First off…if you aren’t familiar with the boogeyman, its the bad person in stories that are normally told to kids to keep them in line.
The boogeyman is also used by adults to scare other adults to make them stay in line. IT Professionals use the boogeyman to keep the organization in line (e.g., “you can’t do that because it will open a security hole”). Ooooh! The boogeyman!
But…the boogeyman IS real when it comes to Security. There really are people out there looking for flaws in IT security. There really are boogeymen out there. And they lurk in the Shadows.
I’ve written a lot about Shadow IT in the past. I like the idea of technology ownership outside of IT. It does two things: 1.) forces IT to stop saying ‘no’ to everything and start looking for ways to say ‘yes’ or at least “no…but we can help do that with our ____ system” ; and 2.) shows that technology is much more important to the organization than just a bunch of ‘computers’.
CIO’s should be taking advantage of the rise in Shadow IT. They should be using this time to push for more budget to help the organization. They should also be building up a ‘consulting’ arm to help the rest of the organization better understand technology and how to select, implement and manage said technology.
Part of this consulting arm will need to focus on education as mentioned by Christian Verstraete in his Enterprise CIO Forum article titled Shadow-IT, it’s forbidden to forbid. This education is important as it helps the organization understand the underlying issues found within Shadow IT (data disconnect, information optimization, etc) but it should also stress the security implications found within Shadow IT.
These security implications are extremely important. There’s nothing more dangerous to an organization than to have a non-secure system open for infiltration.
Because of the importance, IT must spend time talking about these issues and educating the organization. But..rather than use the old methods of ‘the boogeyman’ that most people are used to hearing, it needs to be done in such a way to explain the dangers while keeping people interested.
The second you talk about “PCI Security” or “compliance” or one of the other boogeyman avoidance terms that we like to use in IT, people’e eyes glaze over and they immediately go on the defensive. They are reminded of the boogeyman stories of their youth and how those stories weren’t really true…so why should they believe you?
Rather than use the IT terminology to talk about security, we need to build a conversation around real issues that the organization can understand. Rather than use “PCI Compliance”, why not talk about “stolen credit cards”? Sure they aren’t the same thing exactly…but the main point is conveyed.
Tell someone that they can’t do something because of “PCI Compliance Issues” and they’ll most likely go right ahead and do it.
Tell them they can’t do it because the system they want to use might allow credit card information to be stolen, and they’ll take a step back and ask you for help…or at least you hope they do.
I worked for an organization that had a HUGE PCI Compliance issue. A group was using a third-party web server to host their website. Credit Card information was being submitted via a plain text web form (!) with no security (!!) and stored in a local text file for reference (!!!) and then emailed (!!!!) to a person to run through the credit card processor. The CIO and many IT professionals spent many hours talking to the group who were collecting the CC info. They talked about ‘PCI Compliance”, “Personally Identifiable Information” and other key terms….but the group kept on doing what they were doing.
Now…there are two things to learn here. The first, the CIO didn’t have the power to force this group to stop doing what they were doing. That’s bad for the CIO and bad for the organization. That’s a bigger issue. The 2nd issue at work here is much easier to resolve. Its the issue of educating the organization on the dangers of collecting data. Rather than use “PCI Compliance” and the other big / buzz words, the CIO should have taken a step back and said “hey….look…I just downloaded your text file from your server and now have 2million credit card numbers”. He didn’t do that though….he fought the “PCI Compliance” fight.
It took a boogeyman sneaking into that group’s web server and stealing those credit card numbers (and a lot of other Personal information) and then contacting the company offering to sell the information back to them before the group realized they had a problem. But..it was too late. The boogeyman had come out of the shadows.
That organization spent a good deal of money to fix that problem. The group responsible stuck to their claim that they had never really understood the ‘dangers’ in doing what they were doing. After many months of begging and pleading by the CIO, 10 minutes of hacking by a boogeyman finally told the story of how dangerous their setup was.
Talking about the Boogeyman
These folks were doing everything wrong. The CIO had no ‘power’ to stop them either. Many things were going wrong in this instance…but one wonders if the approach to education had been a bit different, would things have turned out differently? There’s no way to tell but I would hope the answer is “yes”.
So…we in IT KNOW the boogeyman is out there. We KNOW the damage that can be done. But…we have done a poor job of communicating the danger to the organization. We tell stories of the boogeyman. We use big words and lots of jargon and the eyes of our clients glaze over.
We need to find ways to highlight the dangers of the boogeyman without actually making people think about the boogeyman. We need to talk about the dangers of Shadow IT while educating our clients to the real dangers that exist using language they can understand.
The boogeyman exists. He lives in the Shadows. Its our job to help shine the light on him and help them stear clear of him.
Image Credit: Boogeyman By Billie Jane on Flickr