When discussions on security enter the room, it’s all too easy to get a little paranoid. The web is rife with threats to the sanctity and safety of a business’s mission-critical information; modern organizations are besieged from all sides by a combination of hackers, spammers, scammers, and malicious insiders. It goes without saying that your IT department needs to do everything in its power to keep your business’s data safe – heedless of the consequences.
Not exactly. Thanks to a combination of mobile technology and the cloud, employees are now more empowered than ever. What that means from a security standpoint is that if an employee doesn’t like a solution their IT department has mandated – if they find a corporate application is too difficult to use or an encryption protocol too obtuse to deal with – they’re fully equipped to just discard the mandate and use a solution of their own.
And that solution isn’t always going to be particularly secure.
The Looming Threat Of Shadow IT
Because folks in the media positively love their buzzwords, this new business paradigm has been given an ominous moniker: Shadow IT. More and more, employees are using personal devices, third-party apps, and unsanctioned services. And they’re doing it without letting their IT departments in on the secret.
You shouldn’t blame the end user for this, though. If people are using unauthorized applications and devices within your business, it doesn’t indicate malice or ignorance on their part. Rather, it indicates that whatever security or productivity measures you’ve put in place simply aren’t doing what they need to.
That needs to change – and so does your perspective.
“CIOs must stop thinking of themselves as guards who are walking up and down in front of corporate assets as a sentry,” advises Forbes’s Dan Woods. “Instead, think of yourself as a staff officer on a mission. Security professionals must see themselves as enablers of the business, be present from the beginning, and seek to protect the most important assets in ways that make sense.”
I’m Sorry Dave, You Are No Longer In Control
It’s not surprising that Shadow IT has CIOs and administrators so nervous. It represents the greatest threat to their control of organizational security since, well… Honestly? There really isn’t an analogy that works here.
In a BT survey of 1,000 IT decision-makers, 76% of respondents reported “unauthorized shadow IT” within their business. 58% were further concerned that their roles could very soon become redundant, while half reported that their central IT budget has decreased by an average of $864,000 per year. According to BT, these figures represent the dissolution of the traditional relationship between business and IT – and CIOs need to adapt to it.
As an administrator, your job is no longer solely that of a vanguard. While you still need to make sure corporate data is well-protected, it’s far more important that you do so in such a way that you don’t impede your users. Archaic security practices that rely on the IT department being in complete control of their environment need to go out the window.
Instead of taking a device-centric approach to security management, you need to take a user- and data-centric approach. You need to understand that you’re no longer in control of what your employees do and how they do it. You can no longer effectively mandate what applications they use, what devices they connect to your network with, or what networks they connect on.
What you need to do instead, says Absolute Software’s Ryan St. Hilaire, is focus on the user, especially where mobile is concerned.
“If you shift [your] perspective, you’ll see that a user’s requirement is to have the same data on each device,” he writes. “Focusing on the device adds an unnecessary layer of complexity. Instead, if you have one solution that can secure all devices while focusing on managing risk at the user level, you’ll end up with a far stronger, more manageable security solution.”
Embracing Your IT Department’s Shadow
Shadow IT exists for a reason. It isn’t simply the result of ignorance and arrogance on the part of rogue users. Businesses need to understand that – and more importantly, they need to embrace its presence as a driver of organizational change; a sign that they must make their security solutions and corporate applications more usable and user-centric.
“Usually, employees that decide to engage in shadow IT don’t have bad intentions,” writes CIO’s Tom Kaneshige. “They do so because what they’re getting from corporate IT isn’t good enough: corporate-issued devices and apps are clunky, enterprise security measures ruin the user experience, and IT is too slow to respond to requests.”
By working together with the rest of their organization, IT departments can gradually change this perception, and make everyone more productive and effective in the process.