Shadow IT is not necessarily a threat to the enterprise – it can actually be an effective way to meet changing business needs and forge tighter alignment between IT and the business. Our 2016 Global CIO Survey showed that IT leaders have come to terms with the fact that they can’t prevent the incursion of mobile applications and devices, and are taking a new approach to managing shadow IT. Instead of trying to prevent employees from ‘going rogue’, they’re shifting their focus and resources to risk management.
They are doing this by working with the users themselves. In a huge 84% of companies surveyed, line of business (LOB) departments now employ their own IT staff to support their function-specific technologies and services. And in most cases, they have a strong relationship with the CIO. Almost a quarter of IT executives (23%) reported that they work on a daily basis with IT people employed by the LOB, while 41% do so at least weekly.
Securing shadow IT
However, distributing IT skills throughout the organisation is not enough to solve the security issues posed by shadow IT; an overarching strategy needs to be in place. Cloud services in particular introduce more risk into an enterprise because of ambiguity about where data is located and how it’s protected. In fact, 74% of CIOs surveyed cited security as the biggest challenge related to the increased use of cloud services.
One way to minimise risk is to identify acceptable apps and services. IT leaders can review cloud products and services for adherence to security best practices and put the ‘all clear’ vendors on an approved list that employees can refer to. Such a system gives users the autonomy to choose their own tools within certain parameters.
One company that took this approach and has made a successful transition to the ‘distributed IT’ model is financial services provider Western Union. Rather than block employees from using third-party cloud applications and services, Western Union rolled out a strategy to help its workforce take advantage of them. Called the Western Union Information Security Enablement, or WISE, the program involved bringing shadow cloud services into the light, approving them for official use, and adding the necessary controls and policies to secure them.
Information Security Manager, Mike Bartholomy, explained the sanctioning process to TechTarget: “We look at the individual service and determine what kind of security controls it already has and what it may need. We also look at what kind of data might be flowing through that app, what data would be considered sensitive and how we want to govern that sensitive data. [Then] we develop a policy for that cloud service.”
He adds: “The idea is to quickly get these services approved and secured so that employees can be productive and we can make sure they're using secure cloud services instead of ones that are [riskier].”
Convincing the board
Before CIOs can do any of this, though, the board needs to be convinced that endorsing shadow IT is a good idea – and it’s likely they’ll have a more cynical view. How do you explain to company management that rewarding employees’ rogue behaviour is a good idea?
Two words are key: security and productivity. If employees have the best tools for the job, job satisfaction and efficiency increase. And if these tools are authorised by IT rather than hidden from it, they can be securely enabled. IT departments have been trying and failing for years to eradicate shadow IT from their organisations, yet the trend has only increased. With the current rate of technological change, employees are always going to be able to find something newer that isn't blocked (and is probably a lot less secure).
The key is to trust the business units to choose the software and apps they need, and then assist them in making the most of these technology investments.