Shadow IT accounts for a significant amount of IT spending in most organisations today: spending that isn’t sanctioned and doesn’t go through the IT department. It’s a big issue for South African businesses, and the emergence of cloud technologies has further exacerbated the problem, as businesses can’t keep ahead of everything at the current pace of change.
During a recent “CISO perspectives” lunch for chief information security officers, held by TechCentral, McAfee and DRS to discuss shadow IT and securing the cloud, it emerged that users want what they want, and that means the tools they are used to. Some attendees said they need to use the apps they’ve built over the years, and more still will want to jump on the latest bandwagon, be it Slack or Teams, or one of the many collaboration tools and apps that are flooding the market. To continue using their solutions of choice, most users will try to work around security.
The problem is that these services don’t go through the business’s IT budget, and the business has no control over administering them.
To eliminate the problem of shadow IT, attendees discussed what causes shadow IT to happen in the first place. The general consensus was that users feel that IT isn’t serving their business needs well enough. In most cases, IT is too slow or not responsive enough to the needs of business users. It is focused on the cost of solutions versus the value they deliver, while the business is more interested in getting the functionality and capability it needs.
IT simply can’t operate at the speed of business in today’s world, so business users are getting their own functionalities and capabilities through buying shadow IT solutions.
When asked about their main concerns surrounding shadow IT, attendees were unanimous that data security is an issue, specifically when looking at cloud apps, where security and protection controls might not be up to regulatory or business standards.
Unsanctioned
Another top concern is where the data is stored, and how it is secured and protected once it’s in a shadow IT environment. Questions such as “Will the data be secured, and how?” and “Who can access it where it is stored?” are key. While organisations across the board have data security policies and solutions in place, employees might not take them into account when signing up for an unsanctioned cloud service. It’s no surprise, then, that everyone agreed that this puts the business at high risk.
There’s also the question of data distribution, as once it is spread between many cloud services, both sanctioned and unsanctioned, it becomes increasingly difficult to track and account for. For a business to protect its data, it must know what it has, and where it is. Information that the IT department doesn’t know about will be left out of business continuity and disaster recovery plans, not to mention audits and suchlike.
So, what can be done?
It was agreed that businesses are starting to listen to their users and trying to understand their productivity needs, and must find a way to deploy solutions that employees actually want to use.
Others suggested setting up a “shopfront” from within the business, to manage requests for new cloud services or applications. However, bearing in mind there are millions of developers creating applications all the time, the IT department simply can’t evaluate every single app.
The question was how to take that view and incorporate it into the business and create a pipeline to the user. This pipeline would give users the ability to request access to a service and for the business to then be able to quickly evaluate that service and bring it into the organisation based on a couple of criteria. And of course, it was agreed there will be some “no’s”. Users can’t have everything; there must be a minimum standard applied.
In addition, those services that are brought in need to be integrated into the environment as the business simply can’t have pockets that are unattached to the rest of the environment.
There was also agreement that with the ongoing consumerisation of enterprise software apps and services, there was a growing need to close the disconnect between IT and the business, particularly with legacy companies that were never IT-centric, and only really brought technology on board in the last 50 years. With businesses such as Google, Microsoft or Amazon, the differentiation between IT and business doesn’t stand out, as these companies were tech businesses from the start.
In conclusion, the CISOs agreed that forward-thinking companies talk about the business and its vision as a whole. When there is a siloed strategy there will always be shadow IT, with each department demanding its own preferred software and tools.
This can’t be solved in the short term. If everyone in the business has the same objectives, it won’t have a problem with shadow IT.
About DRS
Dynamic Recovery Services is an ICT services and cybersecurity solutions provider that specialises in providing innovation and agility in information security, IT risk management and IT governance. It provides security services with a portfolio that satisfies customer needs, from the creation of security strategy to the daily operation of point security products. It partners with market-leading technology providers to ensure the best supply of infrastructure as well as execute professional services, ensuring that the selected products are effectively implemented and operate efficiently in the business environment. Visit www.drs.co.za for more info or contact Tash Finnegan on +27 11 523 1600.
- This promoted content may have been paid for by the party concerned