Mar 01 2017

The FBI Wants to Make the Most of Shadow IT

There are benefits that come with allowing experimentation on technology procured outside of official channels.

Shadow IT — unauthorized technology services and apps that are procured outside of the IT department — has a great many negative connotations attached to it in the federal IT world. Among them: security risks, noncompliance and unauthorized applications, to name a few. However, there are clear benefits that agencies can glean from shadow IT, and the FBI is hoping to take advantage of them.

Some of the benefits include allowing workers to innovate on mission-specific IT, according to FBI CIO Gordon Bitko. Additionally, shadow IT can help bring attention to apps that give users greater flexibility in their daily work, IT leaders say.

At the FBI, Bitko argues that the innovative technology that helps bureau employees achieve their missions should not be shunned. However, he says that IT leaders need to be aware of and coordinate the use of tech that is not procured through official channels.

FBI Embraces Benefits of Shadow IT

Bitko told Federal News Radio that FBI agents and analysts sometimes need to use shadow IT “for operational reasons to keep the country safe and secure. And we don’t want to stop that.”

The FBI has discovered that there are “many people in many different field offices solving a lot of the same problems and using technology as a driver to help that.”

The bureau, Bitko says, is focused on letting employees take advantage of those technologies and finding those solutions, but wants to “do it more effectively so that we don’t have the same solutions coming in from multiple different parts of the organization, so we can focus on delivering the highest priority needs for the enterprise.”

The goal, therefore, is to find out how shadow IT is being used to help bureau employees do their jobs and then institute best practices across the agency, with the most mission-critical tasks being addressed first.

In many IT settings, duplication occurs on enterprisewide applications, not mission-specific tasks. “The mission side is not necessarily duplication, but different people tackling their own local problems and coming up with similar solutions, so that’s really where the consolidation of effort is really fruitful for us,” Bitko told Federal News Radio.

More broadly, the Justice Department wants to consolidate its IT systems, and DOJ CIO Joseph Klimavicz wants to use the cloud and shared services to make the department’s 40-plus components more in sync technologically.

“What we really want to try to do is drive DOJ’s information technology services at the pace of American innovation,” Klimavicz told Federal News Radio.

Bitko wants to try to take advantage of shadow IT innovations and simultaneously merge larger enterprisewide services. “One of the focuses for our office is how do we continue to encourage and actually incentivize innovation in general, but at the same time do it in a framework that ensures we’re doing things that meet our cybersecurity requirements, that meet our records management requirements, that meet our requirements to maintain the privacy and integrity of the information we collect for lawful purposes?” he said.

Agencies Must Balance Concerns with Shadow IT

Agencies need to balance competing priorities when it comes to shadow IT. On the one hand, allowing too much can lead to security vulnerabilities, as unsecured applications get used and data gets processed through them, or unsecured devices connect to department networks.

For example, Robert Westervelt, a research manager in IDC’s security products group, has said that, as agencies embrace security technology to guard against insider threats, they cannot make such technology too restrictive and cumbersome. That could push employees to bypass security for convenience.

“If you get too restrictive, shadow IT pops up,” Westervelt says. “That could be something as simple as an employee bringing in a cellphone and using it as a mobile hotspot to bypass the organization’s network, which could introduce a lot of different threats.”

On the other hand, allowing shadow IT to flourish to some extent can help an agency’s IT leaders find out which apps employees are using on a day-to-day basis — and why.

Joe Paiva, CIO of the International Trade Administration, says shadow IT has been helpful in this way. “I figure out what applications 80 to 90 percent of employees use and then drive the rest of the organization to them,” Paiva says. “Trying to block these applications is silly. You’ll wind up blocking the best ones.”
