
Innovate Responsibly: How to Manage Shadow IT without Stifling Transformation

Ralph Duff

Senior Consultant, Risk & Compliance, EPAM

Boris Khazin

Head of Governance, Risk & Compliance, EPAM
Blog

For decades, shadow IT has plagued IT organizations, perhaps since the late 70s, when VisiCalc was released and made computing accessible to people outside the technologist bubble, quickly gaining momentum as a serious business tool. That turning point opened the door for innovation, as employees could now easily obtain and start using more user-friendly applications on their own.

Shadow IT comprises all IT projects that are run, and all applications and software that are installed, without the knowledge or oversight of the IT organization. More recently, shadow IT has extended to the cloud as companies adopt more SaaS applications and IaaS and PaaS services. Employees can now sign up for or download these cloud-based tools and have them running within a few minutes.

And shadow IT runs deeper than user-enablement software. Rather than rely on the in-house IT organization, departments outside IT hire external consulting firms, or even set up their own internal IT shops, to build custom systems. A lack of clear direction or consensus from leadership, and poor communication around SaaS policies, also make those policies hard for employees to follow.

In many ways, shadow IT has been a great benefit in maintaining competitive advantage and driving innovation, not only because of user accessibility and increased efficiency, but also because of the data insights these applications provide.

Employees, understandably, want to do their job as effectively as possible. So, if the systems, software and services in place aren’t meeting employee needs, they’ll push forward to find other resources, such as online analytics tools, web conferencing platforms and even HR applications.  

But if IT teams aren’t aware of third-party or home-grown software running in the shadows, they’re limited in their ability to protect the company’s systems. There is also no guarantee that the applications employees pick will interoperate with the company’s core applications. When applications pass through the IT organization, they undergo development, testing and assessment processes designed to reduce the risk of vulnerabilities; when they don’t, there is little assurance that they received the same due diligence.

As a result, untested shadow IT can compromise enterprise systems and data by expanding your attack surface. Such applications expose you to malware, make you more vulnerable to data breaches, increase your risk of open-source (FOSS) license non-compliance, break your cloud cost (FinOps) management and more. Considering the heavy penalties tied to data privacy regulation non-compliance and the other costs wrapped into shadow IT (research has found that it accounts for 50 percent or more of IT spending in large enterprises), IT teams are under immense pressure.

Pros:
  • Meets employee needs
    If the systems, applications and platforms already in place aren’t meeting employee needs, providing them controlled access can help fill very specific gaps to get their job done right.
  • Increases flexibility and efficiency
    Opening the door to more applications and software empowers employees to move faster and more flexibly, while, when it happens through a managed channel, giving IT teams more transparency and visibility.
  • Offers valuable insights 
    Oftentimes, the tools that employees typically use without IT oversight yield valuable data that can be turned into actionable insights for the organization. 
Cons:
  • Produces confusing IT policies 
    Without clear communication around SaaS policies, employees won’t know how to obtain software and applications safely, which can slow the innovation process.  
  • Compromises enterprise security 
    If employees don’t go through the proper channels, IT cannot perform due diligence on these applications. This puts the organization at risk by increasing its attack surface. 
  • Causes interoperability issues  
    Because the software is unvetted, it may be incompatible with an organization’s IT systems. It also makes it difficult to track where corporate data is stored, which adds to the organization’s exposure.   

Already struggling to stay vigilant while maintaining a portfolio of legacy systems, keeping up with rapid changes in technology and working with limited IT resources and budget, the IT organization must also figure out how to wrangle shadow IT.

This is the shadow IT challenge: Balancing the risks against the benefits of innovation. Traditional IT management models could address shadow IT—for example, IT teams could choose to block access to all unauthorized cloud vendors, lock administrative rights, shut down USB ports, enforce acceptable computer-use policies and set provisions for unauthorized software usage. Such a unilateral approach may work, but at a cost to innovation.

On the other hand, CIOs and CISOs can create an environment of cross-functional collaboration and innovation by effectively managing shadow IT. This requires a strategic vision directed from CIOs and CISOs as well as transparency around the risks of shadow IT. The initiatives to focus on to accomplish this include governance, education and training, vendor selection and risk management, and IT operations. 

Governance

First and foremost, your organization needs to establish governance around shadow IT so that there’s transparency and understanding around processes, protocols and decision-making.

This means creating new or updating existing documents (the information security management system, or ISMS, and system security plans, or SSPs, for example) to define ownership, responsibility and accountability for cybersecurity. With the proper checks and balances in place, you’ll have a better hold on shadow IT.

You should also develop proper training techniques in a way that promotes transparency. This will encourage employees to be more open rather than hide their activities.

Education & Training

Without employee buy-in, managing shadow IT and leveraging it as a means to create innovation would be impossible. One of the most critical things you can do is educate employees about the importance of security and how shadow IT can increase security risks.

Remind them that this isn’t about taking away the tools that help them do their job effectively, but about protecting the organization. The first step starts at the top: sharing with senior management how large a problem this is and putting the right governance in place.

Communicating that security is everyone’s responsibility, and training employees to practice the processes that you have clearly defined, will help to minimize the risks of shadow IT. 

Vendor Selection & Risk Management

Speaking of employee buy-in, consider designing policies and practices that allow for employee engagement in the procurement process of new software application/tool selection.

If you’re investing in vendor software, it’s important to budget for either internal or third-party vulnerability testing on the selected software and account for remediation efforts.

As you select new software, document its business purpose and function, along with an inventory of all the data it will handle and the classification of that data.

IT Operations

You’ll need to instill enterprise-wide protocols that keep certain business areas and divisions from accessing third-party applications that haven’t gone through proper security analysis and approval. In the spirit of transparency, this should be communicated to the entire organization. To protect the organization, part of the IT operations remit will include:

  • Managing the installation and acceptance of new software applications and tools
  • Monitoring the computing environment for non-compliance and violations
  • Establishing entrance and acceptance criteria for production release
  • Leveraging cyber threat intelligence services to find assets and data outside your known boundaries, including leaks (the outside-in approach)
  • Monitoring the network to uncover connection points
  • Offering sandbox policies as alternatives (without encouraging shadow IT)
  • Allowing amnesty and a safe path forward
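The monitoring items above (watching the environment for non-compliance and uncovering connection points on the network) usually start from data IT already has: web-proxy or DNS logs compared against the inventory of sanctioned applications. The following is an added example, not EPAM’s tooling or anything from the original post. It assumes a small sanctioned-application inventory keyed by domain, and all domains, users and log lines in it are constructed for illustration. It groups unsanctioned destinations by host, records which users touched them and how much data was uploaded, and flags hosts whose upload volume crosses a threshold as possible data egress. It also matches the inventory on a label boundary so that a look-alike domain is not mistaken for an approved one.

```python
"""Surface unsanctioned SaaS use from web-proxy logs (added example).

Assumptions: the inventory below stands in for the CMDB or SaaS-management
platform, and the log lines are constructed, not real proxy output.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed inventory of sanctioned applications: registrable domain -> app name.
SANCTIONED = {
    "office365.example": "Microsoft 365",
    "corp-crm.example": "Corporate CRM",
}

# Bytes uploaded to one unsanctioned host before we flag possible data egress.
EGRESS_THRESHOLD = 5_000_000

# Constructed proxy log lines: timestamp user method url bytes_out
# The last line is a look-alike host that must NOT match the inventory.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://mail.office365.example/inbox 512
2024-05-01T09:15:41Z bob POST https://api.notes-share.example/v1/upload 7340032
2024-05-01T09:16:02Z carol GET https://corp-crm.example/accounts 2048
2024-05-01T09:20:17Z alice POST https://files.quicksync.example/put 1048576
2024-05-01T09:21:00Z bob POST https://api.notes-share.example/v1/upload 2097152
2024-05-01T09:30:00Z dave GET https://office365.example.attacker.test/login 300
"""


@dataclass
class Finding:
    """Aggregated activity against one unsanctioned host."""
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0
    egress_flag: bool = False  # True once bytes_out reaches the threshold


def parse_line(line):
    """Split one constructed proxy line into (user, host, bytes_out)."""
    _ts, user, _method, url, bytes_out = line.split()
    host = (urlsplit(url).hostname or "").lower()
    return user, host, int(bytes_out)


def is_sanctioned(host, sanctioned=SANCTIONED):
    """Match only on a label boundary: 'mail.office365.example' is approved,
    'evil-office365.example' and 'office365.example.attacker.test' are not.
    (A production check would also consult the public suffix list.)"""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def find_unsanctioned(log_text, sanctioned=SANCTIONED, threshold=EGRESS_THRESHOLD):
    """Return {host: Finding} for every destination not in the inventory."""
    findings = defaultdict(Finding)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, host, bytes_out = parse_line(line)
        if is_sanctioned(host, sanctioned):
            continue
        f = findings[host]
        f.users.add(user)
        f.requests += 1
        f.bytes_out += bytes_out
        f.egress_flag = f.bytes_out >= threshold
    return dict(findings)


if __name__ == "__main__":
    for host, f in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        flag = " POSSIBLE-EGRESS" if f.egress_flag else ""
        print(f"{host}: {f.requests} requests, {f.bytes_out} bytes out, "
              f"users={sorted(f.users)}{flag}")
```

The output of a pass like this is a starting point for the amnesty conversation, not a verdict: a host seen once by one user is a question to ask, while a host receiving megabytes of uploads from several users is a candidate either for formal onboarding through vendor selection and risk management or for blocking.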

Shadow IT doesn’t have to be a detriment to the enterprise. Of course, the many risks associated with shadow IT cannot be ignored. But it is possible to employ shadow IT as a driver of innovation. The key is to foster a more collaborative and transparent environment, enabling employees to do their jobs with tools that work for them while still mitigating risks through a well-thought-out security strategy.
