Out of the Shadows

Published 11/23/2016

By Patty Hatter, Vice President and General Manager, Intel Security Group Professional Services

How to Bring Cloud Usage into the Light

On any given day – with a quick spot-check – you’ll probably find that up to half of your company’s IT usage is basically hidden in the shadows of various business units. Marketing, finance, sales, human resources, and engineering are using file sharing services with customers, online collaboration tools with contractors and suppliers, and multiple SaaS solutions in addition to on-demand IaaS compute resources. Business areas oftentimes make swift decisions to keep their business operations running. As departments look for the best way to do their jobs and efficiently meet their business objectives, they opt for immediate solutions that often operate outside of corporate IT security policies and guidelines.

When it comes to business units – if you haven’t created an environment of trust – IT can quickly rank as the least-loved group in a company. Worse yet, you could be seen as the department of prevention. While the business units are looking for new apps or elastic compute to increase productivity, IT is looking for efficiency, security, and compliance. Departments will sidestep IT if they believe the needed services won’t be available in time, or if the value proposition is weak.

In today’s cyberattack-riddled environments, “shadow IT” is undeniably risky. To ensure optimum safety, you’ve got to bring IT into the light. Multiple file sharing services have been breached, and credential theft can potentially allow an adversary into any of these services. You’ve got to have IT security experts involved in the selection of these cloud services or construction of private clouds. Period.

Soon after joining McAfee, I took on the added responsibility as CIO in addition to my role as VP of operations. No easy task – but I saw what the business functions needed to move forward, and I knew that IT had to be at the center of it, as a “reliable and trustworthy business partner.” My first objective was the transformation of IT into a more collaborative and positive role. There was a lot of shadow IT at the company then and a pervasive attitude of mistrust.

Transformation is an issue of trust. If other groups within the company felt they could not work with IT, we needed to counter that perception. We started with the business functions, which tend to have simpler IT needs, such as marketing and sales, and moved up to the big challenge of winning over engineering.

Start with forgiveness

“It’s easier to ask for forgiveness than permission” is something you often hear when groups are discussing a shadow IT project. I suggest approaching with an attitude of forgiveness and understanding – to rebuild what are often strained relationships. Recent hacks and breaches will make this easier. You may have to remind your colleagues that their data is better off under the IT security tent if something bad happens, and that you will be their partner in this. Having to face the board of directors because the new marketing strategy, product designs, or customer data was stolen is a scenario that should convince most managers to at least participate in talks.

Build trust with transparency

You still need to address the agility and cost issues that are the root cause of shadow IT, or the problem will persist. We put together an effective governance model that enabled a high level of transparency on what was and wasn’t working. IT doesn’t always think the same way as the other groups, and clear communication and governance were important steps to understanding the business unit’s needs and building trust. Developing the cost models together, our business units realized that they got a much better financial deal when working with IT. Moreover, they were operating within the boundaries of corporate security policies.

Set up a cloud architecture team

Tackling shadow IT from the engineering department brought new issues to light. With their own technical resources, “do it yourself” is often the default path for engineering. This not only results in a gap between IT and engineering, but different development stacks and services between the various product teams, which makes it costly and difficult to scale. We set up an engineering/IT cloud architecture team to build a consistent set of use cases and identify big bets that we could put our joint resources on, so we could move forward quickly. It took time to get this started, but we were playing the long game here, working to bridge these two groups, not trying for a quick takeover.

In the end, the teaming approach among IT, the business functions, and engineering enabled us to develop a total view of business needs and a joint architectural approach. We had full visibility of the on-prem and SaaS managed infrastructure and capabilities that allowed us to get the results we needed, like rapid achievement of new capabilities and an improved cost model.
