Strategies for managing the risk of clandestine IT while promoting novelty and technological advancements

Rogue Technology Deployment: This refers to the clandestine introduction and use of software by employees within a company, where it goes undetected in the organization's digital landscape.

Guiding strategic approach to managing hidden IT solutions while considering potential threats and exposures

In the modern business landscape, the balancing act of fostering innovation while managing security risks has become a crucial concern for many organisations. This is particularly true when it comes to the phenomenon known as Shadow IT.

Ed Macnair, CEO of CensorNet, underscores the importance of this delicate dance, emphasising the need to 'follow the user' and ensure employee safety and security at all times, without stifling innovation. Adriana Karaboutis, VP and global CIO of Dell, shares a similar sentiment, advocating for the embrace of shadow IT as part of a wider culture of innovation, stating, "I don't chase shadow IT, I chase innovation."

So, how can businesses strike this balance? A pragmatic approach that integrates visibility, governance, and collaboration seems to be the key. Recognising that shadow IT often arises to solve workflow gaps or speed innovation, businesses should implement controls that provide security oversight without stifling employee initiative.

Key strategies for this approach include:

  1. Increase Visibility and Monitoring: Unsanctioned applications and cloud services can create security blind spots, increasing the risk of data exposure and compliance violations. Deploying technologies and policies that detect and log the use of these tools can help reclaim visibility.
  2. Implement Clear Policies and Training: Open communication encourages employees to report AI or software tools they want to use, allowing IT teams to assess and onboard appropriate solutions securely. Educating users about risks can prevent careless shadow IT adoption.
  3. Establish Governance Frameworks: Managing shadow IT through structured governance enables control over sensitive data flows and usage while permitting innovation. Frameworks should be aligned with regulatory requirements and incorporate regular compliance audits.
  4. Collaborative IT and Business Partnership: Instead of outright banning shadow IT, treat it as a signal of unmet business needs and consider integrating popular shadow tools into the official tech roadmap. This balances innovation and control, reducing operational friction and financial waste.
  5. Enforce Security Controls on Approved Tools: Mandate strong authentication, encryption, and vendor risk evaluation on approved tools to minimise attack surfaces, including for AI tools running on third-party cloud infrastructures.

While shadow IT can pose risks to data management, security, and compliance, it can also lead to innovation. A Frost and Sullivan report shows that 49% of staff are comfortable using unapproved applications because they help complete tasks more efficiently. The trend for businesses to move core processes to the cloud has accelerated the prevalence of shadow IT, making it harder to monitor.

To mitigate these risks, businesses should update their acceptable usage policies to cover modern-day issues like home working and BYOD. Allowing or ignoring shadow IT may lead to the discovery of new working processes beneficial to the wider business. A survey by Fruition Partners reports an increasing culture of shadow IT in 60% of UK organisations, with 79% of surveyed CIOs admitting that unauthorised cloud services are being used without their IT department's knowledge.

In summary, businesses should combine detection, transparent communication, and adaptive governance to harness shadow IT’s innovative potential while reducing security, compliance, and operational risks. This balanced approach views shadow IT as both a challenge and an opportunity for enterprise IT strategy rather than simply a threat.

  1. In the realm of business, technology plays a significant role in facilitating innovation, such as shadow IT, which can be governed and monitored to ensure security and compliance, without hindering the finance sector's growth or the industry's progress.
  2. To succeed in this delicate dance of fostering innovation while managing security risks, businesses can implement strategies like increasing visibility and monitoring, establishing governance frameworks, collaborative IT and business partnerships, and enforcing security controls on approved tools, thus turning shadow IT into an opportunity for growth and improvement.
