By Duarte Begonha, Andreas Kopper, and Thanou Thirakul
Many companies have struggled to rein in their organization’s shadow IT—applications, such as spreadsheets and desktop databases, created and maintained by different parts of the business but without the IT department’s knowledge or engagement. Shadow IT represents a double-edged sword: these applications support critical business activities, and are likely to grow with the advent of modern and more robust cloud-based productivity tools; however, since shadow IT skirts the regular procurement, implementation, and governance processes, the applications can significantly increase an organization’s IT and security risks.
As companies contemplate a path forward, it’s worth acknowledging two truths: shadow IT is essential for business operations, and talent capable of creating applications often resides outside the IT department. Organizations must embrace this reality to begin the journey to capture the enterprise’s full potential for digital value creation and capabilities.
The causes and risks of shadow IT
With the COVID-19 pandemic and the increase in remote work, the demand for digital services has only grown. Since IT departments cannot keep up with their growing backlog, departments and functions have routinely taken matters into their own hands to support their own needs.
IT’s existing technical debt also plays a role. Some shadow IT applications are built as the glue between various siloed applications lacking features, enabling business departments to access them to support processes and decision making.
However, shadow IT can also increase an organization’s risk. Applications are frequently developed without proper IT oversight, so a security breach or noncompliant solution can incur significant damage. For example, the average total cost of a data breach, including business and technology costs, is $4.35 million.[1] Failure to comply with data regulations such as the General Data Protection Regulation (GDPR) can incur fines of up to €20 million or 4 percent of a company’s revenue.[2]
In addition to external risks, shadow applications exacerbate existing IT technical debt with phantom couplings, which occur when a shadow application uses data from IT applications without IT knowing about the dependency. Changes to the IT system the shadow application depends on can disrupt that application and, in turn, the business operations it supports.
Transforming shadow IT to be a strategic asset
Most organizations have two distinct sources of enterprise applications (Exhibit 1). On the “shadow side,” business understanding is translated into digital solutions—usually on low-code/no-code (LC/NC) platforms such as Excel—lacking IT governance and a structured development process.
A new and exciting world can exist when an organization’s IT function extends its software-development know-how to the “shadow side” by providing professional LC/NC platforms and embracing business developers. In this way, the IT department has a significant role in building out the organization’s IT ecosystem. Exhibit 2 shows the continuum of IT’s partnership to provide an enterprise-optimized landscape by extending its reach into the business. The no-code, low-code, and pro-code segments can provide a complete view of the enterprise’s development capabilities.
The reward can be immense. Imagine what business developers could build and innovate if IT provided the proper tools and guidance in terms of design, development, and security. Leading platforms such as Mendix or OutSystems would come with robust security and compliance capabilities that many big organizations struggle to achieve and that are difficult to implement in application development. With proper guidance, successful organizations could effectively replace shadow IT with business IT.
To do so, IT should evolve to accommodate business development with proper governance and agile principles to allow close alignment and quick iterations. Any introduction of lengthy processes and cumbersome decision gates can hamper innovation and speed, causing departments and work groups to run back into the shadows. Instead, organizations should find a middle ground, emphasizing the benefits of business departments and IT working together closely.
How business developers contribute to value creation
Business developers have three ways of generating value in collaboration with IT: augmenting existing applications, quickly prototyping new ideas, and using an LC/NC platform at enterprise scale (Exhibit 3).
- Augmenting applications means business developers in departments and work groups build applications to fill missing features in the core systems. For example, they could create a new front-end flow and connect it to existing core systems.
- Business is constantly changing, and prototypes can help the testing and evaluation of new ideas. When built on an LC/NC platform, a prototype can be translated into a production application quickly once an idea has been validated. Pro-code developers can step in to work on the more complex application areas to make it production-ready and can also help to create reusable components for future applications.
- When co-building applications of substantial size, business developers would be part of the team to define requirements, develop front-end flows, and provide low-code logic. IT provides the architecture solution, designs and fine-tunes the application, and performs complex technical work.
Enterprise-grade LC/NC platforms provide ways to customize and extend out-of-the-box capabilities. In exercising any of the preceding options, it’s tempting to pile on complex customizations, but such additions can degrade performance while impeding maintenance and future upgrades. Therefore, it’s essential to create guardrails and design patterns to offload complexity with proper abstractions. Modern architectural design involves, for example, IT building modular components through (reusable) microservices that can be consumed via APIs by LC/NC applications, therefore reducing development complexity.
Choosing the right platforms
Unlike pro-coders, business developers are not trained in software engineering. Therefore, the platform needs to be intuitive and support collaborative development from start to release. Modern application life-cycle-management capabilities should be included and easy to use. In addition, a platform’s vitality can be gauged by its rich resources and active community support.
A platform’s utility is amplified when it can connect to other systems and vice versa. The best platforms, therefore, should have the following attributes:
- out-of-the-box connectors available for major third-party systems
- custom development of connectors with the option to make them available in a marketplace for reuse
- ability for other downstream systems to connect to the platform via APIs and to create data exports for analytics use cases
When evaluating LC/NC platforms, organizations should consider many dimensions, but two are critical. First, “open for extension” is the ability of an enterprise to build features and modules that can plug into the platform without breaking future upgrades. Second, hosting models, such as on-premises, hybrid, cloud, multicloud, and software as a service (SaaS), should align with the enterprise’s target architecture and regulatory requirements.
Operating a low-code or no-code platform
The operating model should match different development types (low-code, no-code, and pro-code) with IT support along the journey (Exhibit 4). For example, IT may need to provide low-code or pro-code development to integrate solutions with a core enterprise system.
The model works because IT enables a level of support that isn’t too intrusive. However, it can be challenging to enlist experienced pro-code developers from IT because supporting LC/NC platforms may not be considered a good career move for them. Therefore, an organization needs to be thoughtful in creating a culture where pro-code developers are passionate about enabling fellow LC/NC developers and recognize the value they are creating. Last, establishing an active LC/NC community of practice for business and IT is essential to evolve the model.
Despite its utility, shadow IT poses a serious risk to all organizations. But enterprises have an incredible opportunity to transform it into an area of innovation and speed. The journey starts with taking stock of shadow applications and then selecting LC/NC platforms that fit the needs the shadow apps fill. Next, IT should provide business developers with pathways to leverage the new platforms. Finally, the organization should co-create an end-to-end operating model to reduce risks, maintain agility, and amplify the organization’s digital capabilities to deliver value.
Duarte Begonha is a partner in McKinsey’s Lisbon office, Andreas Kopper is an associate partner in the Vienna office, and Thanou Thirakul is an expert in the Toronto office.
[1] Cost of a data breach report 2022, IBM Security, July 2022.
[2] General Data Protection Regulation (GDPR), Article 83(5).