Shadow IT in your organisation: Racing to a red light?

Shadow IT – a term used to describe the proliferation of locally implemented IT systems without enterprise governance oversight – is now a fact of life in most organisations. The problem is that the benefits and risks of shadow IT can both be significant.

Shadow IT may fill a local business need and help the organisation remain competitive and agile at a local level. It also elevates the real risk to the whole organisation in a number of ways. This includes (but is not limited to) considerations such as:

  1. Proliferation of data islands. Each data island has its own characteristics. These may include their own data architectures, access and security controls or backup and recovery processes, all of which add to the technical complexity, cost and effort of any future integration with other enterprise systems. Don’t think it’s a problem? Think again.
  2. Increases the total, aggregated cost of information and digital technologies across the whole organisation.
  3. Voiding your cyber-insurance policy. Shadow IT could be regarded as contributory negligence for not maintaining effective risk, technology and business governance.

Put another way, data breaches and adverse information security events continue unabated. No industry appears immune from adverse information security events.

The bottom line is that many organisations’ information security practices are lagging behind the rapid uptake of IT by employees. This is fuelled in part by Shadow IT.

Maintaining information security effectiveness is also influenced by organisational culture. A high rate of employee disengagement, an increase in part-time employees and contractors, as well as the rapid rate of technological change, all contribute to the challenge of maintaining the effectiveness of security controls.

As organisations increase their use of modern digital and information technologies, their dependency on these technologies increases. Is information security seen in the same light?

Information security is your job, IT – we’ve got a business to run.

Enterprise IT departments, once the bastions of centralised control over all matters IT – including information security – are no longer king of the castle. Armed with a credit card, managers and users now have a choice.

The dilution of enterprise IT decision-making authority has been fundamentally driven by factors such as:

  1. Users having immediate access to useful, enterprise-ready technologies (mostly cloud based);
  2. Increasing impatience by managers and users of their own internal IT departments, unable to meet business demands;
  3. Increasing focus by organisations on short term results. This biases decision making towards short term priorities at the expense of the medium to longer term, and
  4. Federated IT structures, often taking the form of outsource providers, IT staff and IT executives operating across a diverse range of global locations. Orchestrating and effectively managing culturally and geographically diverse teams across a range of organisations is fertile ground for breeding information security vulnerabilities, whether self-inflicted or the result of an external attack.

Shadow IT: Sorry – it’s working for us!

The evidence is that the major causes of adverse cyber incidents are people-related. One contributing factor is Shadow IT.

So information security breaches have less to do with technology and more to do with other people and organisational factors.

These include individuals’ behaviours, lack of expertise, ineffective training, leadership effectiveness, inappropriate incentive schemes and business processes, to name but a few.

The fact is, maintaining effective enterprise-wide information asset protection relies on collaboration across the entire organisation. This extends beyond your own employees to contractors, part-timers, outsourced IT providers and the like. One consequence is that both the benefits and risks of shadow IT are better defined – thereby contributing to getting the balance right.

Merely putting all staff through a security awareness training program offers little real protection against adverse cyber events.

The benefits and risks of shadow IT – Getting the balance right.

What can business owners and executives do to fix this persistent problem? Here are a few takeaways:

  • Encourage Shadow IT!  Astute leaders recognise that Shadow IT is often filling a legitimate local business need.
    • Systematically identifying the rationale for Shadow IT on a case by case basis has the potential to drive innovation, improve IT-business engagement, solve real problems and drive other benefits to the organisation as a whole.
    • Work towards encouraging Shadow IT in a controlled environment where its potential to add value can be rapidly assessed with known risk and cost.
  • Treat Information Security as everyone’s responsibility. Adopting a multidisciplinary, enterprise-wide approach to data and information security is key. One key aspect is educating everyone about both the potential benefits and risks of shadow IT.
  • One size does not always fit all. Design and implement enterprise-wide information security policies, processes and technologies that are granular enough to focus effort where needed and shown to be effective. In certain instances, a ‘one size fits all’ information security policy may just add cost, inhibit flexibility and elevate your overall risk. Test underlying assumptions as to their efficacy and business benefit.
  • Review individuals’ incentives. Incentives (financial or otherwise) drive leadership and staff behaviours. In transitioning to a resilient and effective information security aware organisation, it is crucial to ensure that individual incentives are aligned with expected competencies, behaviours, business results and each person’s individual contribution. It’s not ‘someone else’s job’!

Expecting your CIO to take care of enterprise-wide information security on behalf of the organisation is a sure way of ensuring that your organisation remains vulnerable to adverse cyber incidents.

The bottom line is that any executive who recognises the critical but limited part that technology plays in ensuring ongoing enterprise-wide information security is taking a step in the right direction.

The question is, is the rest of the organisation following in the same direction? If so, are both the benefits and risks of shadow IT given due consideration?