As the name may imply, Shadow IT relates to the installation and use of applications within an organisation by employees operating in the shadows of the business, without the knowledge or approval of IT. Therefore, these applications are often not in line with the organisation's requirements for data management, security and compliance. Whilst many may see this a potential security risk, shadow IT is also considered as an important source for innovation, enabling the faster development of solutions that can change the way of working and could yield greater benefits for the entire business.
Shadow IT is region agnostic and purely business driven. It can lead to innovation with applications meeting the needs of the business, but can also increase risk. It is a balancing act for businesses, with each individual organisation needing to decide just how far they reside along the risk curve. By allowing – or at the very least turning a blind eye to – shadow IT, new working processes that can benefit the wider business may be found. However, shadow IT can also be a security nightmare. Especially when you consider that those members of staff who are likely to use their own solutions, will inherently be from the generation of risk takers and will be inherently less concerned by the need for all-encompassing security measures. So, how can businesses look to protect themselves from risk and go about deciding their own risk profile?
BYOD and the cloud as a catalyst in the Middle East
Businesses in the Middle East are now starting to fully embrace the cloud. However, several high profile cyber-attacks in the region – most notably the one on Saudi Arabia's state-owned petroleum company Saudi Aramco – have raised the awareness of the security implications that come with it.
A starting point for businesses in the Middle East wishing to mitigate the risk is to ensure that their acceptable usage policies are updated to cover modern day business practices, such as home working and bring your own device (BYOD). In some ways, (BYOD) was the main catalyst behind shadow IT. The general consumerisation of IT and the trend for staff to bring in their own devices has meant that every employee is now a potential user of shadow IT. It is no longer just rogue, tech-savvy staff wanting their own tools. Shadow IT has recently become a much broader issue.
Shedding light on the shadows
According to Atos, 36 percent of shadow IT purchases are spent on file sharing software, 33 percent on data archiving, 28 percent on social tools and 27 percent on analytics. Often, the use of shadow IT is down to impatience with the IT department, with the primary reason for shadow IT cited by respondents as the IT department's inability to test and implement new capabilities and systems in a timely manner, thus smothering creativity and productivity.
Between now and 2019, the Middle East is expected to have the highest cloud traffic growth rate globally (41 percent CAGR). The trend for businesses in the Middle East to move core processes to the cloud – and staff's general acceptance of it – is also accelerating the prevalence of shadow IT in the region, which at the same time has also made it harder to monitor.
A motivational force to be reckoned with
It is wrong to discuss shadow IT without examining the benefits it can bring in innovation. A recent Frost and Sullivan report entitled The New Hybrid Cloud showed that 49 percent of staff are comfortable using an unapproved application, because using them helps staff “get their job done more quickly and easily”.
The rise of shadow IT may actually inject a healthy dose of innovative thinking into organisations, so shouldn't be disregarded from the start. The ability to test new approaches to business problems that could have a positive impact on the bottom line, is vital to employees at all levels. If they are encumbered by the need for permissions, or for budget approvals to get to the technology they need, things can stall at a time when market conditions change quicker than ever. Not to mention, shadow IT applications are often far cheaper than their ‘official' counterparts procured through the IT department.
Some of the world's largest companies are discovering that instead of trying to drive out shadow IT, it is best to embrace it as part of a wider culture of innovation. Adriana Karaboutis, VP and global CIO of Dell recently said: “I don't chase shadow IT, I chase innovation. When you work in a technology company and have 110,000 best friends that understand technology well and probably even better than you do, you have to be out there working, listening and determining how you can create even more value for the employees and customers that you serve as opposed to being defensive about owning IT.”
I would tend to agree. The onus on forward-thinking businesses shouldn't be on stamping out shadow IT, but rather encouraging employees to adopt and get the most out of their tools of choice in a secure and productive fashion.
Since the advent of shadow IT – and the exponential rise of cloud applications – organisations in the Middle East and indeed worldwide must ensure that an individual's data flow is monitored at the most basic level, regardless of whether users are in-office or mobile. Solutions such as cloud application control (CAC) can provide businesses with this visibility and the ability to discover, analyse and control all the information staff are accessing or sharing – whether across authorised or unauthorised applications. It is about managing security risks without stifling innovation. By ‘following the user', businesses can ensure that employees are safe and secure at all times, whether they are using authorised applications or those from the shadows.
Contributed by Ed Macnair, CEO, CensorNet