4 Tips for CIOs to Deal Efficiently with Shadow IT

By ISBuzz Team, December 3, 2015 (updated July 4, 2024)

JC Gaillard of Corix Partners shares his top 4 tips for CIOs to effectively and efficiently deal with the matter of Shadow IT.

Shadow IT is a recurring source of concern for many CIOs. For most, the key issue revolves around losing control, with some seeing it as a sign that their empire is crumbling and others thinking they cannot support their business if they don’t know how the business is structuring the use of IT across processes. Some might be simply concerned about the unknown and fear that one day, all of this might fail and come back to them to “sort out” in a hurry.

Still, some see a real amount of risk behind all this: the business accepting ludicrous terms from shameless vendors, and potentially exposing sensitive data in the process.

  1. Don’t be complacent about the context

None of this is new and, in fact, it has been happening for the best part of the last 10 years in some areas (for example in the HR departments of some large organisations). A great deal of it is rooted in the commoditisation mega trend which has been changing the nature of IT. Trying to ban it would be difficult to enforce and possibly counter-productive.

Of course this is also rooted in each CIO’s perception and practice of their own role. Focusing only on technology problems, support issues, priorities and costs is a sure way to alienate business units where younger leaders expect a more responsive and agile approach. The same goes for the CISO, who needs to understand that developing security “awareness” amongst business units goes way beyond tick-in-the-box online courses, colourful posters and distributing mouse mats. Both need to learn to listen to their business and answer in positive, simple language rooted in today’s reality. It is about building channels and becoming more of an influencer and less of a technologist. Those aspects are driving a fundamental evolution of the roles of the CIO and the CISO.

  2. Security is key but put it into perspective

The security aspects associated with Shadow IT are real and must not be overlooked but they can only be understood when put in the right perspective. It doesn’t make sense to assume upfront that any Shadow IT solution introduces risk and is therefore a hazard that must be avoided.

75% of large organisations currently show a significant cyber security risk exposure and low levels of maturity in that space, according to the first RSA Cyber Security Poverty Index, published in June 2015 and based on data from 400 security professionals across 61 countries. Similar results can be found in an earlier survey conducted by McKinsey & Co for the 2014 World Economic Forum. Those who need further anecdotal evidence can simply refer to any recent security breach around them.

You can only assess properly the security level of any Shadow IT solution (or any Cloud-based solution for that matter) by comparing it with your existing internal security practices. If your CRM consists of an unknown number of spreadsheets which can be copied by any of your colleagues onto any removable media, live on file servers that can be accessed by an unknown number of administrators using generic accounts, and are randomly backed up on unencrypted tapes that are never checked … then Salesforce could well be a step forward.

Of course many of these issues may be linked to catastrophic legacy problems or to years of under-investment and adverse prioritisation by the business. However, over time, this type of language is going to be less and less audible to younger managers who are used to a different delivery model where IT is just there and working. Who would blame a business leader for moving their team onto the Cloud after hearing for the third time in one month that “the backup tape was corrupt”?

  3. Build channels to listen and teach

On the other hand, Shadow IT will never be a curse for CIOs who take information security best practice seriously, run a clean shop, listen to their business communities and talk to them in their own language.

Influence and knowledge are the two vectors CIOs can use to deal with Shadow IT. They must build channels to work with their business units and teach them to challenge providers instead of trusting blindly, and ensure they take into account all hidden costs and relevant considerations before making decisions. Data has been the true currency of cheap Internet services for many years, so reading the small print is always key from a corporate perspective to avoid costly mistakes.

  4. Don’t lose sight of controls

From a control perspective, a sound vendor risk management practice is key to ensuring that all these aspects are captured and dealt with by the relevant parties within the organisation. It has to start with a solid inventory and vendor classification practice, and be focused on the tangible verification of key controls with key vendors. Resulting actions must be tracked and followed up, and unsatisfactory risk postures must be reported internally through the regular risk reporting channels.
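The inventory, classification and follow-up steps above can be given a concrete shape. The script below is an added example, not code from the article or from Corix Partners: it takes a constructed proxy log extract (date, user, destination host) and a constructed approved-vendor register, lists the services in use that are not in the register (ranked by number of distinct users, so the most widely adopted Shadow IT surfaces first), and flags registered vendors whose key-control verification is missing or older than a review cadence tied to the data classification. All hosts, user names, dates and cadences are hypothetical assumptions.

```python
"""Shadow IT discovery and vendor control follow-up (added example, not the
article's own code). Hosts, users, dates and cadences are constructed."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed proxy log extract, one "YYYY-MM-DD user host" record per line.
PROXY_LOG = """\
2015-11-02 alice crm.example-saas.net
2015-11-02 bob crm.example-saas.net
2015-11-02 carol files.sharebox-example.com
2015-11-03 alice hr.peoplecloud-example.org
2015-11-03 bob hr.peoplecloud-example.org
2015-11-03 dave crm.example-saas.net
2015-11-03 erin files.sharebox-example.com
2015-11-04 frank notes.quickpad-example.io
2015-11-04 alice crm.example-saas.net
"""

# Assumed review cadence per data classification: the maximum number of days
# between tangible verifications of a vendor's key controls (None = no review).
REVIEW_CADENCE_DAYS: Dict[str, Optional[int]] = {
    "confidential": 180,
    "internal": 365,
    "public": None,
}

# Constructed approved-vendor register:
# host -> (vendor name, data classification, date controls were last verified).
REGISTER: Dict[str, Tuple[str, str, Optional[date]]] = {
    "crm.example-saas.net": ("ExampleCRM", "confidential", date(2015, 1, 15)),
    "files.sharebox-example.com": ("ShareBox", "internal", None),
    "status.example-public.com": ("StatusPage", "public", None),
}

AS_OF = date(2015, 12, 3)  # reporting date used by the stand-alone run


def parse_proxy_log(text: str) -> Dict[str, Set[str]]:
    """Map each destination host to the set of distinct users who reached it.
    Malformed records are skipped so one bad line cannot abort the inventory."""
    usage: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _day, user, host = parts
        usage[host.lower()].add(user)
    return dict(usage)


def find_shadow_it(usage: Dict[str, Set[str]],
                   register: Dict[str, Tuple[str, str, Optional[date]]]
                   ) -> List[Tuple[str, int]]:
    """Hosts in use that are absent from the register, most-used first."""
    shadow = [(host, len(users)) for host, users in usage.items()
              if host not in register]
    return sorted(shadow, key=lambda item: (-item[1], item[0]))


def overdue_verifications(register: Dict[str, Tuple[str, str, Optional[date]]],
                          today: date) -> List[Tuple[str, str]]:
    """Registered vendors whose control verification is missing, stale, or
    impossible to schedule because the classification is unknown."""
    findings: List[Tuple[str, str]] = []
    for host, (name, data_class, last_verified) in sorted(register.items()):
        if data_class not in REVIEW_CADENCE_DAYS:
            findings.append((host, f"{name}: unknown classification {data_class!r}"))
            continue
        cadence = REVIEW_CADENCE_DAYS[data_class]
        if cadence is None:
            continue  # public data: no verification cadence assumed
        if last_verified is None:
            findings.append((host, f"{name}: controls never verified ({data_class})"))
            continue
        age = (today - last_verified).days
        if age > cadence:
            findings.append((host, f"{name}: last verified {age} days ago, cadence {cadence}"))
    return findings


def build_report(log_text: str,
                 register: Dict[str, Tuple[str, str, Optional[date]]],
                 today: date) -> dict:
    """Combine discovery and follow-up into one structure for risk reporting."""
    usage = parse_proxy_log(log_text)
    return {"shadow_it": find_shadow_it(usage, register),
            "overdue": overdue_verifications(register, today)}


if __name__ == "__main__":
    report = build_report(PROXY_LOG, REGISTER, AS_OF)
    print("Services in use but not in the vendor register (host, distinct users):")
    for host, count in report["shadow_it"]:
        print(f"  {host}: {count}")
    print("Overdue key-control verifications:")
    for host, reason in report["overdue"]:
        print(f"  {host}: {reason}")
```

In practice the log extract would come from a web proxy, a CASB or the identity provider's sign-in records, and the register from the vendor risk management tool; the ranking by distinct users is what turns a raw list of unknown domains into a prioritised conversation with the business units that adopted them.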

Dealing with Shadow IT embodies the evolution of the role of the CIO, from being primarily a technologist and a problem solver to being an influencer and a risk manager. Thinking about Shadow IT as a “problem” and something that should be banned is not the right start. Embracing it without controls as the way forward is equally wrong. This is just part of a different way of working around technology and security.

Corix Partners analysed many of these challenges in their 2012 and 2014 white papers on Cloud Computing and Vendor Risk, and readers can click on the links to download them as a resource.

About JC Gaillard

Jean-Christophe (JC) Gaillard is a senior executive in the Information Security transformation field, with over 20 years of experience developed in several global financial institutions in the UK and continental Europe, gaining exposure to all layers of management up to board level. JC was the Chief Security Officer at Rabobank International from 2000 to 2009. Prior to that, he held a number of IT Management positions within the Paribas/BNP-Paribas organisation between 1991 and 2000. A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech.
