Posted by Ed Macnair / 25 September 2016
One arbitrary Google search of ‘Shadow IT’ will instantly present a buffet of opinion; not to mention some of the most spurious marketing images in the history of the internet.
That’s the trouble with the tech sector, a genuine issue arises and before you can say the words ‘Please. Just. Stop’; everyone (and I mean everyone) has a ‘solution’ and a ‘marketing strapline’ for it. You only have to look at how many times BYOD was rinsed and repeated over the last decade to know where I’m coming from.
Now, that’s a shame for two reasons; the first being that ‘Shadow IT’ itself is an ever-evolving beast that clearly needs to be tamed and quickly; not to mention the fact that it’s a growing concern for almost every CIO on the planet.
Secondly, if every other technology vendor is flogging the term ‘Shadow’ for all its worth, it will inevitably be dismissed as just propaganda and the importance of the message itself, will quickly become grossly diluted.
A message from the other side
I was chatting with a CIO recently; someone known to me but nonetheless a living, breathing example of a respected, capable person in a role (and organization) within which ‘Shadow IT’ represents a massive concern.
I asked him openly (and with no agenda…ahem), what he thought the biggest issues were with the ‘Shadow IT Solutions’ being offered in the market today and his reply was frankly sobering.
He explained that many technology providers who profess to address Shadow IT are a little too fast and loose with the term ‘Solution’; because in reality, they simply have a product which produces an output that tells you…’You have a problem’ – well, gee, thanks Captain Obvious. That may be interesting but it solves nothing.
Now, this particular CIO is one smart cookie by anyone’s measure, so it’s the equivalent to turning up at his door, telling him that water is wet, the sky is blue and Donald Trump is a bit crazy…some things are just blindingly obvious.
Understandably so, he has grown weary of being told his organization has a problem but not being presented with a clear path to resolving the issue – let’s face it, that’s not helpful.
Don’t say CAC, if you don’t mean CAC
I’m currently leading (what feels like) a one-company charge in making sure the term Cloud Application Control (CAC), or if you prefer, CASB delivers on its promise and doesn’t become the latest marketing calling card for the Security world.
The truth is Cloud Access Security Brokers (CASBs) can be a real-world answer to Shadow IT but you have to be able to back it up with facts and capability or you don’t deserve a seat at the table; let alone position yourself as a credible option.
As CAC is evolving, there is also a palpable growing nervousness among the traditional Security vendors and with good reason; most of the world’s biggest brands have barely changed or improved their market offering in recent years, frankly lack context and are fast becoming borderline redundant; particularly when the term shadow is uttered.
As my good CIO friend pointed out, being told Shadow IT is a growing issue is one thing; being presented with a solution that has a meaningful impact is another and here’s a simple fact; that conversation has little substance without CAC.
He quickly found however that capability is scarce which is why consumers of ‘solutions’ should demand proven CAC specialism; vendors that can clearly demonstrate real-time discovery, analysis of cloud applications by enabling true visibility and authentic control.
Proven CASBs don’t exist to pay marketing lip service to virtual shadows, they’re here to solve problems; focus on the user, their behavior and keep the productive world turning, whatever the threat. They’re not thrown by shadows but encourage the use of Cloud Apps and services while keeping the user safe and happy. It’s that simple.
CAC at the top of its game should have the depth to be able to analyze the risk, audit and log all usage, maximizing visibility at the time that an issue or misuse occurs; not act as a forensics tool, that points out the obvious long after it’s all gone horribly wrong.
Ditch the virtual bandwagon before the wheels fall off
Shadow IT may enjoy many-a-marketing headline for some time to come but it makes the issues no less real to those that need to find a solution; of which there are few to say the least.
I’ll also save you the suspense, the term Shadow IT is here to stay for the foreseeable future, so it may be worth coming to terms with it. Cloud Applications aren’t going to disappear anytime soon which means the need to provide answers head-on and quit dancing around virtual handbags is on the rise.
And before somebody in the security market suggests going back to a ‘block and deny’ ethos, I’ll happily remind them that the market has moved on; the role of security, in or out of the shadows both enables and protects or simply ceases to be relevant.
As I told my despairing CIO friend, shadows aren’t the enemy; they just need a little light shed on them.