Article Preview
TopIntroduction
Shadow IT is a phenomenon that gained popularity in recent years among both academics and practitioners. It includes all software (incl. Software/Platform/Infrastructure as a Service), hardware, or IT service processes which are used or created by business units (BUs) without alignment with or awareness of the IT organization (Zimmermann, Rentrop, & Felden, 2014). The term BU in this context includes all types of business entities (individual users and business workgroups/units/departments/ divisions) and is subsequently used for simplification. With the term IT organization, we refer to all company-internal IT departments, subsuming different design options of the IT department(s) (Winkler & Brown, 2014). Especially trends such as cloud computing, mobile IT, and IT consumerization made it easier for BUs to procure IT by themselves without requiring deep technical expertise (Andriole, 2015; Gregory, Kaganer, Henfridsson, & Ruch, 2018). This allows BUs to become more independent from the IT organization in cases where it is perceived as too slow, too expensive, or too restrictive (Kopper, 2017). This power shift (Fürstenau, Rothe, & Sandner, 2017) undermines the control an IT organization can exert in its organization. Thus, the phenomenon can potentially lead to inefficiencies due to heterogeneous systems and uncoordinated efforts, or security-related risks with a high impact on the organization (Gozman & Willcocks, 2015).
Considering the whole body of knowledge about Shadow IT, it is mostly viewed with a negative connotation, but both researchers and practitioners are increasingly dealing with its potential benefits (Kopper, Westner, & Strahringer, 2017). It can contribute to a company's innovative potential (Silic, Silic, & Oblakovic, 2016), lead to an increased organizational agility (Tambo & Bækgaard, 2013), or simply be a way to deal with shortcomings of corporate IT systems (Alter, 2014; Behrens, 2009). These aspects stand in contrast to the negative connotation of the term Shadow IT. Also, in practice the characteristics of Shadow IT systems can change over time. As soon as the IT organization detects a hidden system it becomes visible and is not “in the shadows” anymore. The IT organization may decide to either take over control of the system completely, leave it as is, or share responsibilities with the affected BU (Zimmermann, Rentrop, & Felden, 2016). Especially a division of responsibilities as described in the latter case does not fit to the definition of Shadow IT anymore due to the involvement of the IT organization.
There is still a lack of understanding of the differences and transition between “hidden” Shadow IT systems and IT systems openly managed by BUs themselves. Behrens (2009) tries to differentiate between “good” and “bad” Shadow IT but does not systematically elaborate on their differences. Haag and Eckhardt (2017) mention “overt” Shadow IT (which is conflicting from a terminology perspective), but primarily convey a compliance perspective. There is also a phenomenon to be observed in practice that IT control is deliberately shifted to BUs. Capgemini (2016) determined that in more than 60 percent of companies, BUs were given direct control for certain IT investments (such as consulting services for pilot projects). Gartner (2017) predicts that “through 2017, 38% of technology purchases will be managed, defined, and controlled by business leaders.”