Stop Encouraging “Shadow IT” and Start Safely Enabling Innovation

According to most information workers, when it comes to security, “IT needs to lead, follow or get out of the way.” A 2013 Software-as-a-Service study conducted by Stratecast and sponsored by McAfee reported that 4 out of 5 employees surveyed are knowingly violating company IT rules that they perceive are just getting in their way of doing their work.

Whether we like it or not, far too often security is seen as a roadblock or a showstopper for innovation. More and more employees think it’s just easier to find a solution on their own than it is to engage IT and run the risk of getting a “no” due to security concerns. This situation has resulted in a whopping 81 percent of survey respondents saying that they regularly use non-approved web applications to do their jobs, opening up substantial security risks to the organization as a whole.

So why are they doing it? When I’ve asked line of business managers and employees why they chose to implement unsecured tools like Evernote, Dropbox or Skype, they don’t see themselves as skirting the organization’s security policies, but as innovators trying to get the job done in spite of “oppressive” and “burdensome” security policies.

The response they generally receive from IT is “we have to allow it for everyone if we allow it for you,” making every security discussion an almost certain “no.” So what behavior does this encourage? Well, if employees believe the answer is always going to be “no,” then rather than follow the rules they simply stop bothering to ask at all.

So how can IT become a leader and enabler of innovation, one that employees willingly choose to follow, while at the same time continuing to ensure the safety of the organization?

Change the Conversation

The solution is to change the nature of the conversation. Instead of saying “no,” we in IT need to recognize that these applications can in fact add significant value to the organization. This must be true, or employees wouldn’t willingly violate company policies in order to use them. Rather than simply blocking these applications, we need to work with the business to understand their value and come to terms on how they can be introduced into the workplace and at the same time be “safely enabled.”

This approach works, and Stratecast agrees. One of their primary recommendations is to:

“Mitigate risks in commonly-used applications. Rather than shut down usage of popular but risk-prone applications, implement a security solution that allows you to control their use. Look for a solution that offers policy-based control over sub-functionality of commercial software—for example, allowing users to access Facebook but restricting the ‘chat’ function.”

If you’ve seen our latest Application Usage and Threat Report, you know that many enterprises just don’t have a handle on what applications are running. So the first step I would recommend for bridging the gap between IT and the business on security is to understand what users are already doing.

A great way to do this quickly and easily is to complete an Application Visibility and Risk Report (AVR report) with Palo Alto Networks.

With an AVR report in hand you get a clear understanding of what applications employees are using on the network, presented in a non-technical format that is easy to share with senior administrators.

The AVR report not only highlights risks but also shows where to start a conversation about which unauthorized applications the business in fact needs.

This leads to a much more productive security policy discussion, one that starts from a simple premise: if employees are going to use these applications anyway, and the business needs them, how can they be brought back under the governance of IT and implemented in a safe and effective manner?

This shift in emphasis changes the tone from a debate with a “yes” or, more likely, a “no” outcome to a collaboration that allows employees to maximize the benefit of these applications while ensuring overall security.

Rather than opening the security discussion with a “no,” taking this approach demonstrates to the business that IT is there to enable innovation and assist, not simply to be a roadblock. While pointing out the risks is important, demonstrating the willingness and ability to understand the requirements of the business and then safely enable innovation will make IT the leader in security that employees are willing to follow.
