Shadow IT: Resistance is futile

By John McClurg, Chief Security Officer for Global Security Organization, Dell

There are many reasons why employees turn to “shadow IT.” These tools are built to exploit the limitations of some corporate IT departments. They are generally convenient and easy to use. They are fast and affordable. They help people share and access information from anywhere, at any time. Bottom line, they help employees get their jobs done, on their terms. 

It is not unreasonable to feel anxious about this. Having employees use so-called shadow IT solutions is inherently less secure. But it is futile to resist. The proverbial train has left the station. 

The source of both shadow IT’s appeal and the anxiety it causes IT departments is the same: the ease with which data is shared and accessed.  We, the CSOs, CISOs, and IT managers of the world, spend our days and nights thinking about data – how to manage it, secure it, contain it, and comply with regulations. 

But data cannot and should not be fenced in. To limit the flow of data is to stymie the innovative capability of your organization. The very competitiveness of your company is at stake. 

So here is what we suggest: 

1. Manage what is constant. Secure the data 

The way we access, store, and share data will always change. Cloud and mobile are just two of the latest advancements in the relentless evolution of information technology. But the one relative constant, at least in the sense of its ever-ubiquitous presence, is the data itself. All other IT decisions, from networks to laptops to mobile phones, are advanced in service or support of the data. 

So when it comes to securing the enterprise in the face of shadow IT, it makes sense to focus on the data itself. It’s unlikely we’ll ever be able to manage all of the ways data can be stored and shared. But we can exercise control over how the data is secured. 

2. Work to secure shadow IT, not shut it down 

As stewards of enterprise IT, we have an obligation to express our needs and share our expertise with the industry that designs and builds shadow IT solutions. We should advocate for enterprise-grade security to be built into shadow IT solutions, integrated from the start, and advise these companies on the requirements. 

This would not only address the reservations of IT managers, but also help build the market for the vendors of these solutions. Together, we can create a more symbiotic relationship. 

3. Create a culture of information security 

Studies have shown that up to 70 percent of data breaches typically aren’t caused by failures of security hardware or software, but by the humans using those systems. IT security technologies will become more sophisticated and efficient, but they are only as effective as the people who use them (or don’t).

Everyone must be part of the solution and appropriately accountable for both its successes and failures. And the key to establishing a culture of information security is clear and consistent communication of expectations through employee education and training.  

If we work together to implement these changes, we can ease the pain between shadow IT and approved IT, and lessen the size of the gap through which an adversary might attempt to attack. And we will empower employees to work more securely, enabling the collaboration and innovation that are in the DNA of any future-ready enterprise.

Saying “no” to shadow IT is not a winning strategy. But with these approaches in place, you can protect your data rather than fencing it in. You can work with service providers and employees to articulate stronger security practices. You can say “yes” to shadow IT. 

Learn about Dell’s end-to-end security approach at
