The 6 Keys For CIOs Managing Shadow IT


A CIO's job is never done. Cloud computing and Bring Your Own Device (BYOD) have pushed security risk to an all-time high. Even if your own systems are secure, that does not mean every device employees use will be. Managing hardware, software, and personal devices is a never-ending battle for IT leaders trying to maintain security.

The Keys To Managing Shadow IT

Managing these devices, unapproved software, and apps is becoming a larger part of IT teams' work and budget; an estimated 40 percent of all IT spending now occurs outside the IT department itself. You have to worry about how employees interact with software, file sharing, and social media while using devices at work. Office 365 and other cloud-based applications mean IT professionals need to go beyond physical infrastructure security and monitor security and compliance in SaaS (Software as a Service) applications as well.

1. Clear Policies And Procedures

Security starts with setting clear guidelines on what is acceptable in the workplace. Employees still have to be able to do their jobs, but you can limit your exposure by putting strong security procedures in place.

Every employee should be trained during onboarding on what is acceptable, and periodic refresher training helps ensure team members keep taking the necessary precautions. IT leaders should make sure workers know they need permission before adding any new device or application that integrates with company networks.

These guidelines need to address BYOD, cloud services, and apps, including those on employees' personal devices that connect to your network in any way.

2. Constant Monitoring And Vigilance

It's not a matter of if, but when, you'll have a problem protecting your data. You need constant vigilance to monitor your networks for new or unknown devices. The more quickly you identify Shadow IT, the faster you can deal with it.

Continuously compare what is actually connected against your inventory of approved devices, and raise an alert whenever a new connection or device appears. Identify cloud access using log data from firewalls, proxies, and your security information and event management (SIEM) system.
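As an added example that is not part of the original article, the following Python script shows the comparison described above run over a few constructed proxy log lines: any device whose MAC address is missing from the asset inventory is flagged, and so is traffic to a cloud service that is not on the sanctioned list. The inventory, the sanctioned and cloud domain lists, and the five-field log format are all assumptions made for the illustration; in practice the inventory would come from your CMDB or MDM export and the log lines from your proxy or SIEM.

```python
"""Shadow IT detection over constructed proxy log lines.

Flags (1) devices not present in the asset inventory and
(2) use of cloud/SaaS services that have not been sanctioned.
All data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed asset inventory: MAC address -> hostname (hypothetical entries).
INVENTORY = {
    "aa:bb:cc:00:00:01": "fin-laptop-01",
    "aa:bb:cc:00:00:02": "eng-desktop-07",
}

# Constructed list of SaaS endpoints the organisation has approved.
SANCTIONED_SAAS = {
    "outlook.office365.com",
    "login.microsoftonline.com",
}

# Constructed, partial list of domain suffixes identifying cloud/SaaS
# services. A match here that is not sanctioned counts as Shadow IT.
CLOUD_SUFFIXES = (
    "office365.com", "microsoftonline.com", "dropbox.com",
    "slack.com", "trello.com", "drive.google.com",
)

# Constructed proxy log lines in a hypothetical format:
# <timestamp> <client-ip> <client-mac> <destination-host> <http-status>
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.1.20 aa:bb:cc:00:00:01 outlook.office365.com 200
2024-03-01T09:00:05 10.0.1.20 aa:bb:cc:00:00:01 www.dropbox.com 200
2024-03-01T09:01:12 10.0.1.44 aa:bb:cc:00:00:02 login.microsoftonline.com 200
2024-03-01T09:02:30 10.0.1.99 de:ad:be:ef:00:99 api.trello.com 200
2024-03-01T09:02:31 10.0.1.99 de:ad:be:ef:00:99 intranet.corp.example 200
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<mac>[0-9a-f:]{17}) (?P<host>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of a well-formed log line as a dict, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cloud_host(host):
    """True if the host is, or is a subdomain of, a known cloud suffix."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)


def detect_shadow_it(log_text, inventory=INVENTORY, sanctioned=SANCTIONED_SAAS):
    """Scan log text and return two findings.

    unknown_devices:    MAC -> sorted hosts contacted (device not in inventory)
    unsanctioned_cloud: host -> sorted MACs that used a non-approved cloud service
    Malformed lines are skipped rather than aborting the scan.
    """
    unknown_devices = defaultdict(set)
    unsanctioned_cloud = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mac, host = rec["mac"], rec["host"]
        if mac not in inventory:
            unknown_devices[mac].add(host)
        if is_cloud_host(host) and host not in sanctioned:
            unsanctioned_cloud[host].add(mac)
    return {
        "unknown_devices": {k: sorted(v) for k, v in unknown_devices.items()},
        "unsanctioned_cloud": {k: sorted(v) for k, v in unsanctioned_cloud.items()},
    }


if __name__ == "__main__":
    findings = detect_shadow_it(SAMPLE_LOG)
    for mac, hosts in findings["unknown_devices"].items():
        print(f"UNKNOWN DEVICE {mac} contacted: {', '.join(hosts)}")
    for host, macs in findings["unsanctioned_cloud"].items():
        print(f"UNSANCTIONED SAAS {host} used by: {', '.join(macs)}")
```

Run as a script it reports the unknown MAC and the two unapproved SaaS hosts in the sample; in a real deployment the same function would be fed the day's proxy export and its output turned into SIEM alerts or tickets.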

3. Lock Down The Basics

Make sure you have a full inventory of everything on your networks, and implement best practices such as:

  • Isolate vital systems
  • Segregate data, users, and resources
  • Assign minimum privileges
  • Back up resources
  • Have a disaster recovery plan
  • Monitor and record activity
  • Test and improve

4. Approved Access

You have the right to limit access to anything you believe increases security risk. You always have to balance the needs of employees against those of the organization, but when you find elevated risk, it is your job to restrict access to approved software.

That means guidelines, onboarding, and training of staff. You will also need to provide approved alternatives.

5. Provide The Tools Employees Need

Team members need the tools to get their jobs done. If the company doesn't provide them, they find workarounds, and each additional device, app, or cloud service they use increases your security risk.

You need to provide secure solutions not just at your physical location, but for remote and work-from-home employees. Over the last five years, the number of remote workers has grown 44 percent. It is more secure to have employees use your approved devices and software than whatever they have on hand.

Make sure employees understand the security risks of connecting remotely and take the necessary precautions, including using approved VPNs and approved browsers so that company data is accessed over a protected connection.

6. Risk Assessment

It would be easy if we could simply limit network access and close off outside connections. In the real world, it isn't that simple: employees need access to do their jobs, and it's nearly impossible to conduct business without accepting some level of risk.

The job of CIOs, CISOs, and IT managers is to limit that risk wherever possible. Maintain an inventory of the cloud services in use and of potential threat entry points, and address them. When you see someone doing something that increases your exposure, deal with it promptly.

Managing Shadow IT

Managing Shadow IT is a big job, but it is crucial to maintaining data security. Following these six steps will reduce your risk.

About the Author

Matt Shealy is the President of Chamber, which specializes in helping small businesses grow on the web while facilitating connections between local businesses and more than 7,000 Chambers of Commerce worldwide.

