It’s funny—or at least ironic—that the term “shadow IT” sounds kind of sinister—i.e., “lurking in the shadows”—while the term “bring your own device,” or BYOD, connotes joviality.
Maybe it’s because “BYOD” looks like “BYOB.”
Yet both present similar, or at least parallel, possibilities and problems.
Why people bypass IT department
In both cases, these practices are motivated by a perceived need to get a job done quicker, better, and more efficiently using newly developed and newly available technology. With BYOD it’s generally new gadgets. With shadow IT, it’s generally new “as a service” offerings available in the cloud. [Read John Ginovsky’s recent blog, “BYOD’s saga continues.”]
Shadow IT has become entrenched, it’s generally said, due to individual lines of business perceiving the need to adopt new technologies sooner and quicker than their associated IT departments can test, integrate, and ultimately approve of them. In many cases, the business lines find out about the new tools way before IT ever hears about them. [Read “How IT audit can get the job done.”]
But it’s not a case of CIOs wanting to arbitrarily exert authority. As with BYOD, it’s a matter of security.
Why bypassing IT’s a big issue
“Shadow IT is a problem because it bypasses the IT staff who are responsible for protecting the security of enterprise IT resources and prevents proper enforcement of compliance with legal regulatory regimes, contractual obligations and other company policy,” says Larry Seltzer, a cloud security expert writing for the ZDNET.com blog.
It’s a big issue. Gigaom Research, working for CipherCloud, which specializes in cloud security, conducted a poll of workers’ use of “unauthorized” services. Among line of business employees, 81% admitted to using unauthorized software-as-a-service applications, and 38% of these deliberately went around IT in adopting applications because the IT approval process in their companies was deemed too slow.
“Organizations are moving beyond curiosity about the cloud to actual deployment,” says George Crump, Gigaom Research analyst. “SaaS is growing at 199% and is the typical home for shadow IT. It is growing because end-users are impatient with IT and looking for alternatives.”
Confessions of a shadow IT practitioner
Banks are not immune to shadow IT. Craig Stedman, executive editor for the SearchDataManagement blog, recently chronicled the experience of a former shadow IT worker at a bank. That bank staffer has since been transferred to his employer’s IT shop in order to lead development of enterprise data solutions.
He had been in a position where business executives in the bank’s consumer lending unit were looking for better business intelligence data to help in decision making. The banker reportedly said that the “execs gave the new team tons of cash to fund its work and free rein on how to proceed. They said, ʻWe need questions answered and we don’t care how you do it—just do it’.”
He and his team did it, all right, rapidly expanding from three people to more than 100. They reportedly “got to do cool things in direct support of business needs, with a heavy focus on analyzing sales and marketing data.”
The fact that such behind-the-scenes work produced tangible, positive results for the bank was not lost. Now this banker is using those techniques, but as part of the overall IT structure.
Balance of power shifts
That banker’s transfer, in a way, conforms to new thinking about the role of IT, and CIOs, in general. Logicalis, an international IT solutions provider, polled 177 CIOs in 24 countries, about these and related subjects. Some results:
• 57% of CIOs think line of business colleagues have gained more power in the last 12 months.
• 28% believe their colleagues already hold the balance of power in information and communication technology decisions.
• 64% believe the trend will continue over the next three to five years.
In response, Logicalis says, CIOs need to:
• Become experts in service integration: Lines of business will now want access to a growing number of market offerings delivering transformational line-of-business applications, making the selection, integration, and management of as-a-service as important as maintaining in-house technologies.
• Transform the IT skills base: They will have to recruit specialists with broader, business IT-oriented skills. They must actively reduce the level of technology their teams maintain in-house. And they must refocus the CIO role on strategic activities.
McAfee, the digital security company, has distinct advice regarding steps companies can take to deal with shadow IT risks:
• Establish an SaaS policy that aligns with your business objectives. A heavy-handed policy, one that seeks to shut down any SaaS usage beyond a limited number of approved apps, will likely backfire.
• Protect your enterprise in a way that is transparent and comprehensive. Look for tools that can track all web traffic; automatically provide proactive protection against malware; block undesirable web addresses; prevent outbound leakage of sensitive data; and enforce acceptable usage policies.
• Be inclusive, rather than exclusive. Build a policy around a security solution that can provide employees with secure access to a broad range of recognized SaaS options.
• Mitigate risks in commonly-used applications. Look for a solution that offers policy-based control over sub-functionality of commercial software. For example, allow users to access Facebook, but restrict the chat function. Or automatically encrypt files before they are uploaded to a file-sharing site, like Dropbox.
• Make sure your business units safeguard data and comply with privacy regulations.
• Implement identity and access protection. Rather than accumulating multiple passwords that inevitably end up on sticky notes, etc., find a robust identity and access management solution.
• Communicate. Once you’ve developed a reasonable policy that balances employee freedom with corporate protection, and implemented security solutions that are strong, yet nonintrusive, you will need to gain support from your employees and business leaders.
Share reports showing the threats you have staved off with your new security policy, and distribute media accounts of security breaches suffered by your competitors or other organizations within your industry.
If employees feel that your SaaS policy is reasonable and effective, they will be more likely to take pride in its success.
Sources used for this article include: