Application Governance when you don’t own all the technology

This is one of the most common IT questions I get asked: "How do you govern applications you don't own?"

One of the biggest challenges of SaaS and the cloud is that all anyone needs is a credit card and an internet connection and boom – you’re now a shadow IT manager!

On the one hand, the agility this gives a business is phenomenal: teams can move quickly by leveraging technology. On the flip side, it typically means duplicative spend across the enterprise, sub-optimal technology decisions, and weak security links introduced into the tech stack.

One obvious way to solve this is through policy: tell the business they can't buy any technology. The downside is that we've now taken away all that business agility and created a lot of non-value-adding work for IT.

In a utopian world, all business stakeholders would reach out to IT when they're looking to solve a problem with technology and start a conversation about solutions much sooner than typically happens. In the absence of this, it's more likely that IT first learns about an application when a user calls the helpdesk.

There is a better way, but it’s not one solution – it’s 3…

1. IT needs to be clear about what it should own

IT doesn't need to own all applications, but it does need to be clear about what it should own:

  1. Highly critical enterprise applications
  2. Applications that require specialist skills to manage and maintain
  3. Anything that touches the enterprise infrastructure

To bring those statements to life: if the business relies on an application being available to fulfil its business operations, then IT should own it. IT has lots of good processes that make this obvious (incident management, change advisory boards, etc.).

2. IT needs to have visibility of the application landscape

To ensure that different business units aren't buying different applications for the same use case, and to optimise technology spend, IT needs to know what's coming in and what's going away. It should maintain a portfolio of applications so that it has visibility of the total application landscape. This can be leveraged as new technology requests come in to check fit with the wider application landscape.

This doesn’t have to be an over-engineered portfolio and can start as simple as which departments own what.

3. IT needs to have hooks into procurement processes

In order for the other two points to work, procurement processes must include IT so that it can do a few things:

  1. Ensure that any technology meets IT, security and compliance standards
  2. Ensure the fit of any technology with the wider architecture
  3. Look for any duplication

In practice, this means that legal shouldn't sign contracts until new technology has been assessed, and procurement/finance shouldn't raise purchase orders without assessments either. These two teams act like goalkeepers, ensuring that IT gets involved in the process and is able to see what's coming in, decide who needs to own/support it, and judge whether it's the optimal fit for the organisation.

Governance is a spectrum. In this scenario, just enough governance reduces business risk, optimises spend, and supports an optimal technology architecture. Too much governance alienates IT's customers and drives shadow IT further underground.