In the upheaval of the last decade or so over the rush to the cloud (no, not that cloud, though rush-related), a similar development preceded it – and still runs on. It is the spectre haunting not only Europe (and certainly the deviant [all manners? ed.] off the coast, splitting but not drifting away like an iceberg would. Should…), but everywhere else as well: the spectre, depending on who you ask, of Shadow IT.
Which is facilitated through XaaS (SaaS/PaaS/IaaS/…) availability. But which is hardly ever allowed… allowed, that is, through being compliant with organisational standards. From anyone’s perspective but the IT club’s, it is not about breaking the in-house IT vendor lock-in barriers. Those were breached because the bounds were straitjackets. Don’t try to break those, just sneak out the back door. But it’s about the latter: seeking, on one’s own account, what wasn’t provided in-house. That was previously not ‘allowed’, but it was, IF the solutions sourced complied with the (mostly security) requirements set at the organisation-wide level, and set from the business side of the organisation.
Controls in or out of IT, required by IT to be implemented elsewhere, are about the particular IT solutions chosen. These are solutions to the problems identified in control objectives and controls, and the latter always have alternatives. So when, under these IT-dictated controls, your preferred solution cannot be made to fit (or only near-unusably awkwardly so), they do allow you, even in a sense require you, to go for shadow IT.
Which, hence, is permitted if and only if it is (security) controlled to at least the same level of control objectives achieved. So, some department might have to re-build all of the IT department’s load of overhead qua systems management, all of ITIL or even CObIT, all of … wait, not ISO 2700x – that is an organisation-wide thing already, or it is in fact a crappily implemented thing. So it covers the shadow IT as well, fitting the latter in under the umbrella of the former. That’s where the battle would need to be fought, if at all, since the shadow runners may very well have done a good job at running an outsourced-portfolio coordination team, neatly sheltering under the umbrella already. Showing the IT department how that’s done.
Possibly [hey I’m over-using the em-tag or what; ed.] doing it both proper and cheaper. Usually doing not the former, hardly the latter and certainly not the latter if the former is corrected. But sometimes, showing how; when IT told them that was impossible, they just did it. As good / better, and cheaper. Yes you can, to paraphrase some sorely missed leader.
In the interest of the organisation, sometimes shadow IT should be the preferred solution direction…
I’ll stop now before angering too many. And:
[The (black) details, are they essential? In a way, but could they be different or would you have chosen these in the first place …!? Prague]