Are IT departments pushing people into the shadows?

By Bill Dunnion

If you’ve ever wondered what the single most effective trigger is to make the blood pressure of IT and compliance professionals simultaneously skyrocket, the answer is simple: mention the term Shadow IT and see what happens.

And to be completely honest, as a cyber security expert my blood pressure is equally as spiked. The mere thought of highly confidential corporate assets being uploaded to some rogue cloud platform completely unknown to the powers that be within an organization is frankly terrifying.

All terror aside, the greatest question to be asked is why do so many employees turn to external cloud platforms in the first place—I’m not sure anyone will like the answer. It all comes down to one single factor: IT cannot deliver the same experience, convenience, or ease-of-use as big cloud providers.

But before anyone thinks that this is some sort of insult, it’s far from it. It’s actually far more about what people expect of IT departments paired with their own outside influences and habits, and why those expectations are completely unrealistic.

Let’s take DropBox as a perfect and typical example of a cloud platform that is considered by many as “Shadow IT.” I’m sure that in our personal lives, the majority of us use this platform or something just like it—and why wouldn’t you? From its super slick and easy drag and drop functionality, to its ubiquitous connectivity on any and all devices, the idea of having access to all your files at all times is downright amazing. And it is amazing; however, not to IT and compliance professionals, and for good reasons.

Here’s where reality and expectation collide. When you consider the power of personal habits combined with modern technological convenience, the expectations of what can and should be the norm vastly changes. However, that same set of habits and convenience—something that most definitely influences how people also expect to work—rarely aligns with that of the corporate environment.

That said, if people have expectations and habits that work for them, that also make them more productive, by nature people are going to gravitate towards external solutions, regardless of what their employer says. Pair that with IT not being able to accommodate certain “expected” IT needs, and suddenly their jobs, associated projects, employee reviews, and even bonuses are placed in jeopardy. In short, IT may very well be out-of-sync with the perceived reality of the daily grind.

So why can’t IT just catch up? After all, if it’s nothing more than a free app, and the IT folks are super smart, can’t they just spin something up quickly? No, and here’s why.

Go to your IT department and ask them to build you the exact equivalent of DropBox. Sound reasonable? No it does not. Let’s not forget that even in the early days of the now famous cloud platform, DropBox was given a $10 billion valuation right after it raised $1.1 billion in an initial investment round. So, unless someone is willing to spin up a company-within-a-company and throw 1.1 billion dollars at IT for a new cloud “project,” the reality is that IT can’t and will never be DropBox.

So if IT can’t compete with the outside world—because they are busy doing real work that drives their own company—then what is the alternative? It’s actually easy: embrace what many refer to as Shadow IT.

And if that sounds like the old adage of if you can’t beat ’em, join ‘em, you are absolutely right. But with one monumental difference. In the case of joining them, it must be on one’s own terms, ensuring that whatever cloud platform is being used that it is secured and monitored at all times.

This means creating a Shadow IT and cloud application control strategy, being able to support and guide employees in proper usage, and restricting access to certain corporate data—welcome to your new world of Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), Identity Access Management (IAM), and more.

Cloud applications with all their ease-of-use and convenience aren’t going anywhere. Aligning your cyber security practices and taking a holistic and complete cyber resilience stance on all aspects of IT will make for a happier workplace, a more productive workplace, and a place where the blood pressures of IT and compliance can remain at normal and acceptable levels.