Apps and Horses
Any CIO can attest to the increasing pressure to use hosted applications. Why pay for and maintain infrastructure when you can pay-as-you-go with services? As apps and services become more common (and their quality improves), employees, management and boards are increasingly willing to try new things. With greater familiarity, the typical concerns related to security are lessening. For example, The Journal of Accountancy lists a monthly feature, “App-titude,” encouraging CPAs to try new apps in an ongoing quest for greater mobility and productivity. To date, I have yet to see any disclaimers in these presentations to make sure IT approves of the app, its use, and how it fits with strategy.
All of this adds to the growing issue of “shadow IT”: the apps, services, and devices containing sensitive data used by your organization’s employees that exist beyond the control (and frequently, knowledge) of IT management. These may be beta-version apps being used to share sensitive data, applications that are either updated without foreknowledge (or never updated at all), and apps that pull data from existing sources and make it available in ways neither intended nor understood. If it is hard to secure what you don’t own, it’s even tougher to secure what you don’t know about. Often, app providers have the ability to inspect the data they host, and can even share it (or its metadata) to generate additional revenue. While most of us understand that data does not exist in actual clouds, that doesn’t mean we know where cloud-hosted data actually does reside, or what providers do with the data once they control it.
Why does this matter?
Many IT shops are not structured to support cloud applications. The necessary skills in vendor management and risk assessment are often skills that IT managers need to learn on the job, if they learn them at all. There is a frequent dynamic of “my network” versus “your applications”, and clarifying responsibilities can be a tough task.
Increasingly, core applications are coming with plug-ins and interfaces that facilitate the leakage of secured data. With ease of sharing, employees can purposefully or unintentionally migrate data to additional systems beyond the reach of IT – home computers, mobile devices, or other services. Data analytics? Open-source databases? There’s an app (or thousands) for that… and the barriers to get that data out of the company are lower than ever.
Recently, we saw the types of widespread outages that can happen when a web provider is taken offline. Single points of failure are challenging for IT, especially when they have no control over even that single point.
What to do?
When checking in with clients I like to ask the following to get a sense of how they are managing emergent opportunities and risks from apps:
- What kinds of apps are you using? (I prefer the term “services” as being inclusive of both applications and infrastructure as a service.) Are they supported by IT? Does IT know about them? Frequently the response is: “How would I know? And how can I find out?”
- What apps are you considering? (I have yet to have anyone respond with ‘None.’) Office 365 is frequently considered by those looking at new ways to augment the standard Microsoft Office package. Dropbox and other collaborative applications are also common, as are WebEx for remote meetings and document collaboration. As an example, each of these offerings showcases the ability to “automatically” and “safely” store data in the cloud.
- How are you managing these services? Often the vendor relationship is managed by someone outside of IT, a business line “superuser.” Depending on the application, this may be fine – or it may be keeping IT management in the dark about data leakage and security threats.
No CIO wants to say no all the time, and most apps are very useful. Many are transformative. The opportunity to make use of these services in a collaborative manner with employees to both educate and enable great productivity is something no IT shop should discard out of hand. Closing the barn door after the horse is out is a weak and ineffective strategy. That said, it IS a good time to locate the horse, ask if any more are wandering about, and consider what kind of fence is needed.
Horses need to run, but it’s best to keep them out of traffic.