Dark IT is a more specific term than "Shadow IT" and self-explanatory. Dark IT is a threat to corporate interests for which the IT department is accountable. But the IT department can't do a damned thing about Dark IT in the absence of effective enterprise governance of IT (EGIT).
That's the issue we need to solve before we can address Dark IT.
Bob Martens gave me the term "Dark IT". Thanks Bob! I love "Dark IT": IT in which the IT department has no involvement (or less than we'd like), as compared to the broader "Shadow IT", where the department may or may not be involved.
- (Note 1: I use "distributed IT" to refer to IT that is done by business units with IT's assent and involvement.
Note 2: I know "department" is a woefully uncool word these days but it is clear and unambiguous. Substitute your own funky equivalent.)
In that post, Bob said
the traditional way of thinking of IT as a separate entity doling out technology to everyone else isn't going to cut it anymore.
The role of the IT department is still what it has always been: custodian of the massive investment / asset which is the corporate information, and the corporate technology to derive value from it. IT has a responsibility (and accountability) to protect the Confidentiality, Integrity, and Availability of that asset. We also have a responsibility to the organisation to ensure that use of that information does not present risk to the organisation, e.g. compliance, reputation, survival...
Bob went on to say
in order to better serve the people around you, you need to get working on mending fences.
Only partly true. Trying to reach out to business on its own will not solve anything. This is the common fallacy that pops up everywhere and is driving me nuts. I'm not picking on Bob: this idea is endemic. It's the equivalent of the mea-culpa middle-class guilt that makes people buy a Prius. Running after Dark IT is equally ineffective at fixing the problem it is supposed to fix.
Dark IT is not entirely the IT department's fault. Nothing an IT department does unilaterally is going to fix the problem. If we are trying to fix Dark IT alone, we'll continue to be on a hiding to nothing. It is essential that the organisation (not the IT department) puts in place policies and controls over the use of information and technology in order to protect itself, and that it empowers the IT department to be the agency to monitor and effect those policies and controls. I wrote about how to deal with Shadow IT here.
This is simple good business.
This is not happening in many organisations.
This will lead to serious problems.
If this governance of IT as an asset is not happening, then an IT department trying to be more helpful or nimble is as pointless as turning off your lights to stop global warming, or putting up sandbags against a tsunami.
In the absence of proper governance of IT by the enterprise, IT initiatives will achieve little or nothing to solve Dark IT.
There's your problem.
Instead of running around trying to be nicer and more helpful to an uncontrolled organisation, we should be investing our energy as teams and as an industry to address the EGIT issue. This is the single most important issue facing the IT sector and all other issues such as Dark IT are symptoms or knock-on effects.
Why do I feel so lonely (though not alone) saying this? What learned helplessness causes the IT sector to do so little about EGIT? What blinds the proponents of "IT heal thyself" to the fact that they are pissing into the wind?