This interview is an excerpt from our recent guide, The Future of Cybersecurity, which examines 15 trends transforming the way government safeguards information and technology.
Increasingly, consumers want to bring their own technology solutions and devices into the workplace. However, “shadow IT” – unauthorized devices used within the workplace without the knowledge of the IT team – creates challenges for organizational cybersecurity efforts, especially in the public sector. In a recent interview, Joel Dolisy of SolarWinds, explained why we are seeing a rise in shadow IT and offered suggestions to address such cybersecurity challenges.
The Problem
Why exactly are new trends like shadow IT and mobile technology challenging cybersecurity efforts? The answers lie in the growing commercialization of IT itself.
“Everyone is using mobile devices nowadays,” Dolisy said. “It’s so pervasive that everybody believes they need to be able to use those devices at the office. Therein lies the problem. Because of the popularity of mobile technology and devices, you’re going to try to use more IT capabilities that may not be secure.”
Even public sector employees seem determined to use their mobile technologies in the workplace. But many don’t realize the cyber risks they pose to their organizations, especially when IT departments are kept in the dark about the use of such technologies at work. This leads to loss of control of the cyber environment.
Better Understanding of the End User
Federal IT professionals need to identify triggers that cause users to implement their own unsecure mobile devices. Why do users seem willing to compromise their own security for their own tools?
Dolisy attributes this to the need to feel technology-forward. “They’ve all become IT managers in their own home, so they believe they know everything,” he said. Users always want to feel like they have access to the latest gadgets. Sometimes, a user’s need to feel technology-forward leads to the sentiment that they know better than their IT counterparts.
Dolisy also attributes the increase in shadow IT to convenience. “Security always takes a backseat to convenience,” he said. “People like the convenience of being able to use their own devices and don’t necessarily think about the consequences. They don’t think about how someone can easily gain access to their devices from outside the organization.”
Identifying triggers to unsecure mobile device use can help federal IT professionals better develop safe practices while ensuring their employees’ technological needs are being met.
Active Management as a Solution
To better secure federal IT environments while accommodating people’s need to use their own devices, Dolisy suggested focusing on the active management of endpoint security.
“You definitely don’t want to micromanage everybody. But at the same time, you don’t want to put your head in the sand and hope for the best,” Dolisy said. “What you need to do is actively manage endpoint security by tracking new devices and networks. Your IT team needs to understand what devices are connected to your network, to whom they belong, and what they are accessing.” Proactive monitoring from federal IT departments can enable employees to explore newer mobile technologies while maintaining information security for their organizations.
Combating Compromising Practices
In addition to proactive monitoring, Dolisy suggested two additional approaches to combat compromising behavior: awareness and network management. Awareness campaigns are excellent tools to educate employees about their mobile technologies and potential threats to cybersecurity. Network management ensures protocols are up to date.
“You need to make sure that there’s an awareness campaign in place and that, in managing configurations, necessary devices are regularly patched, protocols being used are the latest versions, and ensure systems don’t contain any vulnerabilities,” Dolisy said.
He emphasized the importance of having strong policies in place for controlling access to your organization’s networks. Such policies help IT professionals track who uses the network, how they access the network, and what devices they use.
Finally, Dolisy recommended keeping tabs on public and private sector business cycles in order to identify strong partners for better problem solving. Organizations can keep up to date on cyber risks and mobile technology by learning best practices from third party organizations and identifying common vulnerabilities.
Dolisy concluded, “The whole concept of shadow IT is that you want it to be hidden. The best thing is to shed light on those behaviors and practices. If you’re actively managing and monitoring, then you can move towards partial access of newer mobile technology and devices, which, in the end, will make your user happy.”
Totally missed the number one driver of increased shadow IT: The failure of the IT department to deliver useful technology and applications when and how end users need them. There are two types of federal managers outside the IT shops: those who never tolerate or allow any type of shadow IT whatsoever and those whose offices actually get some useful work done.