Why a security team embraces shadow IT

A group within Western Union's information security team relies on cloud software, including content management, social collaboration and single sign-on tools, to let employees get their work done while protecting corporate data.

When you hear the phrase "getting ahead of shadow IT," it typically comes from a CIO who is implementing new technologies so that employees won’t take it upon themselves to purchase tools. But you don't expect such proactive practices from an enterprise's information security team, which a CIO often enlists to place a moat around corporate assets.


Mike Bartholomy, Western Union's senior manager for information security

Mike Bartholomy takes a different tack at Western Union. The financial services firm's senior manager for information security says that companies that try to block everything may see it backfire. "What we've seen happen in other organizations is that when you take something away that is a great enablement tool that may be moderately risky, you run the risk of pushing users towards something that is very risky," Bartholomy says.

Shadow IT continues to plague companies. Over the next several years IT spending will increasingly occur outside the allotted IT budget, often exceeding 30 percent of total IT spending, according to Gartner analyst Matt Cain. The analyst says that rather than blocking shadow IT, IT should develop a system that outlines when it is appropriate for employees to use their own technology solutions and when IT should take the lead. The idea is to create a digital workplace that aligns corporate workflow more closely to employees’ experiences with consumer computing.

Why an infosec team implements cloud

Western Union has developed its own system to protect and serve its workforce. The Western Union information security enablement (WISE) program is designed to give its 10,000 employees the technologies they need to get their jobs done while ensuring that corporate data is secure. Under the purview of CIO David Thompson, Bartholomy and the rest of the information security team enjoy the unusual privilege of evaluating and implementing cloud solutions. “Not too many information security organizations have integrated a social intranet and collaboration tool enterprise-wide,” Bartholomy says.

Those tools include Okta single sign-on software and enterprise social offerings from Jive Software. But the latest project, a corporate-wide roll-out of Box as the company’s new enterprise content management system, may be his most ambitious to date. New solutions tend to come with a steep learning curve, but Box isn’t your enterprise software of yore. Most employees, particularly millennials who grew up consuming web apps, find it intuitive and easy to use from their desktops and mobile devices. To be safe, Bartholomy worked with Box to create video tutorials and virtual training sessions to help acclimate employees to the technology.

Employees in human resources, legal, compliance, IT and other departments are increasingly using the cloud software to share and synchronize files across desktops and mobile devices. Bartholomy sees the implementation of Box, as well as tools such as Okta and Jive, as necessary.

Some 60 percent of Western Union employees are millennials who fit the mold of individuals who will find the tools they need to perform their work most efficiently. By providing access to Box, Bartholomy says he is helping IT avoid the risk. "If you don't have an enterprise solution in a space, and you try to block everything, people will find a way," to consume the technologies they need, Bartholomy says. "Security is taking a seat at the table and trying to drive innovation through these projects."

Box competes in a broad market with Microsoft, Dropbox, Google and dozens of other vendors. Bartholomy says Box’s adherence to PCI, the payment card protocol, was a big selling point in the deal. Also crucial were Box’s automated retention capabilities, a big improvement over the company’s traditional approach of manually classifying records as those that can be shared externally versus kept in-house. Another reason: Box’s APIs integrate well with Okta, Jive and other cloud tools.

Now Bartholomy is trying to phase out the large pockets of existing file-synch technologies, including LAN-sharing and SharePoint sites. He says Western Union has a multi-year roadmap with which to migrate data to Box from those legacy tools. Ultimately, he expects Box to become the company’s de facto enterprise content management system.

Tracking unsanctioned cloud apps

Despite Western Union's proactive approach to enable end-user computing, shadow IT remains a concern for the company. Although it does not plan to block all unsanctioned software, it knows exactly what is being used at all times with the help of Skyhigh Networks, a cloud security platform companies license to track what SaaS tools employees are consuming as well as how much data they are generating. Bartholomy won't name how many cloud apps employees are using but noted the number is high. “It’s eye opening but also very valuable,” he says.

Bartholomy says the end-user technology unit also works with the broader IT unit on corporate technology strategy, including implementing other cloud solutions, such as Workday. While the company consumes a lot of cloud software for a financial services firm, it doesn’t adopt cloud casually. Like any other vendor Western Union works with, SaaS providers go through a risk assessment process to ensure that they meet the company’s rigorous security standards.

"Because we are in a financial services organization, compliance is a big part of what we do so making sure that those vendors are doing all of the right things to make sure that we feel good about using them,” Bartholomy says.


Stories by Clint Boulton
