Shadow IT - Why Security is Scrambling to Reinvent Itself

Monday, April 16, 2012

Rafal Los


Here's a statement I know will not shock you: Shadow IT is the leading cause of many of the "reinventions" that IT organizations across the globe are going through.

You're probably already at least loosely familiar with the term Shadow IT, which refers to the technology capabilities organizations have outside of the formal IT department.

You see, shadow IT is causing a major shift in the way the CIO sees his or her organization participating in the business for a few different reasons, not the least of which is fear. 

While I don't ever advocate making decisions based on fear, in this case there are more examples than I have fingers to count of companies where IT has "reinvented itself" as a result of this fear factor.

Truth be told, fear is not the only motivator.  There are also other things like... uhmm... rats... no... it all boils back down to the fear of being irrelevant, ignored, and in some cases outright eliminated.

Let's talk about this, because I think for many CIOs (and consequently CISOs) the ground is moving underneath their feet, and if they're not actively moving to counter it there are some very serious consequences.

What's going on?

If you're reading this post wondering what in the world I'm talking about - read this.  If you are already painfully aware of the shifts I'm referring to, by all means skip ahead and save yourself a few minutes of reading.

Some time in the last decade or so, technology went from being the enabler of business and innovation to the barrier to it.  As technology departments became commonplace in organizations big and small, they formalized, organized, and grew in purpose.

From 'the IT guy' to 'the big IT department', process runways elongated and complexity went through the roof, all while delivery times slowed to a crawl and reliability didn't improve much (face it, it couldn't possibly fall).

To be completely fair, IT departments expanded the services and capabilities they provided to support the business.  This necessitated an increase in complexity, which led to longer delivery windows and less likelihood of first-time success.  Over the span of about 10 years, frustration with Corporate IT grew to a point where many business and project managers simply found an alternative to their IT department.

BYOD (bring your own device) was born in its first wave way, way back in the early 2000s, and issues like project managers with servers under their desks became common.  Of course, this made IT react in a negative way - processes became more rigid, rules more draconian, and with every t crossed and i dotted, the delivery windows grew even longer.

Enter the age of the iPad, the super-function 'Smart Phone', and Cloud Computing, and you've got yourself a hostile takeover of rigid corporate IT.  Wait ...let's back up ...what's happening to IT Security all this time?  Answer: it's getting run over, backed up over, and run over again.

While the struggle for control of business-enabling technology rages, security is stuck in the middle trying to play policeman in a corporate environment where IT barely has control of its technology, much less its security posture.  It's ugly.

If you want proof of how ugly the security posture that shadow IT has created is, look around your own company.  Security policies are potentially 50+ pages long, IT Security is now the "Department of NO!", and the relationship between business, IT and security is adversarial on a good day.  On a bad day it's all-out war between siblings... again, it's ugly.

Contributing Factors

I've already mentioned it above, but there are a few key contributing factors to Shadow IT and the rise of this very serious issue.  I'll list them out here and give a short explanation of why each one is a problem...

  • Complexity - by now most companies have gone through explosive growth and sudden contraction of business, which necessarily means this happened in IT as well.  Companies have bought and sold assets, acquired, divested, and needed to integrate, disintegrate and partner up with various incompatible third parties over this period of time, and network maps read like the road map for Riverside, IL (trust me, look it up).  Complexity breeds complexity, especially since you've got the next item, and it only gets worse.
  • Aging equipment - Lots of old equipment litters corporate storage rooms, desktops, server rooms and hallways - especially empty cubicles!  Think about the last time you saw a pile of old servers, switches or other equipment: all this stuff is incompatible, out of date and a nightmare to maintain.  You probably don't have funding to replace everything everywhere it needs to be replaced, so you "make do" and move on, adding to complexity.  Equipment fatigue causes breakdown, breakdown causes overly cautious IT teams, and that causes everything to slow down.
  • Mobile workforce - The people who designed your original network, put in those first few dozen racks and wrote the first hundred applications are likely retired by now.  They're not just not working for your organization, they're likely not working at all anymore - so they're not going to be any help figuring out what's what.  Oh, and did you notice they didn't document anything, because all this time they were building and tearing down so fast that they couldn't maintain accurate network, system and application maps and specifications, configuration guides and other necessary paperwork?
  • Push to market - Every project in today's delivery pipeline was supposed to be released last week.  Even new projects start behind the ball and are always late, over budget, under-staffed and generally just glued together well enough to limp out to the market and get those first few customers ... "then we'll use that money to build everything up like it should be"... right?
  • Availability of consumer technology - Since you're taking 3 months to deliver a server to that project which needed it yesterday, the project manager used his corporate card to provision some consumer-grade device that's now under his desk and acting as the development and testing box.  The fact that you didn't have tablets to test the new iPad and Android apps with means that project budget was used (or, more likely, the corporate card again) and the project bought their own.  Oh, and you didn't get a say in it.  The project manager just learned how easy and 'safe' it is to bypass IT to get stuff done when you really need it.  Dangerous lesson for them, worse for you.
  • Cloud computing - If you're not depressed yet, here's the big punchline.  Cloud computing means that rather than having to wait 4 weeks for you to scope out, provision, configure and deliver a working server, your project managers can do it in 30 minutes on Amazon, RackSpace or any of the dozens of cheap competitors.  That's right, you're no longer a bottleneck like you used to be ...except now you have absolutely zero control.

The Reaction

Now, knowing some of this, and having the rest in front of you on the screen, generally has one of two effects.  Either you're simply resigned to being left behind and possibly irrelevant, or you're resolute to fix this issue.  Nearly everyone from the IT management world (CIO, CISO, CTO, whatever), when faced with being irrelevant, ignored or even possibly eliminated, finds religion in reinvention.

Figuring out what you're doing wrong and righting those ills quickly is what many of the IT departments out there are going through as you read these words.  Processes are being streamlined, budgets optimized, goals business-aligned, and delivery methods and capability pushed to an acceptable point.  No one wants to work some place where they're not respected, or worse, irrelevant.  IT is scrambling right this minute to reinvent itself to get back to where we wanted to be - a business enabler.

It's one thing to say this, but it's another to actually make it happen.  At the heart of that 'make it happen' attitude is the ability to tell whether you're doing a good job or not.  Are you aligned to the business sufficiently?  Are you delivering IT capability and capacity at the speed the business requires?  Do your processes match the expectations and requirements of your business?

If you're not equipped to answer those questions quite yet, don't panic.  There is lots of help out there.  I won't offer anything here except free advice from a community that's being built around the need to help IT reinvent itself for the next cycle of utility. 

If you're interested in learning more, check out the ever-expanding Discover Performance community where you can get advice, knowledge and engage experts who've not only reinvented their IT departments but been able to prove it! 

Go.  Right now.  Click over, subscribe, read, and understand a little better about what it takes to reinvent your IT department and prove you've done a darn fine job.
Be able to prove it.

Best of luck... wait, you don't want luck, you want skill.

Cross-posted from Following the White Rabbit
