Does your IT architecture partly consist of legacy systems, citizen apps, shadow IT or deprecated systems? Here are some of the pros and cons that you should consider before retiring an IT system.
To retire or not to retire IT systems. The answer is not always obvious. Every system or application has its reason for being, and it seems almost impossible to dismiss a system totally, at least without a replacement.
Whether an IT system should be retired or not, depends on several factors:
Do alternatives exist?
How does the retirement improve or change IT security and the work culture?
Do the economic arguments weigh in favor of retiring or upgrading a system?
Four categories of IT systems (“IT cultures” is sometimes a more appropriate term) often cause trouble, yet solutions exist to overcome these challenges. The four categories are not necessarily comparable and to some extent overlapping:
1) Legacy systems
2) Citizen applications
3) Shadow IT systems
4) Deprecated systems
An applied technology that has become outdated, as a technology of yesterday that has been taken over by newer operating systems, but are still in use for a variety of reasons. A legacy system is no longer for sale on the software market place, is not being updated and not supported by its creator.
Does anyone in the organization want to keep the legacy system?
Often a few super-users still cling onto outdated IT systems because it has appreciated features that newer systems don’t have. But the main reason is often that a change of systems also entails a change of culture and a new way of doing things. Change can be daunting, especially if employees are used to the old system and feel hesitant about new systems.
Are there any financial reasons for keeping the legacy system?
Smaller companies in particular may find it hard to allocate the necessary resources – in terms of time, money and manpower – to an upgrade. Despite the obvious downsides of keeping the legacy stack, it’s just too tempting to postpone the shifting costs for the upgrade and the necessary training in the new system.
The real problem is legacy code, when a system developer launches a whole new product, usually with a new name, to replace the old product, or when the creator of the legacy system is acquired by a bigger company with a similar product, the old product is being phased out and no longer supported. No bug fixes and no maintenance are carried out; and newer systems are not always backward compatible.
Does the business depend on the performance of the legacy system?
The most serious problem is that the legacy system can be an impediment to driving the business, because you can’t perform the workflows and because your data might no longer be 100% trustworthy.
Do you have the resources to migrate data?
The only proper way to deal with a legacy system that holds vital master data is through data migration, which can be time consuming and laborious. Appoint a project manager and set up a data team to provide a model of workflows and data processing.
Are there any extra benefits of data migration?
Yes. Provided that the data migration also entails a data cleaning and a de-duplication of data records, then you will not just acquire an updated system, but subscribe to good data governance that makes regulatory compliance easier, speeds up the efficiency and improves customer satisfaction because clean data means less manual work and fewer complaints.
Citizen development allows people with no coding or programming skills to create their own apps and software programs. Some known brands provide the opportunity to use low code/no code programming within their environment, and other suppliers have specialized in low code/no code tools with an easy-to-use, drag-and-drop interface.
Do citizen apps solve a problem?
Citizen apps fill a need for some organizations where certain tasks are better performed with a tailored software application than done manually with emails and spreadsheets. A simple and quickly designed citizen app can make people work more efficiently and provide a better workflow.
Do citizen apps save money?
Yes, in the short run. Small organizations often don’t need an enterprise solution that would not be used to its full potential.
The problems with citizen apps arise in large enterprises, where IT departments are seen as not responsive enough to the needs of employees. When creative employees request tools to work more efficiently or more precisely, and the IT department reacts with hesitancy, they can turn to create their own apps based on a low code platform. This might solve an immediate problem and benefit the company’s turnover, but the efforts of the do-it-yourself employees are not always appreciated for two reasons mainly: citizen apps represent a security problem and a data management problem.
Does the organization handle sensitive data?
All organizations store and process sensitive data, and citizen apps can be vulnerable to data breaches if they are not supported or protected by the IT department’s security measures – especially if IT doesn’t know about the application’s existence.
Does the organization have problems with siloed data?
Citizen apps can also become a data management problem, because they are data silos. When employees build their own databases – for all the best reasons – they eventually contribute to an often already fragmented data landscape, where data exists in separate systems across the organization and are not syndicated. The risk is that data exists in outdated or incomplete versions or as duplicates.
Do the citizen apps contain master data?
If the organization does not have a guideline for encompassing citizen apps within the official data governance, the apps can ultimately prevent the right product messaging from reaching vendors and customers, make regulatory compliance difficult and prevent good data governance.
Can the organization in any way embrace citizen apps?
If citizen applications are here to stay in large organizations, the IT department is basically left with two options. IT can either 1) stop the attempts by others to create their own uncontrolled IT environment by excluding non-sanctioned citizen applications or 2) mitigate the conflict by supporting the citizen developers and facilitate their work, thus overseeing security and integration into other systems. In some cases, an overarching system to manage the organization’s master data and keep all data updated across all systems and applications can be the tool for the IT Director or the CIO to reach out to the citizen developers and support them.
Does the organization have a data governance or data management policy?
Data governance and data management are imperative for any organization. With an appointed data protection officer, a team of data stewards and a set of guidelines for data security, the organization should be equipped to address the citizen application problem.
Someone might challenge the notion of calling shadow IT an ‘IT system’. And most IT departments will probably consider it something not to be retired, but to be uprooted. Shadow IT resembles citizen applications in many respects, but it has a broader sense and its usage is also more widespread. Shadow IT consists of employees and departments across the enterprise using their own hardware and software that is neither on the network nor known by the IT department. The most common occurrence of shadow IT is probably the use of cloud-based services, but also the use of private USB sticks or private email accounts is known to most people.
Does shadow IT solve a problem?
Shadow IT is typically used with good intentions. A department decides to use a cloud-based file sharing system to speed up collaboration, or employees save their work on USB sticks to be able to work offline. Cloud services can make people work more efficiently together. And because of the widespread use of cloud-based services, not all think of them as representing a problem.
Are there any organizational reasons for the existence of shadow IT?
Local dissatisfaction with the response time of the IT department and the same department’s lack of understanding of the daily challenges may also be an instigation to build alternative IT systems.
Does the IT department offer support?
IT departments can’t support systems they don’t know the existence of. Shadow IT is hard to control and to contain.
Are you concerned about hacking attempts and viruses?
USB sticks can contain viruses and hackers can find their way into cloud applications that are not covered by the same standard of organizational security.
Does the business rely on updated data?
When people hoard data in their own file sharing systems and spreadsheets, it is effectively prone to errors and becoming outdated. Shadow IT is a common source of duplicate and incorrect data.
Does the organization have a data security policy?
Because of security risk, shadow IT is never acceptable, when dealing with sensitive or confidential information. The IT departments should therefore take an effort in communicating the risks of shadow IT to the organization and issue reasonable and easy to follow IT security guidelines.
The advanced organization will acquire the ISO 27001 certificate. Being certified according to this high information security standard means that your clients can trust in you. Not only do you secure your own business from breaches and viruses, you also protect your clients’ businesses.
Does the organization provide the necessary tools to fulfil the need that is otherwise fulfilled by shadow IT?
The communicative strategy should be supported by making the necessary tools available for employees within a controlled environment. The IT department can secure a file sharing application and an online communication app as well as handing out encrypted hardware, have a password policy and in general be open towards discussing the IT needs of the employees.
Systems that were once purchased for good reasons, but are now used less frequently. It’s not uncommon that users operate maybe 80% of a system’s functionality at the time of its purchase, but after the core users have left the organization or new applications have taken over many of the tasks, only 20% of the system is used.
Has the system become indispensable?
As with legacy systems, deprecated systems might still be in operation because they store a sub-set of data that no other system supports. That might speak for its continued existence.
Is there a license attached to the deprecated system?
The problem is that it becomes harder to get a return on investment from an application that is being phased out. There is perhaps still a license to pay and maintenance to be done.
Is the deprecated system a data silo?
Systems that host data, but at the same time are used by very few people for few purposes, are in danger of hosting outdated and incomplete data.
Can data be migrated to another system?
You can choose to migrate your data into a newer and more capable application and dismiss the old system. This is not always a popular task when proposed, but it often has a convincing effect to consider pros and cons.
Can the deprecated system be integrated into other systems?
You can centralize data management, using a data hub that connects IT systems and allows them to co-exist. This architecture would allow integration with other systems, even external systems, optimizing workflows and securing updated information inside and outside the organization.
Generally, it is not advisable to have data residing in multiple systems without integration. The risk of operating with duplicate records and outdated information is too high, and the consequences too severe. A corrupted data set can cause wrong decisions to be taken and irrelevant information issued to customers, ultimately, damaging the organization’s reputation.
Retiring an IT system can have many non-IT related implications, economy being only one of them.
Legacy systems might have appreciated functions that are not easily replaced, deprecated systems can store important subsets of data, citizen apps can make employees work more efficiently and shadow IT solves problems in a hurry. But these reasons should be weighed against the obvious downsides, which are security risks and data silos. The only way to determine whether to retire or not to retire is to keep the end goal and the business impact in mind.