The cloud. Mobile devices. High-availability networks. These and other technological advances have empowered users to work with greater efficiency and with lower spend, but they come with an unintended side effect: the consumerization of IT.
Where employees once leaned on IT admins to troubleshoot any problems or install new software, they're now able to perform the same tasks via easy-to-use self-service portals. The result? A quickly growing subset of users collectively known as "shadow IT" who use whatever processes and programs they see fit to accomplish business aims, even if these offerings aren't approved by IT. Employees defend this trend as a necessity, while CISOs worry it could impact the bottom line. So, what's the real cost of coloring outside IT lines?
How many unauthorized applications can IT departments "see" running on corporate networks? According to a recent CIO article, it's fewer than most CISOs think — research from Skyhigh Networks found that the average healthcare firm had 928 cloud services in use at any given time. The problem? Just 10 percent of those were known to IT, and Skyhigh found that a mere 7 percent of these "unknown" services met enterprise security and compliance standards.
And that's not the only risk of shadow IT. As noted in a CA Veracode webinar entitled "Third-Party Application Security Risk: The Elephant in the Room Is Finally Getting Talked About," monitoring procurement of IT services is no easy task, even for technology experts. Why? Because many SaaS vendors will gladly take personal credit cards as payment or allow users to install software under a "freemium" model, which often has a per-seat or data usage cap.
Individual employees using these services encounter no issues because their data volumes are too low, but when it comes time to procure official software licenses approved by IT, the department may discover other services already form the core of business use. Shadow IT services can also impact bandwidth; when multiple users all leverage their favorite applications and compete for network space, critical functions can get squeezed out, forcing IT to hunt for unsanctioned services and connections.
Bottom line? What IT can't see can absolutely impact ROI.
Increased visibility, however, isn't enough to mitigate the threat of shadow IT. Addressing the issue requires a strategy in three parts: curation, cultivation and communication. According to Power More, the first step is curating the IT environment created by users rather than shutting it down outright. Banning services simply drives the problem further underground, while working to secure what's already in place encourages employees to speak up rather than shirk IT requirements. Database Trends and Applications, meanwhile, suggests companies must cultivate new IT environments that recognize the commoditization of cloud services and focus on creating a culture of security from the ground up, rather than as an afterthought. Finally, CISOs must effectively communicate the risk of shadow IT to other board members. In fact, insider IT is often the best place to start the C-suite security discussion, since it's focused on what's actually happening to corporate networks rather than on the potential risk of an outside attacker.
Coloring outside IT lines can be costly. But by supporting, rather than scuttling, user IT, strengthening security culture and speaking the truth to C-suite executives, it's possible to minimize the threat of shadow IT while maximizing the potential of existing cloud services.
For more on shadow IT threats, check out the webinar in its entirety.