A Contributed Article by
Israel Lifshitz, CEO of Nubo Software
In most businesses, the notion of a "bring your own device" (BYOD)
policy has become absurd. People are using personal smartphones and tablets for
business regardless of what policy says. You may as well implement a "bring
your own brain" and "bring your own body" policy too. BYOD is now a description
of what is happening, not a
prescription for what companies should permit.
As long as business and IT leaders continue to think that policies
can curb risky BYOD, "Shadow IT" will continue. Employees and departments will
continue to subscribe to cloud services outside IT's awareness, raising the
likelihood of data leaks, cybersecurity breaches and compliance violations.
According to Netskope's January 2015 Cloud Report, organizations use an average of 613 cloud
apps, 88.1 percent of which aren't enterprise ready. Their researchers estimate
that 15 percent of corporate users have had their account compromised, and
another 13.5 percent of business-critical apps are at risk. We've seen enough
data breaches in the news to know that this danger isn't trivial.
Organizations have to fundamentally change how they regulate
mobile devices. The key is to turn your employees' indiscretion into an advantage.
The apps and services that employees download at will - those are the services
that your IT department is failing to provide.
The Consumer Mindset
Your employees are members of a business, but with a smartphone in
hand, they will behave like consumers. The iOS and Android ecosystems have
taught people that if you need something, download it. The expectation is that
digital challenges can all be overcome with the right tool. No scanner at hand?
Download a scanning app, link to your Google Drive. No access to your notes and
most important documents? Download Evernote. The smartphone is a device of
enablement, and Shadow IT is the inevitable byproduct. IT has no hope of
changing this consumer mindset, especially if Shadow IT is already underway.
The Investigation
Instead of changing your employees, investigate why they are downloading these apps and
using them to handle enterprise data. Do you offer an equivalent service, or
not? If you do, why don't employees use it? Among the shadow apps that employees
do use, which are true threats? Which are relatively harmless?
This investigation must
involve interviews or discussions with employees. Buy them lunch if you have to,
and then listen. In essence, your non-IT coworkers are your customers, and if
you can't meet their needs, what's the point of IT?
The Comeback
It's fair to say that IT is behind in the shadow game, and a
comeback must be orchestrated. Once you know what apps employees are using and
why, it's time to go after the offenders in order of risk. So let's say that
the sales department is using a cloud storage service you've never even heard
of to store financial records. It's some obscure, free service that a
Millennial dug up, and it's not designed for enterprise use.
The first step is to talk with the department - explain that
they're using an app that could jeopardize the information security and
compliance obligations of the entire company (this is where people skills come
in). Then, sell them on the better,
safer solution you have identified, and offer to have it up and running ASAP.
Over-deliver: implement quickly, train people and make sure the launch is a giant
success. Continue repeating this process.
Preventative Measures
As you start cleaning out shadow IT - basically by providing
outstanding service - you have to take measures to prevent future activity. HR
can be your best partner in this endeavor. When employees are new at a company,
they are impressionable - and they want to prove themselves. However, most new
recruits never have a face-to-face encounter with IT. Someone emails login
credentials and a link to the self-service portal, and that's about it.
So instead, ask HR for a chance to meet with new recruits. Use
this opportunity to market your services. Illustrate why downloading and using
random apps for business is a huge risk to the company's information security,
reputation and legal obligations. Ask that these recruits come to you instead
of just downloading apps. Be sincere in your offer; otherwise they will
exacerbate your shadow IT problem.
This process will sound unrealistic to people who think about what
IT has been instead of what it could
be. IT has to evolve from the gatekeeper into a pillar of business growth and
enablement. Shadow IT is not a user problem - it reflects a weakness in the
culture of IT. Employees in marketing, sales, finance, etc. aren't trying to
cause trouble - they're trying to do their job effectively, and they resort to
Shadow IT when they lack the right tools and don't expect to get help from IT.
Change the culture of your IT department. Change the mindset of
your users. Turn the current shadow IT into an advantage, and begin to
eliminate this risk from your organization.
About the Author
Israel
Lifshitz is CEO of Nubo, a company that is defining the new virtual mobile work
experience for enterprise organizations. An entrepreneur and experienced CEO,
Israel previously founded SysAid Technologies, a worldwide leader in IT service
management solutions. He tweets @IsraelLifshitz.