While IT teams dream of curbing shadow IT activities, a better solution may lie in stronger IT governance …

With remote working and hybrid arrangements still common in many offices, workers have often resorted to using personal hardware devices and online services and applications without the knowledge of their IT departments.

This practice—referred to as “shadow IT”—exposes the corporate network to the increasingly aggressive cyber threat landscape, and in large firms can be a nightmare to manage.

In fact, according to Bidhan Roy, Managing Director (Commercial Enterprise & Mid-market Segment, APJC), Cisco, shadow IT is expected to be a mainstay of pandemic-era IT governance. See what he has to say in this Q&A with CybersecAsia.


CybersecAsia: How can firms strengthen IT governance amid two challenges: fast evolving global workplace dynamics and heightening cyber threats?

Bidhan Roy (BR): The right IT governance infrastructure is one that can support smooth and seamless operations amid a fast evolving landscape.

Amid increasing demands and regulations on data privacy, firms need to recalibrate business priorities and ensure that IT teams are given the right resources, deadlines, and tools to lay down a solid IT infrastructure.

This entails cooperation across different departments and active involvement from leaders, to ensure privacy and IT requirements are prioritized. By aligning with the relevant regulations and guidelines, coupled with achieving a mindset shift and organization-wide focus on creating an environment that supports concerted efforts across multiple teams, it will be possible to strengthen IT governance. 

CybersecAsia: How can shadow IT be restricted or eliminated?

BR: Serious security gaps may result when an IT department does not know what services and applications are being adopted, and this can lead to new challenges like collaboration inefficiencies and wasted time and money.

However, rather than restricting shadow IT, IT security leaders can look at securing it. This is because many business leaders view this as an essential ally to effectively and quickly execute mission critical business strategies such as digital transformation. In particular, cloud services, especially software as a service (SaaS), have become the largest category of shadow IT.

In view of this, to secure shadow IT applications, firms can introduce processes that enable complete visibility (or Full-Stack Observability [FSO]) into application use across locations and users, assess the extent of shadow IT risk in the organization, and optimize and reduce risk through a combination of enablement and control.

At the same time, workers should be continually trained to exercise caution when utilizing shadow IT applications and ensure they access and store their data in a privacy-preserving and secure manner. 

CybersecAsia: In your view, will more organizations be relying on shadow IT in the immediate future?

BR: As hybrid work arrangements become a mainstay in the future of work, employees will increasingly value flexibility with regard to where and how they get work done.

End users will be accessing applications remotely, along with worldwide digital transformation acting as a main driving force behind shadow IT acceleration. We can therefore expect the use of shadow IT to continue.

To keep up, multiple teams within the IT department—from network operations to application developers and security operations—will need to be in sync. The increase in cloud usage has also created challenges, with the typical organization being aware of only a small fraction of its overall cloud activity. The resultant lack of a coordinated cloud enablement strategy can lead to a broad set of productivity, expense, security and support issues.

One way to secure the network amid the complexity is to adopt a Secure Access Service Edge (SASE). As a cloud-based, as-a-service model, SASE converges comprehensive networking and security functions to support the hybrid workplace. It is designed to provide strong, secure edge-to-edge access, including the data center, remote offices, employees, and beyond.

CybersecAsia thanks Bidhan Roy for his insights.