What Business must do when IT goes Shadow dancing

–Brian Pereira

A few years ago we heard about BYOD (Bring Your Own Device) and now everyone is talking about Shadow IT or Bring Your Own IT. There’s a trend of more employees working outside the office, be it from a hotel room, a customer site, a café or from home. And these road runners are building their own IT infrastructure, using personal clouds for storage and helping themselves to software applications off the cloud; Excel spreadsheets and PDF docs are exchanged over email. Heavier files like images, voice files, and videos are transferred over cloud-based file transfer services. And communication happens over WhatsApp, Skype or instant messaging on social media sites. All this must be giving the CISO (Chief Information Security Officer) or Chief Risk Officer sleepless nights. We asked Ruggero Contu, Research Director, Gartner, how organizations must act to safeguard their information assets in the wake of the shadow IT trend.

Ruggero Contu, Research Director, Gartner: “Shadow IT does not require approval for deployment. It could be something like deploying a service like Dropbox. Organizations should seek better visibility and better control on shadow IT. There are tools like CASB (Cloud Access Security Broker) that can provide better visibility.”

Some organizations try to block access to online resources and social media sites when they find out that their employees use these services and tools at the workplace. Ruggero (and other Gartner analysts that we heard at the summit) feel that this is the wrong approach. Rather, organizations should empower users to use these services, in a responsible manner, of course. And these actions should be closely monitored, if necessary, to ensure that resources are not misused.

As former US president Ronald Reagan used to say, “Trust, but verify.”

“Employees must be made aware that they are responsible for the manner in which they deploy and use these resources. They should be empowered rather than dissuaded. You can do this through training and by creating awareness,” said Ruggero.

Shadow IT can also happen at a departmental level. For instance, the marketing department may deploy its own applications from the cloud.

While most organizations may permit this, it is imperative to deploy sufficient controls and monitoring mechanisms, advises Ruggero.

“I’ve had conversations with marketing departments and for them social media was the key to their functioning. In many cases, the business actually sponsored the purchase of controls that facilitated the use of social media in a more secured fashion,” said Ruggero. “It is not the Security department or IT that is paying for that – it comes from the business or a particular department.”

So the resources to support shadow IT come from outside the IT department.

“There are various ways to check shadow IT, like Mobile Device Management, containerisation, sandboxing, end-point detection and remediation, threat intelligence services, monitoring user behaviour, etc. So there is a new set of security technologies emerging. However, some challenges will remain, especially when you have a private device (BYOD).”


  1. The writer visited the Gartner Security & Risk Management Summit 2015 in Mumbai, held between September 1 – 2, 2015. More reports on the summit follow.
  2. “Shadow Dancing” is a disco song performed by English singer-songwriter Andy Gibb that reached number one for seven weeks on the Billboard Hot 100 in 1978. (Wikipedia)
