In our last blog post, we talked about the dark side of shadow IT. End users and lines of business might see a productivity boost from circumventing IT and adopting cloud apps on their own, but that boost comes with serious security and compliance risks. Tools exist to help identify and combat the shadow IT already in use at organizations, such as CipherCloud’s Discovery tool for sniffing out cloud services, but preventing shadow IT from taking over your organization demands more than just technology. CipherCloud Chief Trust Officer Bob West spoke with us about organizational and management strategies to control the spread of shadow IT.
Bob West: It goes back to fundamental governance in an enterprise. If the right discussion is going on, and the business and technology and security organizations are at the table, you can really understand what the business needs to do its job. Most importantly, what’s the gap in terms of what tools the organization is using and the tools that IT is sanctioning or providing? That gap shows what the business’s needs are. Once you know that, you can come up with a good set of solutions for the enterprise.
When you have the right people at the table, they can have a good, constructive discussion about, “Here are the applications we have right now. Here are the benefits and risks. What are the pain points that we have?” For example, there might be an enterprise application that an organization is using that either has problems or is very expensive to maintain. There can be opportunities like that, or applications that are just not working properly. If a cloud strategy is then executed properly, it can bring a lot of relief to an organization.
It sounds like you’re saying that leadership is key.
Bob West: Yes. It’s leadership, not technology. In many cases, the technology team is not in tune with what the business needs. There isn’t a good, constructive conversation going on. The flip side is that if the technology organization is functioning properly, it can understand where the business is heading strategically and provide the tools to enable that.
As an example, in most of the organizations that I’ve worked in, we either had Top 3 or Top 5 business initiatives, and technology and security were at the table. So technology could respond to say, “These are the solutions we can provide to deliver these business priorities,” and security was there to say that as these solutions are delivered, “Here are the security solutions that we can offer to be part of that equation.” There was a good alignment with the business, security, and technology organizations within the businesses.
If you understand where the business is headed, you can provide the right solutions. It sounds like a very simple problem, and it is, but lack of alignment is something that is pervasive within many organizations.