In the not-so-distant past, shadow IT was one of the more pressing business challenges that kept many CIOs and CISOs up at night. While still an issue deserving of thought-provoking conversation, it’s no longer the top pain point it once was. Instead, the conversation has shifted.
The increase in remote working, and the resulting work to ensure staff have access to the right tools to help them do their job from anywhere, has sparked a more nuanced response to the issue of shadow IT. This is due to the resurgence of shadow IT activities spawned by remote or hybrid work environments. Yes, shadow IT must be addressed but we should also embrace it, within reason.
In this new landscape, dominated by a vast cache of instant cloud technologies, we instead need to get to the core of why shadow IT has been so strongly guarded against for all these years. There are ever-present concerns around supportability, data interoperability, or, dare I say it, application rationalisation. However, the crux of the issue is data security, because throughout it all, an organisation’s greatest concern must be its most important asset: data.
Over the course of 2020, Australian organisations notified the Office of the Australian Information Commissioner (OAIC) of 1051 data breaches. The main causes of these breaches were malicious attacks (58%) and human error (38%). It is notable that data breaches resulting from human error were among those that increased the most, something experts lay at the feet of the remote working shift.
With a growing emphasis on digital transformation, data as a strategic asset continues to evolve for most organisations. The issue of shadow IT can therefore more accurately be seen as a need to implement unobtrusive governance, designed to prevent corporate IP or personal data from falling into the wrong hands.
For effective data loss prevention and management, the starting point is to make sure you (or someone in the organisation) can know where the organisation’s data is at all times; only then can steps be taken to protect it.
One method to help gain an understanding of what technology is in use across an organisation – and whether it contains sensitive data – is to rely on IT or software asset management (ITAM or SAM) programs. Gathering an accurate inventory of your organisation’s technology assets is also a best practice promoted by a number of global cybersecurity frameworks. CIOs and their teams can better grasp what they have, who has access to it, and how it is being used. This intelligence can not only potentially save or optimise budget when it comes time for a contract renewal, but it can also generate red flags for the possibility of data at risk.
Reinforcing data as a strategic asset, Gartner predicts that three-quarters of large organisations will have a Chief Data Officer by 2021. If you’re a CIO for a larger organisation, chances are high that one of your colleagues is a chief data officer (CDO). If this is the case, you have a good opportunity to support the organisation and each other in the flow and protection of data. Knowing what software and cloud applications are being used, where, and by whom can inform data strategy and digital transformation projects, as well as drive data protection strategies.
In addition to potential tools and internal processes, organisations need to review their enablement and training for employees. Many organisations allow their departments or teams to drive technology purchasing decisions – in some cases without IT’s knowledge. Ongoing training and enablement are essential for employees to understand their role in the buying process, especially if IT is not involved, including budget concerns, larger risks and negotiating techniques.
Of course, the ideal would be that IT is able to serve as a trusted advisor in these situations, but it’s clear that this is not always the case. IT should be prepared to create guardrails and governance where possible to ensure they can maintain at least a view into their organisation’s technology ecosystem.
It’s clear that mitigating the risks of shadow IT is still an important part of the job for CIOs and IT teams. However, the response has to be nuanced and take into account the needs and demands of the organisation, and of the staff within that organisation. Yes, data must be protected at all costs and, through visibility, security needs to be a priority. However, a balance needs to be forged where the productivity and agility of a team that’s likely to be working remotely is not negatively impacted.