, mobile apps, self-service business intelligence tools, low-code/no-code development platforms and other technologies makes it easier for business units to deploy IT systems and applications on their own, and many millennial and Generation Z workers who grew up using technology now bring an I-can-do-it-myself attitude to the workplace.
Such technologies came into the enterprise partly because employees were seeking to get their work done in a better or easier manner, said Samir Datt, managing director of the technology strategy and operations practice at management consulting company Protiviti. "Business leaders have a closer understanding of what the customers need and what's going on in the market," Topham said, adding that such thinking has business units believing it makes good sense for them to take the initiative on IT projects.
Thomas Phelps, senior vice president of corporate strategy and CIO at software vendor Laserfiche, has adopted that stance."There's shadow IT and business-led IT, and from my perspective they're different," he said. On the other hand, with business-led IT,"there's engagement, services and governance from IT, where [IT leaders] have carved out a model of how and where they'll be involved," Phelps said."You're getting the right level of governance and IT engagement to help the business make technology decisions."Phelps did find instances of true shadow IT at Laserfiche, a maker of content management and business process automation software that's based in Long Beach, Calif.
"There are business technologists who exist within business units and can add a ton of value in terms of making technology investments and deploying technology. They know the business, and they should be involved with those technology decisions," he said.
more visibility into business objectives and how technology can support those goals, which in turn encourages more proactive discussions about the organization's technology and business roadmaps;by addressing immediate business needs; and True shadow IT certainly presents significant risks. But they exist even with business-led IT, depending on the scope of the IT department's governance model and whether -- and to what extent -- IT staffers support the technology brought in by the business.
The security issues are particularly worrisome because of their possible consequences. Protiviti's Datt recounted one case he saw at a manufacturing company in the B2B market: Its marketing department brought in a data analytics tool without IT's involvement but failed to configure it properly, which exposed data on some 50,000 corporate clients.
Snedaker explained that she can't have business units signing up for SaaS technologies or downloading applications on their own; to her, such actions present a high risk not only of running afoul of compliance requirements but also of ringing up."Software as a service is a fabulous thing, but it's almost impossible to control the spend," she said.
Snedaker, who's a member of ISACA's Emerging Trends Working Group, said she supports business leaders defining requirements and selecting possible technologies. But she stressed that IT has skills, expertise and experience that generally don't exist elsewhere and are still required to make technology deployments -- even SaaS ones -- work securely and properly within the enterprise.