In the good old days when shadow IT was just a piece of hardware or a few lines of borrowed code, CIOs
could expect their networks and infrastructures to be reasonably well-protected from all but the most determined foes.
Today, however, with the rapid rise of BYOD and software-as-a-service (SaaS), busy managers in search of solutions IT either can't or won't deliver can purchase cloud services with a credit card, and it's safe to say that the typical corporate network and application stack is full of unknown security holes.
Unfortunately, the CIO is probably going to be the last one to know about the extent of the problem. This is not uncommon nor should it be unexpected. CIOs are increasingly focused on the big picture these days, trying to figure out how to apply technology to achieve business outcomes -- on time and under budget.
Wresting back control
But this doesn't mean the cloud has to run roughshod over your security efforts. There are lots of technologies for managing cloud usage so that, at the least, IT has a clue as to what's going on. But, really, the goal should be to keep the company's employees from adopting bad habits in the first place. At the end of the day, cybersecurity is everyone's concern, and this needs to be communicated clearly and often, so employees know the policies.
That being said, setting cloud and BYOD policies is a good place to start. The days of simply banning unwanted technology are over (not that the approach ever really worked in the first place). Your employees will find a way around any such prohibitions if their needs are great enough, and given IT's poor reputation in many organizations, this is a safe bet. It's better to know who is doing what than to try to lock everything down.
You can achieve this in a few ways, or a combination of ways. Network monitoring technologies, for example, will give you the lay of the land down to the IP address of individual users, but cloud adoption at big companies is continuously changing, so it's best to combine this approach with a service catalog that offers users a pre-approved list of the most popular cloud services, such as storage and collaboration.
You can also engage with cloud brokers and cloud monitoring services to do similar things without all the manual labor involved in parsing log files. Mobile device management (MDM) apps are also becoming a necessity today and can be found from a lot of different vendors in a lot of different forms.
The next step is to survey your organization, either anonymously or by offering an amnesty, so that people will be forthcoming about the services they are actually using. The idea is to use this information to build policies that reflect real-life usage while encouraging good security practices. These policies need to be employee-friendly and flexible, so employees can consume the cloud services they really need with IT's blessing, while still keeping consumption under control. If the service they want is deemed too risky, for example, then IT should be able to offer some sort of alternative. Your business users are turning to the cloud for a reason that is often IT-related, so the goal should be to be seen as a partner who is working to get the business what it needs to succeed.
It's not about technology
It helps to view the cloud and BYOD not as points of failure, or even as technologies, but in the context of employee behavior. Most employees are tech-savvy and enjoy a much richer and more functional technology experience away from the office, so naturally they expect the same thing at work. If they are not getting what they expect, they will find work-arounds. It's just human nature. We are all problem solvers.
If you can view shadow IT security from a behavioral point of view, you will understand motivations as well as actions. If you understand why people do what they do, you stand a much greater chance of influencing that behavior in a way that is beneficial to everyone and stops shadow IT before it gets started.