If there’s one term that can make a CISO squirm whenever mentioned, it’s “Shadow IT.” After all, when tasked with securing an enterprise-scale network, most CISOs frown on business units and employees procuring their own tech solutions — like Dropbox, Flickr, or Gmail — without notifying IT for proper vetting. But that discomfort isn’t stopping mid-market and enterprise employees from using Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) solutions. In fact, according to our research, 81 percent of Line of Business (LoB) users and 83 percent of IT users deploy these cloud applications without the support of their business.
We’re not the only ones noticing this trend: According to Enterprise Strategy Group (ESG) research, 72 percent of all mid-market and enterprise firms are increasing their spending on cloud computing initiatives in 2014. This increase in spending has also coincided with a persistent infosec worry: A separate ESG survey found over 25 percent of security professionals are concerned with the lack of control, privacy, regulatory compliance, and visibility offered by cloud services.
Organizations are doubling down on cloud applications whether they know it or not. The question now is “How can CISOs control Shadow IT’s presence without negatively impacting IT risk?” For this, Jon Oltsik of ESG suggests in his NetworkWorld post that we focus on three critical areas: Identity, or who is accessing resources from where and on what device; Data, or where data resides, what it is, and who has access to it; and Visibility, or the ability to see what’s happening on the network.
These three areas, however, can be boiled down to one concept: constant awareness of all things IT. Of course, obtaining this awareness is easier said than done. Few vendors can provide the insights needed to empower the CISO seeking visibility, but McAfee is one of them. What will the future have in store for CISOs needing to consider the Bring Your Own App movement? Web application firewalls, secure web gateways with cloud visibility and control features — all are viable solutions as Shadow IT further envelops traditional IT with the expansion of cloud services.
But there are more immediate problems CISOs are running into with Shadow IT — problems that can’t wait for a possible future fix. Adding to the complexity, however, is that restricting cloud usage could do more harm than good. Learn about these issues and best practices to mitigate risk in our Shadow IT report.