Internal IT vs. Shadow IT and impact on data security & privacy

Companies have traditionally viewed data security through the lens of perimeter security. That was a practical approach when all data stayed inside a company’s perimeter. The IT department was responsible for monitoring the perimeter for intrusions and staying one step ahead of potential hackers, using both technology (firewalls, DLP, etc.) and organizational resources.

But now we live in a world of cloud applications and multi-layered data chains spanning multiple third parties, all collectively doing their small bit to serve a consumer. Although this approach has reduced cost and made our supply chains more efficient, it has also exacerbated the problem of data sprawl. This sprawl, over time, has exposed data at multiple points in the data chain, which has resulted in massive exploitation by both state and non-state actors. In light of this new reality, traditional methods of securing the perimeter simply do not work.

Traditionally, data collection caused friction within companies even before data regulations came into play. Companies started realizing the effects of mass data gathering through solicited and unsolicited consumer feedback, especially after a high-profile breach. This feedback sometimes created fault lines, for example, between marketing and other business departments within a company. Marketing would be concerned with negative consumer sentiment and the subsequent effects on brand value. In contrast, other lines of business would continue to make the case for collecting data haphazardly in the hope of monetizing it in the future. As a result of these fault lines, companies have always struggled to reconcile consumer trust with data collection.

Now, the vast array of best-of-breed cloud applications available to businesses has created “shadow IT” in most companies, outside the purview of internal IT. This phenomenon has enabled individual business leaders to achieve desired results quickly, but at the cost of increased data sprawl and diminished data quality, affecting companies at a strategic level because of fragmentation at the line-of-business level. Data traverses ever more applications that remain outside the control of internal IT, without any controls of their own. Internal IT finds itself in a position of diminished influence when it comes to containing this sprawl beyond internal boundaries. The security and privacy groups within these companies continue to grapple with an ever-increasing data attack surface stretching across multiple business partners. The legal groups are now scrambling to contain the added risk and liability arising from regulations.

With added scrutiny from regulators, the fault lines between internal IT, security & privacy, legal, and business groups have become more pronounced. Some companies have taken the drastic step of curtailing or outright banning the use of their consumers’ personal data by third parties, significantly impacting business operations and outcomes, because the risk to the brand is otherwise too high.

Although regulations have increased the risk to companies, they have at the very least also provided a common legal framework for companies to reconcile internal competing demands for consumer data. But this also requires a solution that allows companies to balance data security & privacy with business requirements, rather than forcing companies to swing the pendulum one way or the other. Companies that understand the challenge beyond merely achieving compliance will not only be able to align competing priorities internally but will also be able to operationalize consumer personal data effectively and empower their business and their consumers. An empowered consumer in this age is a retained customer.