Shadow IT Goes Mainstream
When you’re trying to get people to heed a warning about a subject nobody wants to talk about, it sure is helpful when every media outlet in the country picks up the subject, puts it into plain English, and turns it into breaking news.
This time the warning message was about “shadow IT.” For years CIOs have been sounding the alarm about proliferating applications, devices, and services put to use within a company without having been approved by IT. In banks especially, with their heightened security and privacy obligations, the scramble to develop the right safeguards and rules about shadow IT has been a top concern of the CIO and consumed a lot of IT time and budget, but the shadow kept expanding.
Then all of a sudden there was the State Department story about personal vs. work emails, and suddenly the subject was breaking news, front page, and the topic of op-eds in mainstream and technology journals. Cybersecurity and compliance experts popped up everywhere with their opinions. How safe are personal devices used in workplace settings? How to protect company information and still make access convenient for regular users? How to contain and compartmentalize risk from outside users of internal information? What are the relative risks of email senders and receivers?
It’s safe to say that now every American – and every bank employee – is aware of the ins and outs of shadow IT. But if the question is what to do about it, the answer is, bring it into the open.
According to a Skyhigh Networks study, the average bank had 844 cloud services in use last year – far more than many banks suspected. And you have to think that about 800 of them are cloud services purchased on individual employee credit cards. In other words, put into use within the bank, unsanctioned by IT – which then has to vet them after the fact. And if IT finds problems that force them to ban a particular service, they end up inconveniencing the very users they would really like to support. It is not a situation that will help bridge the proverbial “business-IT divide.”
And some employees, so accustomed to deploying technology on their own, can be remarkably complacent about security risks, as this bit of research indicates:
While many millennials said they were contacting their work friends through social media to be social, other millennials said they were contacting co-workers through noncorporate systems because the corporate security controls made their work so inefficient–and they hate bureaucracy wasting their time.
By bringing shadow IT into the open, bank CIOs accomplish two important obligations.
- They can identify the risks involved with the shadow devices and applications, defend against them, and put in place rules and policies accordingly.
- They can study the choices made in the shadows and better understand how IT’s current applications are not meeting the needs of the users, and collaborate with users on bringing in better solutions while protecting against risk.
So keep an open mind about shadow IT. Don’t underestimate the risk that might reside there, but don’t overlook the valuable direction and ideas it can offer.