Achieving mutual trust between a security team and its constituents while balancing rules and culture is critical when trying to deal with the shadow IT phenomenon, says Liam Hausmann for Atlassian.
Shadow IT, of course, is technology that has crept into the organisation without administrative oversight. In some companies, most of the cloud applications in use are “shadow” in this sense, and therefore risky; a substantial share of attacks is predicted to arrive via shadow IT.
Yet people use shadow IT because it can offer them some way of working or feature that the company-approved tech does not. Often, it relates directly to increased productivity.
“Managing the benefits and risks of shadow IT comes down to two balancing acts: balancing rules with culture, and balancing security with flexibility,” Hausmann explains.
“Reaping the benefits of these balancing acts is only possible through mutual trust between the security team and its constituents.”
This doesn’t mean abandoning rule-making, but simply being “more selective” about the rules and how they are followed. Hard and fast policies, adds Hausmann, often just don’t work, and they increase the distrust between security teams and grassroots workers.
Protect the company’s most sensitive data and locations, he says.
“At the same time, cultivate a culture of collective responsibility within the rest of the organization, so every individual in the company understands their role in security. This starts with providing transparency into the security posture of the company, and engaging with other departments to create a shared understanding of the needs of the business,” Hausmann continues.
The Atlassian blog goes on to explain the role of balancing security against flexibility when it comes to combating cloud software threats.
“Most conversations around shadow IT fail to acknowledge a critical point: that the IT team may not even be ready or equipped to bring the full array of shadow IT tools used by the organization under administration,” adds Bill Marriott for Atlassian.
“This is where a strategy that includes a measure of flexibility comes in handy.”
This can allow the IT team to stay focused on its strategic priorities rather than managing every tool its constituents adopt. Start by developing an understanding of the landscape.
“Map out both your administered IT and as much of your shadow IT as you can find, and the data your company touches, both sensitive and non-sensitive,” writes Marriott. “Next, identify your risks and priorities. Within that landscape, what systems are important enough that they absolutely need to be centrally administered?”
With those priorities settled, Marriott explains, the right focus becomes possible. Deciding on the company’s priorities lets the security team map out a plan for newly added or discovered tools or data, including whether they require centralised administration. Communicating these priorities and the strategy behind them across the organisation, he concludes, also builds trust across and between teams.