Shadow innovation cannot happen without embracing shadow security

The word ‘shadow’ seems to take pride of place in this year’s Logicalis annual CIO survey, which asked questions of over 700 CIOs in mid-market organisations across Europe, the Americas and the Asia-Pacific region. 

Four out of five organisations reported that their line-of-business departments now have dedicated IT staff supporting business-specific technologies and services. 23% of respondents said that decision making was shared equally between the IT function and lines of business. 

Much of this work may be targeted at app development – over 60% of respondents said they were targeting resources at internal applications, slightly more than customer-facing applications and services.

This should be unsurprising given the nature of cloud and mobile development platforms: it is easier than ever to spin up a new virtual machine, plug into a scalable database or create a mobile app.

Simply put, everyone is doing it. A term used was ‘shadow innovation’ — as lines of business grow in confidence, they are getting better at delivering the services they need to do the job, or to help their customers. 

While this could be applauded insofar as it helps business agility, a specific challenge is starting to loom. In another part of the report, 78% of CIOs noted that data security was the biggest issue they faced in relation to the use of cloud services.
When this was broken into specifics, 61% reported the threat of increasingly sophisticated social engineering attacks, with ransomware and corporate extortion a close second at 56%. In other words, the most significant threats were people-oriented. 

The response is straightforward to state, in principle — that people creating new cloud-based and mobile apps and services should be thinking about, and mitigating, the security ramifications. Are they doing so?

Frankly, I doubt it. Survey after survey over the years has seen security as the poor cousin of technology, left until last in the priority list. Unless lines of business have reached some kind of epiphany about IT security that their forebears in the IT department never managed, this will still be the case.

Indeed, it is likely that the IT department will still carry the can for a security breach, even if the source of the problem is a line of business. This is a double whammy, given the challenges CIOs face if they try to impose security restrictions on lines of business.

As Vince DeLuca, Chief Executive Officer, Logicalis US, notes, “The challenge for IT departments and CIOs is to find ways to support these specialists effectively – securing the network and vital data without stifling the ‘shadow innovation’ their skills support.”

So yes, we may be moving from shadow IT to shadow innovation, to the gain of the business as a whole. Lines of business also need to embrace the notion of shadow security, as they cannot expect to have all the flexibility without dealing with the very issues that such flexibility creates. Indeed, the business as a whole may depend on it.
Image credit: Purityofspirit via Wikimedia.