Cisco Collaboration CTO on shadow IT, reducing risks, and his role in creating Internet standards


Like it or not, “shadow IT” presents huge risks for companies, says Jonathan Rosenberg, CTO of Cisco Collaboration. And, he says, it doesn’t have to be that way. The right approach will inspire users to prefer IT over outside vendors, thus reducing their use of shadow IT without draconian rules or turf battles. In an interview with The Enterprisers Project, he explains how.


The Enterprisers Project (TEP): Most IT departments today can't control, or even keep track of, all the cloud-based apps employees may be using. Some have chosen to accept or ignore them. Does having employees use cloud-based apps of their choosing pose risks? 

Jonathan Rosenberg: It absolutely poses risks! The primary risk that companies need to worry about is data loss through these applications. Let me give you one example. Let’s say employees use a file-sharing service, and they upload company information into it. One such employee, Bob, later on leaves the company. However, his account in the file-sharing service remains active because it’s not tied to his company employer. As such, he remains in several shared folders and continues to have access to company information even though his employment has ended. This is a real problem – and not one that requires sophisticated attacks. Bob, if he does nothing, will have access to this data! The company will have to depend on his good will to terminate his account with the file-sharing service.

The answer is to think differently about these applications. The right answer is to offer applications that do two things at once. They must be applications that users love to use and would choose on their own, but also ones that IT has sanctioned for use. To achieve this combination, enterprise applications need to embrace many of the characteristics of consumer applications: They need to be beautiful, easy-to-use, innovative, fast, constantly updating, cloud-delivered, allow users to communicate with anyone they want, and so on. IT departments should consider these kinds of characteristics much more strongly than they have in the past.
 
TEP: How do you balance the need for security against employees' need to do their jobs quickly and efficiently? How can IT enforce security measures without being seen as an obstruction to efficiency, a.k.a. "the land of no"?

Rosenberg: This is the true challenge. In many respects, it’s a challenge for the vendors of SaaS applications and gets driven by IT asking for different things from their vendors. But it is possible to build applications that still allow users to do their jobs, yet at the same time, provide adequate security controls.

One example is communication tools that facilitate collaboration outside the boundaries of the company. Typically, IT and information security departments have disabled such features in their products, fearing risk of data loss. This, in turn, has driven users to consumer apps that let them collaborate externally in ways that are completely unsupervised. That raises the overall risk to the business. 

Instead, IT should embrace tools that provide this capability but manage risk of data loss differently. First and foremost, most data leaks outside of the company are accidental – the mistaken auto-complete in an email client is a big source of data loss, for example. These losses are preventable by giving the end users themselves control over the propagation of information. For example, a tool might warn a user before sharing information externally. Or, it might enable users to explicitly decide to prevent a file from being shared outside of the initial group of recipients. This reduces risk without denying the ability of users to communicate. 

The communication tool can also provide techniques for IT departments to detect and later remove content that really should not have been shared externally. Though this may seem more permissive and thus riskier, if it reduces the risk of users utilizing unauthorized apps that provide no such controls, the overall risk to the business actually decreases. This is the new risk analysis that IT and information security departments need to do. 
 
TEP: On an unrelated matter, I see you are among the top creators of Internet standards in the world, and that you've been instrumental in the development of VoIP and chat technology. Can you tell us a little about how this came about? 

Rosenberg: Like many stories, it’s a combination of luck, timing, hard work, and persistence. I was doing my PhD at Columbia University and was seeking a dissertation topic. I connected with a new professor there, Henning Schulzrinne, who was just beginning some research on technologies for VoIP. He took me on as his first PhD student, and we began to work together in this area. 

At the time, much of the work on new Internet technologies was done within the Internet Engineering Task Force (IETF), which builds the standards that govern the Internet. The technology started to gain commercial interest, fueled by its visibility at IETF and due to its different approach to making VoIP work.

From there, things blossomed. I put my PhD on hold to go to a startup that was commercializing the technology, and spent a lot of energy promoting the technology in the industry while helping build a company to sell it. That was where the hard work really was – years and years of promoting the tech, talking to everyone and anyone that would listen. It all worked out, and the technology eventually went on to be adopted widely. It is now the foundation of modern telecommunications. I even managed to finish my PhD before the startup was later acquired.

Minda Zetlin is a business technology writer and columnist for Inc.com. She is co-author of "The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive," as well as several other books. She lives in Snohomish, Washington.
