When is Shadow IT a Problem?
If a CISO doesn’t have a Shadow IT plan in place, then Shadow IT is definitely a problem.
Most CIOs don’t have to look very far to see that unsanctioned cloud use is a problem. In “The Hidden Truth behind Shadow IT” by McAfee, IT personnel use unsanctioned cloud applications more than other employees, so even the people who should know better are part of the “Shadow IT” problem. If a CISO doesn’t have a Shadow IT plan in place, then Shadow IT is definitely a problem.
Many businesses have already learned hard lessons in data exfiltration from experience. One out of every five people polled has experienced a security-related incident in social media, file-sharing, backup or storage. We expect these problems will increase before most businesses act. Not all is lost, though. If a CISO can figure out why unsanctioned cloud use is a problem, then those problems can be addressed.
Despite their experiences of deep concern, more than 80% of respondents presumably feel justified in continuing to use non-approved services without ensuring that protective IT policies are applied…the end justifies the means,” the McAfee report notes. “Respondents’ reasoning is the same as everyone else: approval processes are too slow and the unsanctioned cloud apps are familiar and more functional.”
IT departments are their own worst enemy. Long processes and hard-line stances on policies discourage interaction. As a result, employees don’t communicate with their IT departments. To move faster and with less restriction, they create silos that contain their own internal experts who help them with IT problems.
The responsibility rests on IT departments to bridge the gap, but many aren’t up to the task.
IT departments need to reposition themselves. Employees aren’t subverting the department out of malice, they just want to meet their goals. Instead of being a barrier for employees, they need to create value. IT departments should be there to help.
Change needs to happen to adapt to cloud use. While the process can be difficult, IT personnel need to monitor unsanctioned cloud use, address it with employees, and then listen to their responses. Approval processes need to become faster and more flexible. And finally, steps should be taken to ensure that these lines of communication remain open.
Technologies for monitoring and controlling unsanctioned cloud use can be applied, but trying to shut down SaaS entirely isn’t feasible. IT departments should use Shadow IT monitoring to learn more about how to deliver value to each department and evolve with employees’ needs. Reverting back to “business as usual” is the easy thing to do, but it’s also risky. When IT departments lose touch with employees, they are complicit in creating security risks inherent in Shadow IT.