Are you managing ‘Shadow IoT’ in your organisation?

Many words have been written about Shadow IT in the past few years. This is the increase in IT deployed in organisations without the knowledge of the IT department, far more prevalent now that software, and indeed more complex arrangements like virtual hosting, can be acquired in the cloud using a credit card. I have seen it described as the biggest headache for CIOs and the source of uncontrolled data, damaging regulatory compliance, risking ISO 27001 accreditation and bringing about The End Of The World As We Know It.

I’ve always been more ambivalent about shadow IT; I see it as a necessary part of the evolution of business systems, as people innovate to improve their service. The idea that the IT department knows best is a futile one, as they do not operate at the edges of the business. In fact, best practice is for them to maintain Enterprise Architecture from the centre, a position that has many advantages for organisations that want to maintain consistent business logic, reporting, and investment plans.


I’m less sanguine about the arrival of a new phenomenon, which is ‘Shadow IoT’. Innovation in the management of buildings, using smart technology exploited by more forward-thinking Facilities Management teams, is on the rise and is bringing great efficiency benefits across the board – particularly in energy use. However, my experience is that this is very rarely aligned with corporate IT policy and practice. Indeed, much of this is managed by third parties and implemented during construction and commissioning of a new building.

Barely a day goes by without another report of poorly implemented security in ‘smart’ IoT devices used to control lights, heating, etc., whether it’s an inherent design flaw or simply bad practice during installation. A recent survey into security in Building Automation Systems (BAS) revealed that whilst 86% of systems are connected to the Internet in some way, and over half the respondents thought an attack could do significant harm to the organisation, only 29% had implemented security systems around their BAS.

Whilst attacks on buildings and systems can undoubtedly bring about serious problems, basic security flaws in design and commissioning can be more serious when the building network is connected to the corporate network.  In the survey mentioned, this was the case around half the time.  This can provide a soft ‘back-door’ into the wider information systems.


This is a concern for CIOs and corporate boards in general, who manage information security on behalf of customers and their employees. Often the response is a corporate diktat prohibiting all connected systems without the express permission of the IT department, but this rarely works – see the example of Shadow IT. Realistically, the IT teams must be constantly communicating with their stakeholders across the whole organisation, including Facilities Management, to help them make sure they are doing their bit to maintain security.

Just like Shadow IT, the increase of Shadow IoT is inevitable and adds another layer of complexity to our digital footprints.  It cannot be wished away, however, and must be managed with the co-operation of all involved.

Chris Weston



CIO WaterCooler