Considering that 96 per cent of UK CIOs say that business units have bought cloud services without informing IT departments, it’s no surprise that CIOs are becoming increasingly concerned about the impact Shadow IT could impose on valuable intellectual property.
Shadow IT – as the name implies – is the installation and use of applications by employees that operate in an organisation’s area of shadows, without the knowledge or approval of IT. These applications have not been vetted, authorised, controlled or supported by the IT team and therefore are often not in line with the organisation's requirements for data management, security and compliance. At the same time, shadow IT is considered by many as an important source for innovation, enabling the faster development of applications and tools not considered by the IT team, to develop a prototype way of working that benefits the entire business.
Shadow IT can lead to innovation with applications meeting the needs of the business, but also lead to risk. It is a balancing act for businesses, with each individual organisation needing to decide just how far they reside along the risk curve. By allowing – or at the very least turning a blind eye to – shadow IT, new working processes that can benefit the wider business may be found. However, shadow IT can also be a security nightmare. Especially when you consider that those members of staff who are likely to use their own solutions, will inherently be from the generation of risk takers and will be inherently less concerned by the need for all-encompassing security measures. So, how can businesses protect themselves from this laissez faire attitude to risk and how should businesses decide their own risk profile?
BYOD as a catalyst
In some ways, bring your own device (BYOD) is the one to thank, or blame for shadow IT. The result of allowing such personally chosen devices in the work environment has led to the creep of employee’s own chosen applications to access or manage corporate information and data. The general consumerisation of IT and the trend for staff to bring in their own devices has meant that every employee is now a potential user of shadow IT, easily deploying mobile applications. It is no longer just rogue, tech-savvy staff wanting their own tools. Shadow IT has recently become a broader issue.
A starting point for businesses wishing to mitigate the risk, is to ensure that their acceptable usage policies are updated to cover the modern day business, such as home working and BYOD.
Coming out of the shadows
According to Atos, 36 per cent of shadow IT purchases is being spent on file sharing software, 33 per cent on data archiving, 28 per cent on social tools and 27 per cent on analytics. Often, the use of shadow IT is down to impatience with the IT department, with the primary reason for shadow IT cited by respondents as the IT department’s inability to test and implement new capabilities and systems in a timely manner, thus smothering creativity and productivity.
The trend for businesses to move core processes to the cloud – and staff’s general acceptance of it – has also accelerated the prevalence of shadow IT, whilst at the same time made it harder to monitor. According to a recent survey conducted by Fruition Partners of 100 UK CIOs, 60 per cent of respondents said there is an increasing culture of shadow IT in their organisations, with 79 per cent admitting that there are cloud services in use that their IT department is not aware of.
A motivational force
It is wrong to discuss shadow IT without examining the benefits it can bring in innovation. A recent Frost and Sullivan report entitled The New Hybrid Cloud showed that 49 per cent of staff are comfortable using an unapproved application, because using them helps staff “get their job done more quickly and easily”.
The rise of shadow IT may actually inject a healthy dose of innovative thinking into organisations, so shouldn’t be disregarded from the start. The ability to test new approaches to business problems that could have a positive impact on the bottom line, is vital to employees at all levels. If they are encumbered by the need for permissions, or for budget approvals to get to the technology they need, things can stall at a time when market conditions change quicker than ever. Not to mention, shadow IT applications are often far cheaper than their ‘official’ counterparts procured through the IT department.
Some of the world’s largest companies are discovering that instead of trying to drive out shadow IT, it is best to embrace it as part of a wider culture of innovation. Adriana Karaboutis, VP and global CIO of Dell recently said: “I don’t chase shadow IT, I chase innovation. When you work in a technology company and have 110,000 best friends that understand technology well and probably even better than you do, you have to be out there working, listening and determining how you can create even more value for the employees and customers that you serve as opposed to being defensive about owning IT.”
I would tend to agree. The onus on forward-thinking businesses shouldn’t be on stamping out shadow IT, but rather encouraging employees to adopt and get the most out of their tools of choice in a secure and productive fashion.
Shining a light on the use of shadow IT
Especially since the advent of shadow IT – and the exponential rise of cloud applications – organisations need to be able to monitor an individual’s data flow at the most basic level, regardless of whether users are in-office or mobile. Solutions such as cloud application control (CAC) can provide businesses with this visibility and the ability to discover, analyse and control all the information staff are accessing or sharing – whether across authorised or unauthorised applications. It is about managing security risks without stifling innovation. By ‘following the user’, businesses can ensure that employees are safe and secure at all times, whether they are using authorised applications or those from the shadows.
About the author
Ed Macnair, CEO and Chairman of cloud security specialist, CensorNet, and led the acquisition of CensorNet in October 2014. He was previously the founder and CEO of SaaSID, a UK based single-sign on and application security vendor, which was acquired by Intermedia Inc. in September 2013. Before Intermedia and SaaSID, Ed was CEO of Marshal, a global web and email security company which merged with US web security provider 8e6 Technologies to form M86 Security. Ed has also held senior management positions with MessageLabs, Symantec, IBM and Xerox.