“Shadow IT” might sound shady, but there’s nothing nefarious about it; in fact, its existence indicates that a company is embracing an agile mentality, which is a necessary element for successful digital transformation.
Simply put, shadow IT is defined as IT purchases that are taking place without the express consent of the IT department. Rick Howard, chief security officer, Palo Alto Networks, said that some form of shadow IT has been around since PCs started appearing in corporate and government environments. But the emergence of cheap, easy-to-use SaaS solutions has hastened the trend. “With a simple credit-card purchase, an employee can buy a virtual server complete with an Internet connection,” explained Howard.
But while shadow IT is a good sign of a company’s overall health, that doesn’t make it any less of a headache for IT and executive management. Simply put, there are three components to effective security: points of enforcement, policies to enforce governance, and visibility. Shadow IT undermines the third. “You have a lack of visibility when you have a shadow IT organization,” said Rinki Sethi, senior director, information security, at Palo Alto Networks. “You may not know what applications that group is using. You may not know how they’re managing credentials.”
To move forward, successful companies are the ones that establish a solid working relationship between CIOs and the rest of the C-suite, so that the marketing department, for instance, doesn’t feel sheepish about signing up for new services. For its part, IT can be quicker and more responsive so that other departments don’t feel it is slowing them down. As Lucas Moody, VP and CISO at Palo Alto Networks, said: “Shadow IT happens because users want something and they feel like they’re not getting it from their IT services.”
How extensive is it?
The consumerization of IT means that all departments feel the draw of shadow IT. But none feel it as keenly as marketing. Gartner has predicted that the CMO will soon spend more on technology than the CIO will. Peter Horst, the former CMO for Hershey turned marketing consultant, noted that “shadow IT” is an unfortunate term, because it connotes doing something covert. “It should be less in the spirit of ‘I’m going to do my own thing because those bastards are slowing me down,’ and more about, ‘How do we get past the functional org chart, which really doesn’t fit the way we work today?’” he said in an interview with SRT. “We need to say, ‘What do we need to do to get the work done?’”
Despite swelling IT budgets for CMOs, a recent study from CTRL-Z found that CEOs are the biggest users of shadow IT. Some 75% of chief executives said they used apps and programs that weren’t approved by the IT department versus 52% of executives overall. Most said they used shadow IT to be more productive.
Such DIY implementations inevitably cause friction with the IT department. Business units on one side, and CIOs and CISOs on the other, have different objectives, with business units generally less concerned about security. Keeping the IT department out of the loop on such purchases leaves it unable to manage the resulting risks, undermines its job, and makes it look as if it doesn’t know what’s going on in its own company.
Alain Espinosa, a Dallas-based security expert, told SRT that CISOs shouldn’t tolerate any shadow activity without their knowledge, including connecting a non-secured device to the network. “It really is akin, to me, to walking into an office with a drill and an overhead light, drilling into the ceiling, popping an electrical wire and wiring a lamp to put on my desk,” he said. “If I did that, I’m sure people would say something.”
Paul Hill, principal project consultant with SystemsExperts, suggested that CIOs and CISOs often aren’t cognizant of the extent of shadow IT. “What we find in unregulated industries is that the IT department thinks they have things well in hand. But as we start asking questions, we find there are areas that they are just not paying attention to,” he said in an interview. Regulated industries have a higher level of awareness, according to Hill.
That lack of awareness could cripple a network, which is why Espinosa advocates a zero-tolerance policy for shadow IT. Espinosa said that CISOs and CIOs should get buy-in from the C-suite for such policies. If they don’t, then they should remind their fellow executives—at every opportunity—that they are exposing themselves to risk. If they do get buy-in, then CIOs should make it clear that they need to be in the loop on every purchase. To mitigate potential damage, they should also segment the networks, have a process in place to handle unauthorized devices on the network, and include those devices in the network-upgrade cycle.
Palo Alto Networks advocates a similar concept. Known as “Zero Trust,” the company’s approach—based on the work of John Kindervag—is to whitelist apps and people that are proven to be safe and useful to the business and to prohibit everything else. Departments that want to add new apps must make a business case for them.
Not everyone takes this approach. Some 81% of enterprises say their business teams are somewhat comfortable building mobile apps without IT’s involvement, according to a study from Canvas. Another 92% said their businesses had become more productive since adopting mobile business apps. By 2017, Gartner was reporting that some 40% of the IT spend was “shadow.”
As a result, IT analysts say that many CIOs are no longer trying to fight it. “At this point, shadow IT has become so pervasive and deeply ingrained in many organizations that CIOs would be best served by ensuring that all such efforts and engagements follow company security and governance guidelines,” said Charles King, president and principal analyst at Pund-IT.
King observed that CIOs often view shadow IT as a necessary evil. They also realize that it’s an implicit criticism of how they operate. “The central problem was that, in most companies, IT was simply moving far slower than technology tools or demand,” King said. “In many instances, if the behavior of IT had been mirrored in a company’s sales or marketing organizations, it would have been near bankruptcy or entirely out of business.”
Despite the temptation, Palo Alto Networks’ Moody said CIOs and CISOs should resist the urge to become more laissez-faire. He advocates making IT more responsive to remove the conditions that make shadow IT possible. “Naturally, shadow IT organizations will start to form when IT organizations don’t provide enabling services or functions,” he said. “Individuals feel like they need to self-empower.”
In Horst’s case, each business unit was cognizant of the need to communicate with IT, and IT was aware that it had to react quickly. The result, he said, was a great working relationship. “We were very agnostic about saying ‘this is a piece of technology so it belongs to [the CIO],’” Horst said. “It was about pursuing digital transformation, and that touches everyone.”
Palo Alto Networks’ Moody concluded that CIOs and CISOs should similarly look to accommodate workers’ IT needs so they don’t feel justified to take matters into their own hands: “Security’s got to be a partner and also an enabler.”