BYOD and Shadow IT: Implementing Compliant Solutions

July 19, 2017

Current BYOD policies, while convenient, are contributing to the looming issue of Shadow IT within organizations.

It was the spring of 1967. Ruth “the Rebel” Wilson hurried up the steps of the New York City Subway and into the flowing rush-hour crowd above. She turned right on Park Avenue and less than a minute later entered the lobby of an office building. “Good morning, Steve!” She waved to the security guard and joined the line of office workers waiting for the elevator. Tony, the elevator boy, greeted her with a tip of his hat. There was no need for Ruth to announce her floor and Tony didn’t ask; she had been working on the 25th floor in the typing pool for over three years now and everyone knew her. Ruth hung her coat and her hat, then made her way to her desk. Hanging her purse across the back of her chair, she carefully lowered the heavy bag carried over her other shoulder down to the center of her desk. She sat down, adjusted her seat, carefully removed her very own Olivetti Lettera 22 typewriter from its case, and got to work.

This story, as charming as it may be, never happened. No one, not even someone nicknamed “The Rebel,” would make lugging an 8 lb portable typewriter part of their daily subway commute. This was especially true when a perfectly good typewriter was already provided for them and waiting at their desk. The office typewriter could easily keep up with any personal typewriter, and the vast majority of typists in the 1960s didn’t even own a typewriter. They did enough typing at work; why do more of it at home? Office equipment belonged in the office, and the office provided the equipment, supplies, and repairs.

Boy, have things changed – but it took some time. Fast forward 30 years, and in 1997 Ruth’s daughter was coming to the office to use a PC and an internet connection provided by her employer. She might have surfed the web for the news or a weather forecast, maybe she even accessed her own email account via a new service from Hotmail, but she didn’t bring her own computer to work. The office computer was comparable to her home computer or better, and the office bandwidth far surpassed her AOL dial-up connection at home.

Things are VERY different for Ruth’s granddaughter in 2017. The boundaries between “office” and “home” seem to have dissolved completely. Her personal smartphone has more computing power and more available internet bandwidth than her mom’s entire office did just 20 years earlier. And she brings it to work without batting an eyelid. While she is at work she receives work emails and Instagram notifications on the same device. Work and personal text messages land in the same inbox.

Much to the IT staff’s dismay, this is out of their control. IT cannot control what is happening on her device as her use of the device is well within the company’s BYOD policies. They cannot control the internet traffic on her device – it is running on the cellular carrier’s network, not the company’s. And in fact, many company functions are thrilled with the situation: the CFO did not have to pay for the device or for the cellular service and the CIO’s staff do not have to support, repair or replace it. But the CISO and the CCO (Compliance) are certainly not thrilled. While available MDM solutions allow them some control over the device and the information it contains, the threat of Shadow IT looms darker than ever.

So, what is Shadow IT? Over the years, Shadow IT has evolved beyond its original meaning. In the past, Shadow IT was the threat of employees using unauthorized applications on company equipment and/or over company networks. It was a well-defined problem that could be addressed with the right tools. Now, however, Shadow IT can also mean employees using personal applications on their personal devices for work purposes – a much different challenge. The application and the device are permitted for personal use, but their use for work purposes falls outside of the company’s policies and outside of its control. These types of applications impact security, compliance, and corporate brand. It is a human, rather than a technical, challenge – but a challenge that seems insurmountable in some organizations. Getting employees to choose an approved application over a consumer application of choice is indeed possible. It is a subtle point to make: “Yes, use your phone to text your babysitter, but don’t text a coworker because that might contain confidential or regulated information. Use a different app on the same phone instead.”

Corporate policies and employee training are important baseline measures, but for employees to continuously make the right choices and stay away from the shadowy options, the company-provided tools and applications have to keep up with their needs and preferences. The vast majority of employees prefer to stay within policies and out of trouble, but at the same time, they will continue to choose tools that are available, fast, efficient and easy to use. Employers must understand that the IT services and tools they provide will effectively compete with the consumer-grade solutions that their employees use every day. Company-provided applications and tools must keep up, or they will be silently replaced by non-compliant alternatives.

To find out how Vaporstream approaches UI design to ensure we ‘keep up’, and keep your staff using compliant methods to communicate via text, contact us or schedule a demo.

Contributor: Avi Elkoni
