My experience of Shadow IT
As long as IT has existed, it seems that shadow IT has existed as well. I distinctly remember one of my first projects as a junior consultant where I was tasked with mapping an enterprise’s finance processes. I had carefully drafted detailed process maps based on the enterprise’s policies and procedures. I sat down with the client’s finance lead only to be told, “ That’s how it’s supposed to work, but here’s how it actually works…” Due to issues with the legacy system, an entire shadow finance system had been created. A few quick conversations with my colleagues in industry confirmed that my experience is not unique – and this is further corroborated by a McAfee study stating that 81% of Line of Business users use shadow IT.
Impact and Cost of Shadow IT
The impact and cost of shadow IT is massive. Gartner estimates that large enterprises spend 30 – 40 percent of their budget on shadow IT. Research from Everest group puts that estimate even higher - 50 percent or more. Additional impacts can include duplicated efforts, multiple sources of truth and security vulnerabilities, to name a few.
Is Citizen Development Shadow IT?
Given enterprises’ experiences and the cost of shadow IT, it’s not surprising that there is hesitation around the concept of citizen development. Phrases like “empower business users” are frequently espoused, but, cynically, isn’t citizen development just shadow IT in a different wrapper? If an enterprise is encouraging end business users to develop their own applications, is it sanctioning shadow IT and all the costs and issues that come with it?
Citizen Development is not Shadow IT
Personally, I strongly disagree with that sentiment, but it’s easy to see how someone could reach that conclusion. A PMI survey found that lack of IT governance and control is one of the top three barriers for increased adoption of low-code/no-code platforms.
Link between Citizen Development and Shadow IT
For enterprises to feel comfortable deploying and scaling citizen development, the concern of shadow IT and rogue software must be addressed head-on. PMI’s latest handbook, “Citizen Development: The Handbook for Creators and Change Makers,” starts to do just that.
PMI clearly states that effectively deploying citizen development isn’t about circumventing existing controls or finding work arounds. As stated by PMI, effective deployment requires enterprises to “engage with IT to excel in citizen development. IT needs to be a collaborative partner, the owner of access and permission controlling, as well as in charge of the protection and security of information.”
The right governance model allows enterprises to find the balance between empowering the business user while controlling and managing risks.
Praveen Seshadri, the founder of AppSheet (a no-code platform) and now a Distinguished Software Engineer with Google, describes how enterprises can strike this balance: “So IT departments could easily say nobody can build an app that doesn't force sign in. And all the sign in must be through this identity provider and have your account access this data. And if you do, I'm going to know about it right away.” In this example, the business user still has the capacity to create and develop applications, but IT still retains full control. Rather than IT being developed in the shadows, it is carried out in the open with the full awareness of the IT department.
Not surprisingly, rather than fearing citizen development, with the potential for better oversight and control, IT department are embracing the low-code-/no-code movement. Coming back to Praveen, “That's one of the things that we're observing is that IT departments actually love the no code story, because it's not opaque, they can shine a light on it. It's a ‘What is this thing doing?’”
Ultimately, despite surface-level impressions, citizen development is the antithesis of shadow IT. It’s bringing application development into the light.
If you want to find out more, I'd recommend PMI's new book, Citizen Developer: The Handbook for Creators and Change Makers (available at www.pmi.org/citizendeveloper).