With shadow IT and ‘shadow AI’ becoming routine across organisations, Terry Storrar, Managing Director at Leaseweb UK, explores why visibility, not blame, is now the starting point for security.
The challenges posed by shadow IT are significant, not only for IT departments but also for the data centres that play a major part in managing today’s infrastructures. Whereas a decade ago, the use of unofficial software, apps or services away from the IT department’s radar, was more limited to individuals using personal devices for work, the picture today is vastly more complex with the use of shadow IT set to reach record, highly concerning levels.
Gartner has predicted that by 2027, 75% of employees will make use of technology that is not visible to or approved by company IT departments, up from 41% in 2022. Similar to a covert operation, individuals are becoming more adept in using tools and services, including SaaS and shadow AI tools, to achieve what they need to get their jobs done. As many as 67% of employees in Fortune 1000 companies use unapproved SaaS applications. A recent survey also highlights how the use of shadow AI tools is presenting a growing security risk to UK organisations, with 71% of UK employees saying they have used unofficial consumer AI apps at work.
Although on the surface this initiative enables people’s jobs, by using shadow IT, employees are creating multiple, stealth, security risks and vulnerabilities across their organisation and it is becoming ever more challenging for IT teams to manage this.
Cloud and digital disruptive technologies have further spurred the problem. No longer is it a matter of moving a physical server hidden under a desk or a handful of workloads to a data centre. With SaaS subscriptions activated with an email address and credit card, it is possible for anyone within a company to unintentionally become a ‘mini’ system administrator outside the auspices of official IT. And the use of just one inconsequential app or tool could be the reason for a security breach far out of proportion to its cost.
A culture promoting IT visibility
It is essential to recognise that employees use shadow IT to get their work done efficiently, not to deliberately create security risks. This should be front of mind for any IT teams and data centre consultants involved in infrastructure design and security provision.
Finding blame or taking an approach that blocks everything does not work. A more effective way to address shadow IT use is to invest for the long term in a culture which promotes IT as a partner to workplace productivity, not something which is a hindrance. Ideally, this demands buy-in from senior management.
Although it falls to IT teams to provide people with the tools for their jobs, providing choice, listening to employees’ requests and offering prompt solutions, will encourage the transparency so much needed for IT to analyse usage patterns, identify potential issues and address minor issues before they grow into costly problems. Importantly, this goes a long way towards embracing new technologies and avoiding employees turning to shadow IT that they find and use without approval.
If the finance team wants to set up a new reporting tool, then it makes sense to involve IT from the outset of the procurement process to ensure that the tool is safe and compliant with security. This mindset shift also facilitates openness and innovation through all areas of an organisation, so people are less inclined to circumvent IT’s involvement.
A marathon not a sprint to reduce security risk
While IT teams are focused on gaining visibility and control over the software, hardware and services gainfully used by their organisations, they also need to be careful not to stifle innovation. It is here that data centre operators can share ideas on ways to best achieve this balance, as there is never going to be one model that suits every business. This includes advising on capacity planning, network speed, monitoring and security tools.
It is widely acknowledged that many people tap into shadow IT when approved tools work too slowly or do not have sufficient functionality. Thus, data centre professionals can optimise network speed to deliver these effectively. Similarly, if the marketing department downloads a tool that holds customer data, then a data centre team is well placed to identify this, assess risk and quickly provide an authorised cloud network storage alternative.
Although some organisations may opt for on-premises equipment to meet specific performance or compliance requirements, the majority of companies are choosing to put most workloads into hybrid cloud models that offer flexibility and transparency along with choices of multi-level security. The huge benefit is that organisations have endless choice of providers to mix and match their services.
Today’s data centre professionals are highly skilled in helping pull IT systems together into a consolidated strategy for the entire IT environment that achieves high levels of security, compliant processes along with flexibility and freedom. And although this is a marathon, organisations that invest now will reduce their shadow IT risks in the longer term.
