The key is mutual trust between your security team and its constituents.
Shadow IT – tech used in an organization that is not administered by that organization’s IT department – accounts for the majority of the cloud tech at most companies. Understandably, the risk this implies might keep a security pro up at night; Gartner estimated in 2016 that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
But shadow IT is more than just a stressor for security teams. Shadow IT has as much to offer in benefits to an organization as it does risk; 97 percent of IT teams surveyed said their employees were more productive when allowed to use their preferred tools, and 80 percent said their companies should deploy more employee-suggested tools. In addition, the bottoms-up adoption path followed by shadow IT tools can reveal which are true winners, in a process that often moves faster than conventional procurement.
Managing the benefits and risks of shadow IT comes down to two balancing acts: balancing rules with culture, and balancing security with flexibility. Reaping the benefits of these balancing acts is only possible through mutual trust between the security team and its constituents.
Rules vs. culture
The default for most IT teams is a desire to issue hard and fast policies that ban the use of shadow IT. This default instinct typically stems from a lack of trust in their workforce. In practice, this almost never works, and only amplifies the culture of distrust. In a best-case scenario, employees respond to this stringency by ignoring the rule and using shadow IT in spite of the policy, then attempting to hide it, making it even harder to manage. The alternative can be even worse: a drop in employee morale and an increase in attrition.
The solution here is not to abandon rulemaking. Security teams must simply be more selective about the rules they do enforce, so the company’s most sensitive data and locations are protected. At the same time, they must cultivate a culture of collective responsibility within the rest of the organization, so that every individual in the company understands their role in security. This starts with providing transparency into the security posture of the company, and engaging with other departments to create a shared understanding of the needs of the business. The security team should understand what drives teams to adopt shadow IT tools, as much as the teams should understand the risks that those tools bring into their organization.
Cultivating this culture is not easy. Building a shared sense of responsibility is a perpetual process, requiring constant work by the security team as well as leadership. But that’s the nature of building a company culture; the hard way is the only way.
Security vs. flexibility
Most conversations around shadow IT fail to acknowledge a critical point; that IT team may not even be ready or equipped to bring the full array of shadow IT tools used by the organization under administration. This is where a strategy that includes a measure of flexibility comes in handy. Balancing security and flexibility is important not just because it keeps business teams happy, but because it allows the IT team to stay focused on their strategic priorities rather than managing the myriad tools of their constituents.
To put this balance into practice, follow a three-step process:
1. Discover
Start by developing an understanding of the landscape. Map out both your administered IT and as much of your shadow IT as you can find, and the data your company touches, both sensitive and non-sensitive.
2. Assess
Next, identify your risks and priorities. Within that landscape, what systems are important enough that they absolutely need to be centrally administered? What data is most sensitive and must be protected?
3. Focus
With an understanding of your priorities, map out a rubric of what qualifies newly added or discovered tools or data to require centralized administration. Identify the threshold outside of which the risk is reduced, and control does not need to be centralized. Ensure that this strategic focus is understood within the IT and security teams, but also across the organization.
This three-step process will help keep your team focused on its strategic goals, while preventing them from getting sucked into unnecessary administration of low-priority tools and data. It will allow the other business units in your company to use the tools they see fit, within reasonable boundaries. And most importantly, it will cultivate trust between departments, because inevitably, the landscape will change. And when it does, you’ll need those other departments’ help to rethink the strategy, re-establish security, and maintain the culture.
In a time when security threats have never been more complex and technological innovation is a competitive necessity, IT and security decision-makers today must walk a tight balance. Let shadow IT run completely free, and you run the risk of leaving important data unprotected. Lock out shadow IT completely, and you risk innovation stagnation. Only through developing a relationship of trust with the greater organization can organizations develop the right balance.