Shrinking agency budgets and the wide-spread use of cloud computing are starting to address a long-standing problem for agencies commonly known as shadow IT.
Shadow IT is when employees deploy hardware and software without the permission and/or knowledge of the agency’s chief information officer.
But after decades of this cat-and-mouse game between field offices and the headquarters CIO, or in some cases with bureau CIOs, two factors are beginning to bring shadow IT out into the light.
Agency CIOs say one reason is bureaus and offices just don’t have the money any more to fund their own IT projects, whether small or large scale. The second, the CIOs say, is cloud computing, and how it’s making it easier and cheaper to build off of a standard platform.
“What I’m trying to change, at least at NASA, is let’s protect at an agency level the enterprise services first. I’ve implemented an enterprise-first program whereas any new IT requirements need to consider enterprise and shared services first. And if those don’t work, it can’t meet the requirements, then we can waiver out,” said Larry Sweet, NASA’s chief information officer, during a panel discussion Wednesday in Bethesda, Maryland, sponsored by AFCEA Bethesda. “By having that kind of rigidity in terms of new requirements that need to be met, hopefully that will address some of the shadow IT. If I can provide those under an enterprise umbrella and I can be smart in provisioning the IT in a way that meets the requirements, I think I can eventually chisel away at those [shadow] IT requirements. It is a partnership. I need to be able to sell this idea to stakeholders, to the folks who own the budgets, because I don’t own all the IT budgets at NASA.”
Sweet said NASA is trying to ensure its building a contract vehicle, a platform and a set of standards that can meet the bureau’s or office’s needs, and eventually the budget will strangle the shadow IT.
Lack of budget control can lead to unknown ITM
The challenge of controlling shadow IT is not a new issue, but one that hasn’t received a lot of attention over the years.
Many times CIOs struggle to control it because they lack oversight and accountability of the IT budget.
House lawmakers are trying to address this issue through the Federal IT Acquisition Reform Act (FITARA). The Senate version of FITARA also would give CIOs budget authority, but the White House, thus far, has not supported those provisions.
Sweet said if agency and congressional leaders want CIOs to effect timely change and do it in an efficient way, then they need to have budget control.
Rafael Diaz, who has been the CIO at the Department of Housing and Urban Development for just three months, said shadow IT was one of the first areas he was alerted about when he came on board.
Diaz said the cloud is changing the tone of the conversation when it comes to implementing separate hardware and software.
If the CIO is the CI-NO, then shadow IT rears its head, he said.
“This happens in private industry as well. Folks have their credit cards and they go out to Amazon and set up a cloud environment and start doing stuff. There’s no security, no process and they are putting out sensitive data, but they are getting their job done,” he said. “That’s where the CIO needs to come in and be able to say, ‘here’s how it’s going to happen,’ but we need to do it with discipline because security is important, because process is important, because repeatability is important, because accountability is important and because we don’t have enough money to wrong, we have to do it right the first time.”
Balancing act between innovation, standards
Diaz said the CIO has to understand the business owners’ goals, and roll out technology quickly and effectively. He said using the cloud to do that will help get quick wins and build momentum to get rid of shadow IT.
Panelists agreed that the historical development of shadow IT that is done without the CIO’s knowledge isn’t good for the organization and puts it at risk.
But the panel was split between implementing centralized control of all IT, and finding the right balance of giving field offices some latitude.
Sonny Hashmi, the CIO at the General Services Administration, said his office has been running a program to control shadow IT for the last few years, called the Jedi Council.
“CIOs need to figure out a mechanism where they can accept a certain amount of shadow IT because here’s the deal, the tools out there, the technology that are available are getting so sophisticated and so cheap with the cloud, it will be a whack-a-mole exercise all day long to try to clamp down on shadow IT all over the place because the fact is you can’t even detect now when somebody can dial into a service from their smartphone using LTE,” he said. “I want to create an environment where my business users feel like it’s okay and I’m not going to beat down on them if they are trying to get something done. I’m going to give them some leeway to go out and get these things done and then let’s be part of the conversation. Then either I’ll say, ‘your business case is so unique that you need this tool or four of you need this tool and nobody else does so you’re sanctioned to do so and we’ll keep tabs on you. Or gee, we didn’t think about this great tool is out there and we need to think about incorporating it into the enterprise.'”
Hashmi said the CIO’s office always will be behind the grassroots innovation because of policy, budget or just the size of any organization. He said if he’s not filling the business owners’ needs, then they will figure out how to get their jobs done without the CIO. So he uses this controlled shadow IT to understand where the gaps in IT exist and how best to fill them from an enterprise perspective.
Between 200 and 300 employees are working on shadow IT in the Jedi Council, particularly focusing on up-and-coming technology areas such as big data, mobility, analytics and others.
Hashmi said the volunteers must get approval from their supervisors to spend a certain number of hours per week working on these projects.
“It does help because it gives our organization better visibility into what the business lines are doing, and it helps us guide them and them to guide us on how we should evolve together,” he said.
IT transformation lessons
Hashmi said there are several instances where the council has helped GSA improve upon technologies.
“Some of the advanced analytics tools that we are looking at, we’ve had lots of investments over time in traditional business intelligence stacks. But they were just not cutting it in certain cases in like deep analytics and real time analytics,” he said. “So this Jedi Council and the larger community around it, helped us identify better tools. We actually did an acquisition for those tools, secured them and then offered them back as an enterprise solution.”
Hashmi said the community also helped GSA validate the usefulness of mobile apps. The council provided details about how they are using the app and its security and authentication protocols. GSA then used that information to decide whether to allow the apps to be used on its network more broadly or not.
Sylvia Burns, the Interior Department’s new CIO, said she agreed with Hashmi that CIOs must find the right balance of control and innovation.
Burns said Interior’s three-year effort to transform its IT infrastructure is providing some important lessons when it comes to managing shadow IT.
“The philosophy of our bureaus and offices — and we have 14 of them and they are extremely powerful — was ‘you know what, we don’t need that so much. We are optimized as we are and we’d really like you to go away.’ And we didn’t go away because there was a compelling argument about why we are trying to consolidate the common stuff,” she said. “Five months ago, I was meeting with the IT leaders in our bureaus and offices and they told me we’ve been through a lot because the way we were approaching our IT transformation was more like a hostile takeover. It created a lot of riffs in the organization and you can’t do big stuff if people are fighting you. You have to be together. So a lot of what I’ve been busy with in the last five months is repairing those relationships and getting us all to be together.”
Burns said the bureaus and offices said over the last five months that they agreed with the build once, use many philosophy. She said for these 14 organizations to have a consensus around this concept is a big deal, and if money wasn’t an issue, Interior likely wouldn’t have gotten that agreement.
Burns said the IT transformation is all about shared services for commodity IT in the cloud. She said the cloud creates a platform for the field offices to come to for help in analyzing new IT and potentially expand it to other places or even enterprisewide.
NASA’s Sweet doesn’t disagree with the need to balance control and innovation. But he said there is a fundamental question NASA, and really every agency, must ask about their workforce and shadow IT.
“Do I want rocket scientists doing IT? Do I want NASA engineers doing IT? Today they are. If they are doing that because they can’t get what they need from the CIO organization, then that’s a problem that needs to be solved,” he said. “We need to focus on our core capabilities today. Our budget doesn’t afford us to do business like we’ve done in the past. I don’t want to stifle innovation. But one of the things I wrestle with as a CIO is it is more costly to NASA and to taxpayers to have scientists and engineers doing IT. I’d prefer if they use enterprise services.”