Most IT decision makers agree cybersecurity is the nut to crack in 2019 and beyond, but IT departments are surprisingly permissive with risky internal practices like shadow IT.
The cybersecurity industry is replete with studies analyzing the trends and the challenges in this vertical. But inconsistent, or even contradictory, results are not uncommon. One of the latest is NetEnrich’s 2019 Cloud Adoption survey on public cloud adoption in enterprises. While the report is geared toward cloud-related matters, it also highlights some interesting results on cybersecurity practices at organizations with 500 or more employees.
Cloud security “paramount” at 72% of the firms
Almost three quarters of those surveyed said cybersecurity will be their biggest priority in 2019. Some 33% said security was their biggest concern when migrating data to the cloud, and 20% cited privacy as a top concern.
“These data points reflect the growing challenge of how to protect company, employee, customer and product information, while simultaneously accessing the innovation, cost and efficiency benefits that come with moving more infrastructure and applications to the cloud,” the researchers said.
Security risks pose ‘biggest concern’ for IT departments
In another key finding that seems to support the consensus on prioritizing cybersecurity, 68% of IT decision-makers said security risks were the biggest concern about the future of their IT organizations. IT spend and cost overruns came second, cited by 59%, suggesting that IT professionals are spending an inordinate amount of time on day-to-day maintenance, as opposed to tasks such as troubleshooting, root cause analysis and post mortems that might deliver greater cost savings down the road. Finding and hiring skilled staff was also a top cost concern for 48% of those surveyed.
From ‘keeping the lights on’ to achieving business objectives
Despite IT’s growing focus on securing the infrastructure and the data flowing through it, IT decision makers feel growing pressure to commit to driving successful customer engagement. Further down the list of priorities are integrating software and dedicated support.
“Here again, the data shows that IT’s priorities are shifting. Until recently, IT was focused mainly on ‘keeping the lights on,’ with only a passing interest in how the services it provided impacted customers. Today, with most companies recognizing the direct connection between technology and customer satisfaction, IT’s primary focus has shifted to how it can help the business achieve its stated objectives.”
Shadow IT getting out of control?
Here’s where the results begin to shake a little. In what researchers call an “alarming” statistic, 20%-40% of enterprise technology funding is now spent outside IT’s purview, according to more than half of survey respondents. These so-called Shadow IT initiatives finished last on a list of seven potential top concerns for IT in 2019, the report reveals. While some consider Shadow IT an important source of innovation, the practice often deviates from organizational requirements for control, documentation, security, reliability or compliance.
“Is this because IT is becoming more comfortable with the idea of business users driving technology decisions and acting as their own support staff, or has IT accepted that, despite its displeasure with this development, it simply doesn’t have the ability to control the problem?” researchers pondered. “Regardless, the statistics indicate that Shadow IT isn’t going away, and that IT pros may have to reevaluate their roles, skills and how best to add value.”
Shadow IT is generally described as any application or transmission of data not under the jurisdiction of a centralized IT department. Examples range from ordinary USB flash drives to Gmail. Other examples of shadow IT include the use of Excel macros, unauthorized cloud solutions, third-party business insights systems, VoIP solutions, and BYOD.
Since the IT department neither developed nor supports Shadow IT practices – and may not even be aware of them – such applications greatly increase the likelihood of ‘unofficial’ and uncontrolled data flows. They also make it more difficult to comply with the increasingly harsh data protection laws in today’s digital economy, such as the relatively new General Data Protection Regulation. The EU’s GDPR alone is capable of shuttering an entire business, should regulators decide that it was negligent in a data breach that seriously impacted end users.