Even if the former secretary of state set up a private mail server purely for the convenience of using a single phone for both government work and personal use, Hillary Clinton is now the poster child for the dangers of rogue IT. Intentions aside, a move like Clinton’s puts the security of confidential data at risk.
Let’s face it: Former Secretary of State Hillary Clinton pulled a fast one on Americans. She went to great lengths to create a private email system that gave her total control over all email communications, both personal and business-related. It’s not a trivial undertaking to build such a system.
When word got out about her private email system, critics cried foul. They conjured the image of cloak-and-dagger messages passing between heads of state, skirting the government server that secures, monitors and records sensitive emails. They hinted that our country’s secrets may have been stolen by hackers infiltrating a personal email server. They demanded answers.
After weeks of dodging, Clinton finally approached the podium and delivered a mea culpa, along with an excuse clearly meant to appeal to the masses. She said a private email system freed her from the inconvenience of having to carry two mobile devices. (A government-issued phone cannot have personal email.)
“Looking back, it would’ve been better if I’d simply used a second email account and carried a second phone, but at the time, this didn’t seem like an issue,” Clinton says.
Such matter-of-fact reasoning should resonate with Americans who face precisely the same inconvenience at their companies. They, too, don’t want to carry a corporate BlackBerry and personal iPhone. Like Clinton, many employees use personal consumer devices, apps and services for work-related purposes without telling the IT department, a trend known as shadow IT.
And shadow IT puts CIOs in a tricky spot.
Security of confidential corporate data is compromised with shadow IT, since hacking into lost or stolen consumer devices and personal cloud services is easier than hacking into enterprise systems equipped with thousands of dollars’ worth of safeguards. One out of three business units regularly procures its own cloud applications, often leading to security breaches or system failures down the line, according to a recent CompTIA study.
Even worse, the most common corporate data theft is an inside job. With shadow IT, rogue employees can more easily steal intellectual property and give it to their next employer, usually a competitor.
Can IT beat (or even hope to contain) shadow IT?
So far, there have been two schools of thought on how to thwart shadow IT: the proverbial carrot and stick. Proponents of the latter draft draconian policies with severe penalties that may include firing employees caught using shadow IT or violating security protocols. Whether IT offers perks for compliance or comes down hard on perps, the issue isn’t going away.
“Heavy-handed approaches are not going to eliminate shadow IT, it’ll just go farther underground,” says Steve Riley, deputy CTO at Riverbed, an enterprise software vendor. “There’s no positive outcome for being a disciplinarian about something like this. You might end up with services that are even more dangerous, where people now actively seek to circumvent policies.”
Usually, employees who decide to engage in shadow IT don’t have bad intentions. They do so because what they’re getting from corporate IT isn’t good enough: Corporate-issued devices and apps are clunky, enterprise security measures ruin the user experience, and IT is too slow to respond to requests.
CIOs need to change this perception but not in an antagonistic way. Riley advises CIOs to work with employees in areas where shadow IT tends to start and spread, such as file sharing and instant messaging. It’s easier to rein in data from five services than 30, Riley says.
Battling on another front, CIOs should reach out to shadow IT vendors with an olive branch. While it’s reactionary to slam vendors for bypassing IT, this won’t stop them from selling directly to employees. Instead, CIOs should focus on building a relationship with vendors so that their services can spread throughout the organization on a long-term basis rather than being sold to individuals and business units on an ad hoc basis, Riley says.
CIOs can use Clinton case as a teachable moment
Ironically, the Clinton case might help CIOs fight against shadow IT by spurring employees to police themselves. Even if the political furor over Clinton’s private email system subsides and continued debate shows shadow IT as a common practice — “Colin Powell, Rick Perry and Jeb Bush used private email” for government business, Riley says — this doesn’t mean there aren’t severe consequences.
There will likely be inquiries about whether or not Clinton broke the law. Her reputation as someone to be trusted has been tarnished. Her peers might think twice about lending their support if she put her political party at risk. If a smoking-gun email surfaces or a national security breach comes to light, Clinton will be under fire.
CIOs hope these fears have lasting effects, at least in the workplace. Clinton proved that she wasn’t able to get away with her personal email system, and the fallout to her career can be great. Her situation should sound a warning to employees about the dangers of shadow IT.
“The message is, if you try to circumvent us, then you’re going to cause pain for yourself,” Riley says. “But if you work with us, we’re more than willing to give you whatever you need.”