For those who are unaware, ‘Shadow IT’ is hardware or software deployed within an organisation that the IT department is unaware of, or has not approved.
As explained by Andrew Kellett, research analyst, Ovum, the term often carries negative connotations due to the maintenance and security issues involved in this often unregulated area of the technology marketplace.
According to Kellett, the general consensus is that the growth of shadow IT should be seen as a business and data protection problem, but not all chief information security officers (CISOs) agree.
“Not all shadow IT is bad,” he observes, “and leading CISOs recognise that there can be business benefits.”
In June 2015 a dozen of the UK’s leading CISOs gathered at the Eskenzi IT Security Analyst & CISO Forum to answer questions from security analysts, resulting in a lively exchange of views.
“Although the analysts would have expected the panel to take a strong stance on the need to reduce the use of shadow IT, the situation turned out to be less clear-cut,” Kellett recalls.
“Many of the CISOs who took part agreed there are control issues to be addressed when technology use bypasses corporate policy and standards requirements. But the overall message was that shadow IT can also deliver business benefits.”
For Kellett, those in the creative industries, media, and telecoms were particularly supportive of shadow IT. The suggestion was that these businesses need it to support the requirements of their free-thinking users.
“The focus for these CISOs from a security perspective was education, to ensure that users understand the data protection and security issues involved,” he explains.
“Although there will always be non-negotiable areas in which shadow technology cannot be used, IT security can no longer always inhibit it. User and data protection has to be agile enough to support the ongoing demands of the business.”
Kellett believes that the consensus view from this group of leading CISOs advocated a collaborative approach that incorporates shadow IT into computing polices whenever its use can be supported.
“Their opinion was that security teams should make every effort to find out why specific third-party tools are being used, and to review their business benefits and risks before making any final decisions,” he concludes.