Power of CIO threatened by shadow IT
Although shadow IT isn’t new at all, its character has changed and it is potentially becoming more
threatening to the CIO. Cloud services outside control of the CIO may create security and continuity
risks. Who will be blamed in case of a serious security breach or continuity issue?
I am afraid it’s still the CIO. How to handle this?
The past
Shadow IT is defined as all IT outside control, budget and often outside view of the central IT
department. It has existed already for decades and most probably will always be there.
In the past shadow IT consisted of incidental purchases and installations of hardware or software
without consent of the central IT department. Due to limited decentral IT budgets, the expenditure of
shadow IT was relatively small, as was its impact and risks. Owners and users were usually very
positive about ‘their own’ shadow IT. It served its purpose well and they considered it their baby.
When there was a problem, they didn’t dare to complain – knowing their baby was, in its sort, an
illegitimate child.
CIOs who tried to forbid or block this old style shadow IT made themselves far from
popular. Therefore most CIOs were inclined to tolerate this old style shadow IT and ignored it as long
as it didn’t become a serious problem.
What changed?
Since then, mobile devices such as laptops, smartphones and tablets were introduced. To create
maximum flexibility, organisations adopted the BYOD (bring your own device) approach and allowed
company software to be installed on user owned devices.
Access to company systems was granted to devices outside control of the CIO department. Security
became a serious issue.
Cloud services became available that offer solutions that are fit for purpose, cheap, and easy to
purchase and deploy: a credit card and a few clicks was enough. Consent or even awareness of the
CIO wasn’t needed. A new species of shadow IT was born.
Figures
83% of IT-users admit using shadow IT. 80% of IT managers believe they have successfully blocked
Dropbox. In reality only 16% have (Survey Skyhigh Networks 2015).
CIOs believe they control 80% of total IT spend. In reality it’s 60% (Forbes 2014).
80% of CIOs don’t know the extent of shadow IT in their organisation, 72% added that they would
like to know. 23% of the IT budget is currently spent on cloud services, 7,2% is spent on shadow
cloud, in other words: one third of the total cloud services in use has been deployed outside control
of the central IT organisation (Forrester, 2013).
New risks
Mobile devices are sometimes stolen, lost or left unattended at a bar. When no central security
system or policy is applied this may result in unwanted access to company systems. No hacking skills
are required.
When a user leaves the organization and corporate IT deprovisions that user in its directory, nothing
happens in the shadow IT user directory. If this is not remedied by whoever manages the shadow IT
solution, this former employee maintains access to potentially sensitive data (potentially a huge
security risk) while the organization is still paying for it.
In the past shadow IT was typically a minor independent initiative within a department. Modern
shadow IT cloud systems are widely spread and used across organisations. Business is becoming
more and more dependent on the reliability of shadow IT services. Many users are unaware that
these services are outside control of the department of the CIO. In case of failure the organisation will
point to the CIO. ‘I didn’t know’ or ‘It wasn’t my responsibility’ won’t be accepted as excuse.
Unlike old style shadow IT, cloud systems communicate with clients, suppliers, business partners
and/or public media. Incorrect, sensitive, private or other undesirable information could be
communicated to clients, competitors, financial analysts and public media, without the CIO knowing
it.
Again ‘It was outside my control’ won’t be accepted.
How to deal with it?
What should a CIO do to deal with these issues?
1. Don’t ignore shadow IT. Don’t wait for issues to happen. Take action now.
2. Look shadow IT right in the face. Assess the current situation (functions, systems, risks, cost)
of your shadow IT ASAP. How? There are skilled consultants and useful software tools around
to help you collect relevant information in a short period of time at a limited expense.
3. Don’t try to block shadow IT. Your colleagues are smart enough to find a way to go around
your blockade.
4. Build a cloud strategy. What cloud services does your organisation really need? Which
products and services could deliver the required services? Which ones perform sufficiently in
terms of security and availability? Make choices based on what people are already using.
5. Build a menu of available services. As long as your menu covers all needs, there is little
reason to use something else.
6. Build/extend a security policy that includes safety measures taking into account that mobile
devices are stolen, lost or left unattended and that services are deprovisioned when people
leave the organisation. Communicate your security policy properly to change people’s
attitude and behaviour.