Casting a light on shadow IT -- turning threat into opportunity [Q&A]
Today's climate of digital transformation (DX) is giving rise to a variety of intriguing cloud and software-as-a-service based offerings.
In the case of public cloud, instant access to infrastructure and platforms for developing new services off-premise may be extremely attractive to some organizations. The modern world of free cloud services and easily installable apps makes it all too easy for employees to bypass the IT department and use whatever systems they want.
Virtually unlimited elasticity and pay-as-you-go cost models with no capital expenditure make these offerings an ideal solution for lines-of-business. Add to this a wealth of SaaS offerings that give chief digital officers (CDOs) and chief marketing officers (CMOs) a means to subscribe to new external services at will without having to rely on IT, and it's little wonder CIOs are taking notice.
These trends of bypassing IT and effectively creating a 'shadow IT' organization have CIOs concerned about how DX is causing them to lose control. But is it better to empower users rather than enforce corporate policy? Performance management company NETSCOUT believes the way for enterprises to address this issue is to offer the sort of agility and functionality that people need so they don’t have to look elsewhere. We spoke to Michael Segal, NETSCOUT's director of enterprise solutions, to find out more.
BN: How pervasive is shadow IT?
MS: A recent study by Cisco revealed that, at the average enterprise, 80 percent of end users rely on software not cleared by IT. And a Logicalis Global CIO Survey found that, "90 percent of CIOs are now bypassed by line-of-business colleagues at least occasionally". For years, we have known that employees and lines-of-business (LOB) are going around IT departments and utilizing cloud services to get their job done. But this data highlights the overwhelming scope of shadow IT and its use across all industries. The digital economy is putting greater pressure on businesses and one result of this is the vast growth of shadow IT.
BN: If DX is inevitable, where does that leave CIOs?
MS: CIOs are left with two major options:
1. They can see DX as a threat. They can push back on DX initiatives that try to bypass the CIO, and fight the LOB, CDO and CMO for ownership and control of these projects.
2. Or they can perceive DX as an opportunity. In doing so, they can become the corporate champion of DX initiatives, transforming shadow IT into LOB shortcuts sanctioned by IT to guarantee business velocity through an overarching business assurance strategy.
The second option here is where we see the industry headed today. To fulfill this strategy of DX acceptance, CIOs should seek complete visibility across all on- and off-premise environments, both physical and virtual, mobile and desktop systems, applications and services consumed by corporate users, including employees, customers and contractors. Furthermore, this end-to-end visibility will enable CIOs to introduce a corporate BYOD strategy that will improve productivity and help the organization remain competitive over time as more millennials and other natively digital employees join the workforce. CIOs that embrace shadow IT give their businesses the keys to confidently innovate and compete in their industries.
BN: How does shadow IT complicate the issue of security?
MS: With social engineering becoming the predominant technique utilized in advanced persistent threat campaigns, the prospect of non-qualified employees interacting directly with a variety of service providers is a significant problem. When IT departments don't have an enterprise-wide security strategy that delivers complete visibility across all on- and off-premise environments, the risks are considerable. The problem is compounded quickly if the infrastructure of these service providers is breached and used as the launching pad for campaigns against its customers.
To manage risk effectively, it's critical for IT to profile traffic behavior and to identify anomalous deviations from the baseline for zero-day attacks, as well as utilize signatures of behavior of known threat agents effectively. IT also needs an uninterrupted view of the network required to identify and alert on the advanced threats creeping into both corporate networks and their service provider networks. These visibility-driven insights enable IT to mitigate the security challenges imposed by shadow IT.
BN: Is there a need for an overarching governance strategy? If so, how would that strategy be best achieved?
MS: There's no doubt that a governance, risk management and compliance (GRC) strategy that utilizes a business assurance solution is necessary in our increasingly digital world. Such a strategy allows organizations to meet their risk and compliance obligations for all technical operations, including security, infrastructure, integration, third-party risk, business continuity/disaster recovery and application development. Existing frameworks, such as the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT), can be used to cast light on the shadow IT elements by adding them to an official IT service catalogue and formulating service level agreements around them. This approach would enable CIOs to govern shadow IT and become internal service providers, regardless of where those services are built and operated internally, through managed service providers or from the cloud. The business assurance solution can also provide CIOs with holistic visibility across all services, which is necessary for the overall agility of any given IT organization.
BN: Is there a case to be made for decentralizing part of the IT budget to let departments make their own choices?
MS: It's easy to make the argument that having the speed and agility of deploying new services is key to surviving and thriving in the DX age; and decentralizing part of the IT budget definitely supports this. Let’s face it, shadow IT is virtually a fact of life in the modern IT organization. The problem is that this world of cloud offerings and easily accessible and installable technologies creates a lot of chaos. This is why CIOs must develop a companywide governance model for shadow IT that enables lines-of-business, CMOs and CDOs to talk to cloud providers, and to do so in a way that makes the most sense for the organization as a whole. This might mean leveraging economies-of-scale to negotiate a better price. IT can also serve as a central point to look at the big picture, addressing challenges that come with DX, effectively managing risk, and leveraging a global business assurance solution that allows IT to be more agile in delivering new services faster, at scale and with higher quality.