CIOs start to view ‘shadow IT’ as a catalyst for innovation
Illustration: Matt Murphy
Share on LinkedIn
Share on Xing

CIOs start to view ‘shadow IT’ as a catalyst for innovation

Jessica Twentyman — January 2016

Attitudes to unauthorized software and services are changing, with IT heads now seeing the use of ‘citizen tech’ as a way to creatively explore opportunities and rapidly solve problems.

Here’s a novel idea: so-called ‘shadow IT’ might not be such a bad thing for an organization. Instead of signalling a lack of control, the proactive, clandestine adoption of IT products and services by employees might just be the mechanism that enables a business to implement new strategies faster. Instead of a runaway train, shadow IT might be an innovation engine.

It’s a contentious argument for many technology leaders. For those charged with ensuring that company systems remains secure and under tight control, the rampant spread of company data and intellectual property through the use of unsanctioned tools, mobile apps and cloud services might seem like the stuff of nightmares — or at least a few sleepless nights.

But many IT leaders now feel they are locked in a fruitless battle to hold back the tide of user demands for new and upgraded apps and services they feel will help them do their job better. In a survey of 212 IT executives published in 2015 by the Cloud Security Alliance, almost three-quarters (72%) of respondents readily admitted that they don’t know how many rogue applications are being used within their enterprises.

What’s needed, perhaps, is a new approach — a middle way where the adoption and development of new apps and services becomes much more user-led, with IT’s blessing and oversight. And some technology leaders chiefs are certainly thinking along those lines.

“User-led IT is a positive thing. The IT organization should be about creating a landscape of provision that allows users to get creative.”

    Paul Clarke, technology director, Ocado

“I’m not a fan of the term ‘shadow IT’ because it has negative connotations,” says Paul Clarke, head of technology at Ocado, the UK-based online grocery delivery company. “If you let that cat too far out of the bag, you have to somehow get it back in again. But I see user-led IT as a positive thing. The idea that innovation is about the IT team giving people tools is a well-worn myth these days. Instead, it should be about creating a landscape of provision that allows users to get creative, because that’s what drives innovation down the channels that are more valuable to the organization.”

Creating that ‘landscape’ at Ocado, he says, has involved implementing a software layer that bridges the divide between the individual tools and services that users are clamoring for on one side, and “full-blown, tightly controlled enterprise apps” on the other.

Here, he says, Ocado is using the Salesforce1 platform to allow business analysts to develop internal applications to better manage customer processes, without software engineers from the IT team getting involved.

“The key bit for us was to get software developers out of the loop. I simply can’t hire developers fast enough anyway to ever get internal [user-requested] apps to the top of the priorities list — so having business analysts building tools has been a key requirement and is producing great results,” he reports

At the same time, he says, this platform-based approach, where business analysts assemble new apps and services largely from a library of preconfigured software components, means that all the features that IT needs to see in order to feel comfortable — security and permissions, reporting, APIs (application programming interfaces) and release control, for example — don’t get left out.

“I’m increasingly suggesting to the business that they ‘build it themselves’ but to do so within an agreed set of terms.”

    Antoine de Kerviler, CIO, Eurostar

At cross-channel train company Eurostar, CIO Antoine de Kerviler is taking a similar approach. In the past, he says, shadow IT approaches often sprung up in response to urgent regulatory issues and, for reasons of expediency, were broadly tolerated.

He describes a scenario in which an auditor told the company’s engineers they had to make a change to their processes and, in turn, they asked IT for a fast response. IT’s immediate request for details of the relevant database schema was greeted with incredulity by the engineer, who went away and set up his own spreadsheet and database to meet the requirement.

The issue here, says de Kerviler, is that, suddenly, that ‘application’ on someone’s desktop is an essential element of the company’s certification and its license to operate as a train company could depend on it.

In part, the challenge has been that many of Eurostar’s core systems are older, difficult to change and connected to many other external systems. For example, its reservation system was created in an older code base and connects to the systems of train operators in the UK, France and Germany, so that passengers can book their onward journey to, say, Poitiers or Bordeaux, directly through

“What we try to do is hide this back-end complexity by putting a layer above it, which exposes services that can then be used by new tools and services, to get data on a passenger reservation, for example. We try to componentize everything to make [core functions] accessible through APIs, so whenever the business wants to build something new, this layer makes it easier — more modular, more componentized. We’re trying to build something that’s much more decoupled.”

That, he says, opens the doors to a more inclusive agenda in which new apps are readily created in areas of the business outside of IT. “The concept of ‘citizen developers’ is really interesting to me. It’s not that users are malicious or that they don’t like the IT department but they just have a job to do. If IT says to them, ‘Come back in six months,’ and their boss is saying, ‘Just do your job,’ they have a choice to either wait for IT or do it on their own — and you can guess which option they choose.”

“If IT wants to bring back value, it needs to stop stepping into users’ critical path. If we tell people in the business they need to submit a detailed description to IT of what they need, and then they wait for months for that to be delivered, then our approval [of their use of tools or services] no longer has any value to them.”

Eurostar has been encouraging citizen developers for more than a year, he says. “I’m increasingly suggesting to the business that they ‘build it themselves‘ but to do so within an agreed set of terms — the tests they need to do, the minimum documentation they need to put together. And in exchange for that, we provide the back-ups, the traceability, the audibility and the workflows around it. ‘We’ll help you,’ we tell them, ‘but the business is your business.’”

“We’re trying to strip out the negative connotations of shadow IT and replace it with the more positive notion of ‘citizen development.’”

Managing user-led IT is harder in some organizations than it is in others. Working in an industry as highly scrutinized as pharmaceuticals, “means we live in a world of regulation and change control,” says Mike Meadows, chief technology officer at Eli Lilly, the US pharma giant.

“But, at the same time, we know we need more focus on user uptake and a user-centric view to our systems. Human beings will always gravitate to what they know and can use quickly in order to accomplish their goals. So we need to find a way to enable this agility while still maintaining control,” he says.

bridesmaid dresses UK
Mike Meadows, CTO, Eli Lilly
“We too are trying to strip out the negative connotations of shadow IT, replacing it with the more positive notion of ‘citizen development,’” he says. And that notion of citizen developer applies to those within the IT department as well as users.

“I’d say we’re still moving up the educational curve here,” says Meadows. “Our legacy and natural way of working will drive focus on quality and controls. The mantra I’m trying to get across to the team with some of the new digital capabilities is, ‘If it feels light, it’s about right.’ Believe me, we will put the necessary controls in place — but what is increasingly important is that we focus on making IT agile, shifting from ‘built to last’ to ‘built to adapt.’ However you look at it, it’s about doing both — increasing flexibility and speed of response, while still retaining quality control.”

Paul Clarke, Antoine de Kerviler and Mike Meadows were speaking at’s annual Dreamforce event in San Francisco.

First published January 2016
Share on LinkedIn
Share on Xing

    Your choice regarding cookies on this site

    Our website uses cookies for analytical purposes and to give you the best possible experience.

    Click on Accept to agree or Preferences to view and choose your cookie settings.

    This site uses cookies to store information on your computer.

    Some cookies are necessary in order to deliver the best user experience while others provide analytics or allow retargeting in order to display advertisements that are relevant to you.

    For a full list of our cookies and how we use them, please visit our Cookie Policy

    Essential Cookies

    These cookies enable the website to function to the best of its ability and provide the best user experience for you. They can still be disabled via your browser settings.

    Analytical Cookies

    We use analytical cookies such as those used by Google Analytics to give us information about the way our users interact with - this helps us to make improvements to the site to enhance your experience.

    For a full list of analytical cookies and how we use them, visit our Cookie Policy

    Social Media Cookies

    We use cookies that track visits from social media platforms such as Facebook and LinkedIn - these cookies allow us to re-target users with relevant advertisements from

    For a full list of social media cookies and how we use them, visit our Cookie Policy