If government CIOs want to bring IT out of the shadows, they need to start by understanding what kind of tools agency personnel need to do their jobs.
That's one of the chief takeaways from a new study looking at shadow IT in the government -- those unauthorized applications and services that employees use without the permission of the CIO and the tech team.
The new analysis, conducted by cloud security vendor Skyhigh Networks, identifies a startling amount of applications in use in public-sector organizations. According to an analysis of log data tracking the activities of some 200,000 government workers in the United States and Canada, the average agency uses 742 cloud services, on the order of 10 to 20 times more than the IT department manages.
That's a large number, but not out of step with what Skyhigh has observed in the private sphere, according to CEO Rajiv Gupta.
"The first thing I would say is yes, it's alarming, but it's not unique. Some of these issues are what we see in the commercial sector, as well," Gupta said in an interview.
Gupta points out that the rise in shadow IT is a logical outgrowth of the easily accessed, often free cloud-based applications employees use in their personal lives, and increasingly expect to bring to the office.
So the use of unauthorized applications, though a potentially severe security risk, often results simply from employees trying to do their work more efficiently, Gupta says, urging CIOs to connect with the business units of their enterprise to get a better sense of where the needs lie.
"The first thing that CIOs need to do, and some of the forward-leaning CIOs do well, is to understand the reason that my employees are using different file-sharing services is because they need file-sharing," Gupta says. "The first thing is to appreciate and understand that your employees are using cloud service to get the job done."
By category, collaboration tools like Microsoft 365 or Gmail are the most commonly used cloud applications, according to Skyhigh's analysis, with the average organization running 120 such services. Cloud-based software development services such as GitHub and SourceForge are a distant second, followed by content-sharing services. The average government employee runs 16.8 cloud services, according to the report.
Lack of awareness creates Shadow IT problem
One of the challenges is that not all storage or collaboration services are created equally, and users, without guidance from the CIO, might opt for an application that has comparatively lax security controls, claims ownership of users' data, or one that might be hosted in a country that the government has placed trade sanctions on.
"The problem is our employees are not aware of that and they just use the service that seems most appropriate," Gupta says.
"The lack of awareness creates this massive shadow IT problem," he adds. "Each of us -- inadvertently or otherwise -- violates these policies, because many of these policies are anachronistic."
But Skyhigh's analysis indicates that the problem is real, and compounded by a significant lack of awareness within the IT department about the use of unauthorized applications. In a poll of security and IT professionals, only 7 percent said that their organization had been exposed to an insider threat over the past year. According to Skyhigh's own research, 82 percent of agencies it evaluated "had behavior indicative of an insider threat in just the last quarter."
Slightly more than 96 percent of government organizations were found to have at least one user with comprised identities. The firm points to weak passwords that employees are inclined to use for multiple services, amplifying the potential damage an agency can suffer when one account is compromised.
Shadow IT can give CIOs insight
Gupta argues that CIOs can make an opportunity out of the use of shadow IT in their organizations. Through a closer collaboration with the agency's end users, they can better address the needs of the business and improve the security posture of the enterprise.
"The mindset shift has to move from shadow IT being a real threat and a problem to shadow IT giving me insight," Gupta says. "Rather than become the department of no, how do I become the department of yes?"