It’s time to look at your Shadow IT problem as a Business-led IT opportunity
Jan 28
Don't get left out in the cold - IT teams risk getting left behind if they don't adapt to the way lines of business are selecting their own SaaS solutions. A ‘Shadow IT’ perspective isn’t helpful to understanding, or benefiting from, this trend. Labelling these decisions as ‘bad’ can leave you tilting at windmills whilst opportunities for IT innovation pass you by.
Successful outcomes start with IT and line-of-business partnership
The genesis of Trelica was our experience in a previous start-up – an early enterprise SaaS vendor in the corporate sustainability space. We implemented enterprise SaaS solutions for hundreds of large multinationals and, to be frank, the value each customer got was variable. The successful client relationships we had involved selling to subject matter experts / the business owners, but in close collaboration with central IT. It’s all about the right mix of end user input and IT expertise.
Our foundational concept for Trelica was that IT and ‘the business’ need to partner and share responsibility for technology decisions if an organization is to balance the risks and opportunities of SaaS. Let’s not get into why ‘the business’ is so commonly considered to be distinct from the IT team, which is of course a central function within ‘the business’!
Business-led IT as a basis for cooperation
As we researched the theme of IT / business collaboration we came across ‘Business-led IT’. Our vision was a platform for IT to shape the decisions line-of-business users were making, i.e. to provide structure and guidance without the need to wrestle back control, in much the same way a gardener sets out a trellis to provide a structure for climbing plants to propagate… hence, Trelica!
Our original strapline was ‘Business-led, IT shaped’. Brilliant, no? What could possibly go wrong? We tested the idea with a few IT leaders and the almost unanimous feedback was, to summarize, that this sounded rather negative from an IT buyer perspective. IT teams don’t necessarily want to cede control to the business, nor should they.
Call it commercial pragmatism, or a lack of conviction, but we dropped ‘Business-led, IT shaped’. Two years in though, we think it’s a theme worth revisiting.
What is Business-led IT?
Business-led IT is technology controlled outside of central IT. That’s a rather broad definition: it ranges from line-of-business users selecting off-the-shelf third-party SaaS apps through to ‘citizen IT’, where a tech-savvy user builds a custom app, perhaps using a low-code platform.
A 2019 KPMG / Harvey Nash CIO survey revealed that two-thirds of respondents allowed technology to be managed outside the IT department. This is starting to sound a lot like ‘shadow IT’. It’s technology the IT team didn’t select, don’t control and in many cases won’t be aware of.
It’s easy to understand why IT leaders might not celebrate the idea of ‘Business-led IT’ if it’s simply being used as a way to label and rationalize the transfer of decision making power to the line-of-business. At the same time though, this transfer of power is a reality and failing to get to grips with it risks leaving IT teams on the back foot as their shadow IT problem grows.
What’s the problem with ‘Shadow IT’?
The term Shadow IT conjures up images of a homogeneous set of risky apps being (mis)used by bad actors in your organization. The reality is that what we find in the shadows is far more nuanced and less alarming than this. We used real-world (aggregate) discovery data from Trelica customers to provide a sense of what IT teams are likely to find. The results are covered in much more detail in this article. Here is a summary:
- Typically, over half of the SaaS apps you discover will have just one or two users and have no inherent risk in terms of access permissions
- There will be a small core of apps that have risky access permissions, but these are used by a relatively small group of users (<1% of the total userbase)
- Time and again we see popular business apps that are addressing emergent business needs (e.g. remote team collaboration tools)
SaaS discovery will reveal a variety of apps in the shadows, and each needs to be addressed in a different way. You can revoke permissions, block access, engage with the users, or simply accept the usage. None of this is to say that there isn’t risk in shadow IT; what we’re advocating is that you don’t treat it as a monolith. Creating a SaaS inventory and putting a SaaS management program in place will give you visibility and the tools to respond proportionately to what you discover.
Re-imagining Business-led IT
There was another interesting finding in the KPMG / Harvey Nash survey: over 40% of the companies that allowed the lines-of-business to make their own technology decisions did so without any direct involvement from IT.
Herein lies the problem. Business-led IT will always be unappealing if it’s shorthand for cutting out central IT. It’s also not in anyone’s interests to cut out central IT. The lines-of-business aren’t going to have technical expertise or the benefit of insight into the organization-wide technology landscape.
We believe there is a middle way. IT should be the framers, setting the overall structure and policies but allowing the lines-of-business to make decisions within this framework. This allows technology decisions to be ‘business-led’ but with the right amount of oversight and guidance from the IT experts. Business-led, IT shaped.
A practical example of Business-led IT in action
Hopefully we’ve started to persuade you that shadow IT isn’t as scary as it sounds, and that some version of business-led IT could represent a better paradigm for understanding the challenges of SaaS sprawl. Let’s look at a practical example of this shift in thinking.
We can practically guarantee that if you start with SaaS discovery and build out your SaaS inventory, you will discover use of project management apps like Monday.com, Asana, Smartsheet and Airtable. There is nothing inherently wrong with use of these apps. If anything, their adoption might indicate a technology gap in your organization that needs to be addressed.
Business-led IT thinking encourages us to accept that the lines-of-business needed project management tools in order to function. If central IT already licenses a project management app, it’s either not fit for purpose or there is a simple awareness issue.
Leaving each team to operate whatever project management app they want isn’t the right solution though. It’s IT’s opportunity to engage with these teams and shape their decisions. That means consolidating usage into as few apps as possible to achieve volume discounts and efficiencies in training and support. Once IT has partnered with the business to establish which apps are delivering value, there needs to be an Information Security review. From an operational perspective, these apps should then be covered by standardized management processes for renewals, user access reviews etc.
The common misconception is that the business wants to hide from IT. What we’ve witnessed in our work with progressive IT teams is that the business is more than happy to collaborate with IT. As with most interdepartmental interactions, success in IT / business partnership is built on mutual respect and an understanding that both parties have expertise and a job to do.