Transitioning to Business-Focused IT: 4 Keys To Eliminating Shadow IT

Next-gen projects in mobile, cloud, big data and social are capturing more corporate attention -- and resources. As a result, savvy tech execs are taking new steps to balance the need for innovation with security and governance needs – and reduce the growth in Shadow IT. Ryan Ward, CISO at Avatier, shares some key tips for transitioning to ‘Business Focused IT’.

Tags: architecture, Avatier, governance, IAM, SDLC, security, shadow IT

Ryan Ward, chief information security officer, Avatier

"Tighter business and IT alignment is no longer a ‘nice-to-have.’ It is now a ‘must have.’"

In this article, I highlight broad IT-related culture and process changes that can help organizations deliver greater capabilities by engaging with the business.

Becoming a business-focused IT department requires both

  1. a holistic change in approach throughout several areas of IT, and
  2. strong commitment and leadership throughout the organization to drive and enforce business unit accountability around technology decisions.

Developing strong partnerships between IT and the business throughout an entire project places accountability with the business, while also ensuring IT understands the project requirements and delivers the appropriate solution. If the business is not engaged throughout the project and held accountable at each of its stages, the goal of business-focused IT will not be realized.


Because security is now top-of-mind for both IT and business users, it provides a clear illustration of why joint IT-business engagement matters through the entire process.


In many situations, business units are more than willing to choose the types of solutions they want to use, but they often remain unwilling to engage in risk-based discussions about those choices. To close this gap in joint risk evaluation, processes must change so that controls apply to both IT and the business: the business unit that selects a solution also takes part in assessing its risk and owns the resulting decision.

Even when business units report great results from going around IT (Shadow IT), companies need to re-establish better relations between IT and the business and pull the business back into working within formalized processes. Not only will this give IT better control, it will also provide deeper visibility into the business's needs. Through stronger engagement and partnering, Shadow IT will slowly fade, but keeping it from returning will require ongoing engagement from IT.

Success from 4 Crucial IT-Related Disciplines
We’ve identified four crucial IT-related disciplines that will help organizations recapture control from a Shadow IT culture. Done correctly, with a more mature and intertwined approach, they will also prompt the business to take on more accountability.


These 4 areas are:

  • Leadership
  • Enterprise architecture/Standards
  • Information security
  • IT Business partner functional development

Let’s take a look at how each can form the foundation of better IT/business relationships.


1. Leadership

In order to become closely aligned with the business, IT leadership must take the lead to “sell” the benefits of a business approach. At the same time, IT leadership must be strong enough to say no to the business when appropriate.


Gathering support from C-level executives and other business unit leadership will be required to reach this vision, but it will ultimately benefit the organization by lowering risk, placing some accountability in the hands of the business and ensuring they have some skin in the game to help deliver projects successfully.


2. Enterprise architecture/Standards
Without well-defined, established architecture standards, it will be difficult for IT to earn the business's trust when it questions a proposed business solution. Educating the business on basic technology standards, and the reasons behind those standards, will help them understand why certain technologies might not be good fits for the organization.


And by educating, we do not mean speaking to them in deep technical terms. The best way to influence and educate them is to speak in their language in the context of financial and risk-related terms.


Architectural standards, defined in the terms of what’s important to business (not solely in terms of what’s important to IT) will provide an easy cheat sheet for business units to use when they venture off and look at solutions on their own.

With today’s headlines filled with news about security, your discussion about “security architecture” is an opportunity to relate your business risks to real-world security concerns. This type of discussion will also relieve some of the “bad guy” stigma surrounding the security team.

3. Information Security
Along with defining security standards, security personnel should be engaged early in any solution discussion. A range of security questions will affect how the business operates.


Topics such as access, authentication, encryption, process changes, disaster recovery (DR), compliance and integration with existing IAM or other security technologies are all important, and each can affect business operations with customers, partners and suppliers in different ways. If business users are not involved in the actual vendor/product evaluation, it is very beneficial for the security team to brief them on all of these topics and on how specific risks could affect their business.


These reviews need to be formally embedded in SDLC/project methodologies. An escalation procedure should be defined so a specific role/person is ultimately accountable for accepting or declining risk when the business does not agree with the answer from the security team.

Of even greater importance is the need for security professionals to speak to business stakeholders in terms of “risk.” Further, these professionals should help business evaluate the risk or impact of a particular technology choice on operations – and offer alternatives and compensating controls when a solution might not meet all of the requirements on paper.


This connecting of the dots between architecture and business operations is frequently undervalued. Often, in fact, security professionals take a black-or-white approach to evaluating security. Far from encouraging collaboration, this stern approach builds barriers between them and the business, and in the worst cases even with others in IT.

4. IT business partners
The IT business partner is a growing role in organizations today, and implementing this type of function is important to ensure business requirements are translated appropriately to IT. A business partner does not necessarily need to be a full-time, defined position, but it should be a functional duty within IT to build business relationships and understand business processes. These business partners should help enforce accountability within the business, and also manage IT effectively so that IT delivers business capabilities rather than just technology.

In conclusion, let me emphasize that tighter business and IT alignment is no longer a “nice-to-have.” It is now a “must have,” because such cooperation is needed today for the overall company to compete effectively.


To achieve this IT/business alignment, IT needs to loosen the reins of control around solution decisions while also pulling the business back from rogue projects, or “Shadow IT,” into IT projects. At the same time, the business needs to be more accountable, and encouraged to take on more responsibility for assessing and mitigating risk as it pushes to meet business needs.


When IT and business engage with each other in this constructive way, it sets the stage for more innovation and measured risk-taking. It will also reduce finger-pointing between the two groups if a project goes awry.


Ryan Ward is CISO at Avatier, a provider of identity management solutions. Ward is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP), and is responsible for security initiatives as well as the strategic direction of identity and access management and security products. Connect with Ryan on Twitter at