What Business must do when IT goes Shadow dancing

Sep 1, 2015

Shadow IT
–Brian Pereira

A few years ago we heard about BYOD (Bring Your Own Device), and now everyone is talking about Shadow IT, or Bring Your Own IT. There’s a trend of more employees working outside the office, be it from a hotel room, a customer site, a café or from home. And these road runners are building their own IT infrastructure, using personal clouds for storage and helping themselves to software applications off the cloud; Excel spreadsheets and PDF docs are exchanged over email. Heavier files like images, voice files, and videos are transferred over cloud-based file transfer services. And communication happens over WhatsApp, Skype or instant messaging on social media sites. All this must be giving the CISO (Chief Information Security Officer) or Chief Risk Officer sleepless nights. We asked Ruggero Contu, Research Director, Gartner, how organizations must act to safeguard their information assets in the wake of the shadow IT trend.

Ruggero Contu, Research Director, Gartner: “Shadow IT does not require approval for deployment. It could be something like deploying a service like Dropbox. Organizations should seek better visibility and better control on shadow IT. There are tools like CASB (Cloud Access Security Broker) that can provide better visibility.”

Some organizations try to block access to online resources and social media sites when they find out that their employees use these services and tools at the workplace. Ruggero (and other Gartner analysts that we heard at the summit) feel that this is the wrong approach. Rather, organizations should empower users to use these services, in a responsible manner, of course. And these actions should be closely monitored, if necessary, to ensure that resources are not misused.

As former US president Ronald Reagan used to say, “Trust, but verify.”

“Employees must be made aware that they are responsible for the manner in which they deploy and use these resources. They should be empowered rather than dissuaded. You can do this through training and by creating awareness,” said Ruggero.

Shadow IT can also happen at a departmental level. For instance, the marketing department may deploy its own applications from the cloud.

While most organizations may permit this, it is imperative to deploy sufficient controls and monitoring mechanisms, advises Ruggero.

“I’ve had conversations with marketing departments and for them social media was the key to their functioning. In many cases, the business actually sponsored the purchase of controls that facilitated the use of social media in a more secured fashion,” said Ruggero. “It is not the Security department or IT that is paying for that – it comes from the business or a particular department.”

So the resources to support shadow IT come from outside the IT department.

“There are various ways to check shadow IT, like Mobile Device Management, containerisation, sandboxing, end-point detection and remediation, threat intelligence services, monitoring user behaviour, etc. So there is a new set of security technologies emerging. However, some challenges will remain, especially when you have a private device (BYOD).”

———————————————————————————————

  1. The writer visited the Gartner Security & Risk Management Summit 2015 in Mumbai, held between September 1 – 2, 2015. More reports on the summit follow.
  2. “Shadow Dancing” is a disco song performed by English singer-songwriter Andy Gibb that reached number one for seven weeks on the Billboard Hot 100 in 1978. (Wikipedia)


Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn.