Survey: Shadow IT haunts DOD networks
- By Kevin McCaney
- Jul 29, 2015
As the Defense Department moves toward expanded use of cloud computing and a joint operating environment, it might want to pay some attention to shadow IT—that is, the use of unauthorized applications or other services by employees looking to speed up a process or find a workaround to a problem.
A recent survey by Solar Winds of federal government IT management and monitoring revealed that a majority of DOD IT pros said shadow IT is being used in their departments, nearly 70 percent of them expect the practice to grow at least slightly over the next two years, and they’re not especially confident in their ability to control the use of shadow IT.
The survey covered the federal government overall, but Solar Winds also separated results for DOD and civilian agencies. Among DOD respondents, 25 percent said that shadow IT was used “quite a bit” in their organizations, another 25 percent said it was “somewhat prevalent,” and 13 percent said it was used “a great deal.” And 69 percent said they expected to see an increase in shadow IT over the next two years—25 percent expecting a significant increase and 44 percent expecting a slight increase.
Respondents also were split on what to do about it, with the options “eliminate shadow IT entirely” and “embrace it because it is inevitable” each drawing 27 percent. The rest chose “somewhere in between” the other two options.
Even if organizations decided to eradicate shadow IT, it’s not certain they’d be successful. Only 16 percent said they were very confident in their organization’s ability to eliminate shadow IT, and 61 percent said they were somewhat confident. (That’s better than the civilian sector, though, where only 11 percent were very confident and 52 percent were somewhat confident.)
Shadow IT is a concern to organizations because of its potential to introduce security risks, as cited by 68 percent of DOD respondents. A duplication of efforts was cited by 45 percent and a lack of interoperability by 39 percent. And adoption of a cloud computing model—something DOD has put a priority on—can contribute to wider use of shadow IT. A June report by Skyhigh Networks on cloud adoption in government pointed out that dissatisfaction with cloud offerings can lead employees to adopt substitutes on their own.
The survey overall covers a lot of territory, from encryption to shared services, as well as another subject DOD has been wrestling with: expanding the use of mobile devices while ensuring security.
Forty-five percent of DOD respondents said mobile devices pose a significant threat to security and another 8 percent said it’s not a problem yet but it will be. On the more optimistic side, 42 percent said mobile devices posed only a minor and manageable threat, while 5 percent said they posed no theat.
If DOD IT pros are more concerned about the mobile threat than their civilian-agency colleagues, only 32 percent of whom said the threat was significant, they at least have stricter controls in place. Seventy percent of DOD respondents said they agencies had a formal mobile policy in place, with another 12 percent saying one would be in place by next year. That compares with respective numbers on the civilian side of 55 percent and 16 percent.
Not surprisingly, the Defense Department also has more places where mobile devices are simply banned, with 35 percent of DOD respondents saying no mobile devices are allowed, compared with 10 percent among civilian-agency respondents. Only 5 percent within DOD said personal devices would be used to access some functions, like email, but not others. Within civilian agencies, that number was 20 percent.
Kevin McCaney is a former editor of Defense Systems and GCN.