Application Portfolio Management (APM) Best Practices
Identify and address shadow IT - applications operating outside governance
Overview
Shadow IT - applications and technology services procured and operated outside the visibility and governance of the central IT organization - is a universal and growing challenge in enterprise environments. The proliferation of easy-to-purchase SaaS tools, the expansion of corporate payment mechanisms available to business units, and the acceleration of business technology needs relative to traditional IT procurement cycles all contribute to a shadow IT landscape that grows faster than any manual monitoring process can track. Shadow IT creates unquantified cost, unmanaged security exposure, unaddressed compliance risk, and hidden integration complexity that the organization cannot govern because it does not know what exists.
Best Practice
Invest in systematic shadow IT discovery and develop a process for bringing discovered applications under governance rather than reflexively shutting them down. Discovery approaches include financial analysis of procurement and payment records to identify software purchases, network traffic analysis to identify cloud services receiving organizational traffic, and structured business unit interviews. For each discovered shadow IT application, assess its business value, its security and compliance risk profile, and whether it duplicates a governed application or fills a genuine gap. Develop a disposition: bring it under governance if it is valuable and can be made compliant, migrate users to an existing governed alternative if one adequately serves the need, or retire it if it provides no value or creates unacceptable risk.
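A minimal version of the network-traffic discovery step, as an added example that is not part of the IF4IT text: it aggregates constructed proxy log lines per destination host, compares each host with a hypothetical governed inventory and SaaS catalog, and emits the disposition inputs the practice describes (governed, duplicate of a governed category, candidate for governance, unknown). All domains, users and byte counts are constructed.

```python
# Added example (not IF4IT material): aggregate outbound proxy traffic per
# SaaS destination and check it against a hypothetical governed inventory.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed governed-application inventory: domain -> (app, category)
GOVERNED = {
    "app.example-crm.com": ("Example CRM", "crm"),
    "storage.example-drive.com": ("Example Drive", "file-sharing"),
}
# Constructed SaaS catalog for categorising ungoverned destinations
SAAS_CATALOG = {
    "files.other-share.net": ("OtherShare", "file-sharing"),
    "board.other-tasks.io": ("OtherTasks", "project-management"),
}
# Constructed proxy log lines: timestamp user bytes_out url
PROXY_LOG = """\
2024-05-01T09:00:01Z alice 5120 https://app.example-crm.com/api/leads
2024-05-01T09:01:10Z bob 204800 https://files.other-share.net/upload
2024-05-01T09:02:30Z carol 1024 https://board.other-tasks.io/boards/7
2024-05-01T09:03:05Z bob 4096 https://files.other-share.net/upload
2024-05-01T09:04:44Z dave 800 https://unknown-vendor.example/login
"""

def summarize(log_text):
    """Per destination host: distinct users and total bytes sent out."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        _ts, user, bytes_out, url = line.split()
        host = urlsplit(url).hostname
        usage[host]["users"].add(user)
        usage[host]["bytes_out"] += int(bytes_out)
    return usage

def disposition(host):
    """Governed, duplicate of a governed app's category, candidate, or unknown."""
    if host in GOVERNED:
        return "governed"
    if host in SAAS_CATALOG:
        category = SAAS_CATALOG[host][1]
        if any(cat == category for _, cat in GOVERNED.values()):
            return "duplicates-governed"
        return "candidate-for-governance"
    return "unknown"

def shadow_it_report(log_text):
    """Ungoverned destinations with user count, bytes out and disposition."""
    return {host: {"users": len(u["users"]), "bytes_out": u["bytes_out"],
                   "disposition": disposition(host)}
            for host, u in summarize(log_text).items()
            if disposition(host) != "governed"}
```

The report's "duplicates-governed" entries are the migration candidates and the "unknown" entries are the ones needing a business unit interview before any disposition.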
Benefit(s)
Systematic shadow IT discovery and governance reduces one of the largest categories of unquantified enterprise technology risk. Unknown security exposures are surfaced and addressed. Unknown cost is quantified and rationalized. Compliance gaps created by ungoverned data handling are identified before they produce regulatory consequences. Business units whose shadow IT reflects unmet needs gain access to governed alternatives, improving their relationship with the IT organization and reducing the incentive to procure outside governance in the future.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present