Shining a Light Into IT’s Shadows

It seems every week there’s another study or headline highlighting how shadow IT is an ever-increasing concern for IT teams. And, despite this, CIOs and CISOs remain blissfully unaware (well, blissful until a breach or regulatory finding pops up) of the extent to which shadow IT is actually running within their organization.

Just last week in CloudSentry, Alison Arnott wrote in “Who knows what evil lurks in the heart of the cloud?” about a recent report from ESG which found that 65 percent of IT professionals said they are not aware of either a significant or moderate number of rogue cloud applications in use within their organizations. Not good. But this is also an opportunity.

We know that such shadow IT can pose significant risks to an organization. When cloud services and custom applications are running in the cloud without the oversight of IT, especially systems and apps that handle critical intellectual property or regulated data, these risks are quite high. It’s something that all organizations must get a handle on – not just to reduce those risks but to better serve the organization as well.   

Therefore, to get a handle on shadow IT security, reduce the associated risks and better serve the business-technology needs of the enterprise, it’s important to first understand why staff are deploying their own cloud services. It happens primarily because IT isn’t delivering technology services as swiftly as business users need. Consider an OutSystems report published earlier this month which found that more than three-quarters (76 percent) of IT professionals say their organization takes more than three months on average to develop a mobile application. Eleven percent cited one year.

And we often hear of the same backlog levels when it comes to getting storage and virtual workloads deployed by the IT department. The inconvenience of this lag is why more workers than ever are turning to shadow IT. After all, waits of that length aren’t acceptable, and one can hardly blame workers for taking the initiative to do what they need in order to do their jobs well. But this doesn’t change the fact that, no matter how noble the intentions, shadow IT can and does create enterprise risk.

What’s the best way to shine a light into shadow IT? First is to realize that shadow IT is often a cry for help: employees are seeking ways to get their work done more efficiently. This means, first and foremost, shadow IT is an opportunity for IT to see what services, apps, and features users need most. That information should tell the IT team which areas business users need the most support in, how to allocate cloud services in the future, and how to best serve the business overall.

For this reason, instead of immediately shutting down any uncovered shadow IT as forbidden and telling users and lines of business that they’ll have to get back in the queue and wait for IT – consider whether the app really calls for a draconian crackdown. And if it does, then so be it. But help the enterprise find a way to quickly bring the shadow apps or services that staff are using into security and policy compliance.

Whether apps pose a risk or are acceptable for use will always be a point of contention, and most organizations have varying levels of risk acceptance. But certainly some classes of data deployed to the cloud need to have the appropriate controls in place, notably significant intellectual property, customer financial or health data, and anything material to earnings reports. And just because data resides in the cloud doesn’t mean that the risks associated with data management go away: data availability and service availability, system vulnerability and configuration management, disaster recovery and business continuity, and so on. So the question becomes: how do IT teams harness the innovation that their internal customers are trying to create while also obtaining the necessary level of governance over the shadow IT systems growing within?

What to do? The first step is to get an accurate accounting of all of the cloud systems and apps in use in the enterprise. Get to know which systems hold the most valuable data, regulated data, and customer data. Map where this data resides in public and private clouds and which software services support which data types.
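As an added example (not from the original post), the script below shows one concrete way to start that accounting from data most enterprises already have: the web proxy log. It reads constructed, Squid-style access log lines, collapses each destination to its registrable domain, drops anything on an IT-maintained approved-services list, and ranks what remains by how many distinct users touch it and how many bytes they upload to it. The log lines, the approved list, the two-label domain collapse and the 1 MiB upload threshold are all assumptions for illustration; a real deployment would read the proxy or DNS logs and use the public suffix list for domain collapsing.

```python
"""Shadow-IT discovery from web-proxy logs (added example, not from the post)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log, one request per line:
# "<epoch> <user> <method> <url-or-host:port> <bytes_sent_by_client>"
SAMPLE_LOG = """\
1700000000.1 alice GET https://mail.corp-approved.example/inbox 512
1700000001.2 alice POST https://upload.pastelike.example/api/v1/files 204800
1700000002.3 bob POST https://app.randomsaas.example/login 1024
1700000003.4 bob POST https://upload.pastelike.example/api/v1/files 1048576
1700000004.5 carol GET https://docs.corp-approved.example/ 256
1700000005.6 carol POST https://api.randomsaas.example/projects 4096
1700000006.7 dave CONNECT cdn.randomsaas.example:443 0
"""

# Assumption: the sanctioned-services list is maintained by IT.
APPROVED = {"corp-approved.example"}

# Assumption: flag any unsanctioned service that has received more than
# 1 MiB of uploads, since that is where IP or regulated data leaves.
UPLOAD_THRESHOLD = 1024 * 1024


def registrable_domain(target: str) -> str:
    """Reduce a URL or host:port to its registrable domain.

    Assumption: two-label collapse ("upload.x.example" -> "x.example").
    A real deployment should use the public suffix list instead.
    """
    host = urlsplit(target).hostname if "://" in target else target.split(":")[0]
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (user, method, domain, bytes_sent) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip junk rather than abort the whole report
    _ts, user, method, target, sent = parts
    return user, method, registrable_domain(target), int(sent)


def discover(lines, approved):
    """Aggregate users, requests and upload bytes per unsanctioned domain."""
    seen = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, method, domain, sent = rec
        if domain in approved:
            continue
        entry = seen[domain]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # only count bytes that are uploads
            entry["bytes_out"] += sent
    return dict(seen)


def rank(summary, threshold=UPLOAD_THRESHOLD):
    """Order unsanctioned services by adoption, then by upload volume,
    and flag the ones that look like data leaving the enterprise."""
    rows = [
        {
            "domain": domain,
            "users": len(e["users"]),
            "requests": e["requests"],
            "bytes_out": e["bytes_out"],
            "exfil_risk": e["bytes_out"] > threshold,
        }
        for domain, e in summary.items()
    ]
    return sorted(rows, key=lambda r: (r["users"], r["bytes_out"]), reverse=True)


if __name__ == "__main__":
    for row in rank(discover(SAMPLE_LOG.splitlines(), APPROVED)):
        print(row)
```

The ranking deliberately puts breadth of adoption first: a service three teams already rely on is the one IT most needs to either sanction or replace, while the upload flag points at the cases where data handling controls, not just procurement, have to be sorted out. On the sample data the second-ranked service carries over 1 MiB of uploads from two users and is flagged, while the most widely used one has not yet received meaningful uploads.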

When you find shadow IT, whether it be cloud servers, storage, platforms, or even custom apps, and determine that it creates too much risk or isn’t compliant, the first goal is to bring the cloud service into the enterprise fold in a way that is secure and compliant. Perhaps even provide the business units with ideas on how to achieve what they want in more effective or efficient ways.

When a light is shone on shadow IT like this, it’s critical that the IT and security teams don’t automatically swing the ban-hammer and, instead, become supportive of the business. I’m sure you’ve heard that security is too often the department of ‘No’; that can be just as true when it comes to shadow IT. By taking the supportive path, IT becomes part of the constructive business conversation and business units get the services they need, while costs, service quality, and risks are also properly controlled.

About George Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. For five years, Hulme served as senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.