Accompanying the increasing use of shadow IT—information technology tools and solutions that are specified, provided, and/or supported by teams outside the official IT department—are a number of major security risks that federal IT professionals do not have the control or confidence to manage, according to the results of a new survey.
SolarWinds, a leading provider of IT performance management software, and government market research firm Market Connections conducted an online survey of 200 federal government IT decision makers and influencers in June 2015 to assess how federal IT pros are adapting, managing and assuring oversight in the areas of shadow IT, mobile technology and IT shared services.
The survey results revealed most respondents believe the use of shadow IT is somewhat prevalent in their organization. Furthermore, 69 percent of respondents expect the use of shadow IT to increase in the next two years, with 25 percent expecting a significant increase.
Nearly half of those surveyed attributed the increasing use of shadow IT to a long, cumbersome acquisition process. These responses corroborate the findings of a report by cloud security company Skyhigh Networks released earlier this year.
As previously reported by Homeland Security Today, the Skyhigh Networks report found strict security requirements and lengthy procurement times are among the major factors driving federal employees to find their own cloud solutions. Consequently, shadow IT has become prevalent in the public sector, with Skyhigh Networks estimating shadow cloud services are 20 times more prevalent than sanctioned cloud.
The SolarWinds survey pointed to a number of other reasons triggering the use of shadow IT, including perceived lack of innovation by the IT department, overly restrictive security controls for standard IT projects, increased user knowledge of what is commercially available, faster implementation times by individuals than the central IT department and a disconnect between the agency’s overall strategy and the goals of the individual department.
“Fully securing a federal IT environment will undoubtedly remain a key concern for IT pros, and as control issues creep in with shadow IT and the mass adoption of mobile devices, security is brought to the management forefront,” said Joel Dolisy, CIO and CTO of SolarWinds.
Although shadow IT can create significant security gaps within an organization, it is not a high priority or area of leadership focus for many organizations. Even so, 71 percent of respondents indicated security consequences are the biggest issue with shadow IT. Duplication of IT efforts, lack of interoperability and lack of adequate performance monitoring were also cited as significant issues.
Despite the potential security risks, only 13 percent of respondents are very confident in their ability to protect against the negative consequences of shadow IT.
Organizations using management and monitoring tools, however, are significantly more confident than those who do not in their ability to protect against the negative consequences of shadow IT.
Respondents also recommended improving the security of existing systems, educating employees about the proper use of technology, involving department heads and end users in the decision-making process and developing policies that strike the right balance between flexibility and control.
“SolarWinds’ study provides detailed insight into how federal IT pros are adapting, managing and assuring oversight as shadow IT, mobile technology and shared services continue to grow in their environments,” said Laurie Morrow, director of research services at Market Connections, Inc. “This research reinforces that fully implementing multiple management, monitoring and security tools provides significantly more control and confidence throughout IT organizations in the wake of this change.”
The report also addressed a lack of confidence in data protection even with agency control of mobile devices. While over one third of respondents indicated only agency-owned mobile devices are allowed to access their systems, 80 percent of respondents still believe that mobile devices pose either a significant or minor threat to their agency’s security.
Moreover, only 25 percent of respondents are very confident in their agency’s ability to effectively protect their organization’s data. A significant number of those who are confident in their organization’s mobile security controls have security training for all mobile users at their organization.
As with shadow IT, those organizations using management and monitoring tools are more confident in their ability to manage their organization’s mobile security controls.
As shadow IT and mobile device use continue to expand within federal IT environments and IT professionals’ confidence in their ability to manage the accompanying security risks wanes, the adoption and benefits of IT shared services are overcoming cultural resistance.
The report found IT shared services continue to gain traction in federal IT, delivering financial and performance benefits despite perceived concerns that IT shared services compromise security, performance and control. The key benefits noted include saving money by eliminating duplication, more consistent performance due to standardized delivery of IT services and achieving economies of scale.
More than 80 percent of those surveyed indicated either an internal shared services model or an outsourced private partnership is most likely to provide superior customer service versus no shared services. Cultural resistance, perceived decreased flexibility and lack of executive buy-in are cited as the major obstacles to adoption.
“Agency leaders must not only provide their IT pros with the right tools to maintain control and security of their infrastructure, but remain flexible in considering operational and organizational changes like IT shared services that can help institute agency-wide security protocols and more,” Dolisy said.