

Until the cloud came along there was nothing that frustrated sales or marketing teams could do about the complexity of your average enterprise software application. IT was the only place you could get new software for your team, unless you were lucky enough to have an Excel or Access guru on hand. Cheap online services changed everything, allowing anybody with a company credit card to buy the software they needed to get the job done, assuming you didn't just use your personal Dropbox account. This do it yourself approach is called Shadow IT.

There is just one problem with Shadow IT - data security. Shadow IT bypasses all the security controls in place to prevent downtime and security incidents. This is a real concern to IT given that they are explicitly responsible for securing the businesses digital assets. If departments are using technologies and applications without their knowledge then they can't be held responsible for a breach, yet will often get blamed anyway. A decade ago, security breaches were more of a theoretical threat than a real one to many businesses. Numerous high profile examples have changed attitudes, but not as much as IT departments would like. Belatedly, there is an awareness on all sides that a balance needs to be struck. A new generation of enterprise software startups have transformed the marketplace. Business users have the opportunity to choose from a vast array of different products fitting every niche imaginable. In many companies, IT are letting them make that choice too just with a degree of oversight and education to ensure that security and compliance requirements are met.

What's more, the established enterprise software players favoured by CIOs have begun to take notice of the competition. The cloud has opened up numerous markets to new entrants built using the same principles and technologies as consumer software. Companies such as Box or Google have provided much needed alternatives to an industry that was becoming increasingly deaf to their customer's needs. Oracle, Microsoft and SAP have been making real efforts to increase the user friendliness of their products. Even Sharepoint, long a byword for terrible UI, has been relaunched with a modern interface that just works (most of the time). They, like the IT managers who comprise their customer base, know that blocking the competition at the firewall is no longer an option. They've learned the hard way that the long-term solution to the Shadow IT threat, is to make sure that business users have no reason to bypass IT when making decisions about technology. Not before time.