This kind of problem is usually one that crept up over the years, often as a reaction to users having limited access to the tools they feel they require for their jobs. It’s highly likely they want to work on their data with the appropriate applications anytime, anywhere. This is not a bad thing and makes sense as a business need. Granted, there are risks that need to be mitigated.

Stepping back again to look at the big picture you ask: what is really at stake here? Company data needs protection. The primary risk is unauthorized access to that data beyond your organization’s borders. Once data leaves your walls, you’ve lost any semblance of real access control. Therefore, you’d need to map out the user needs and find appropriate secure solutions (insourced or outsourced) to those needs. Likely the CIO can help. Your job would be blessing the solutions that meet your security requirements. It’s not easy, but it’s a problem that is solvable, and with the plethora of SaaS vendors offering secure solutions, not infeasible. Second, the best control we have when we outsource is good authentication. To make it easier for the users and to meet your audit requirements, an easy path is federated authentication. This can also help drive the vendor selection process. Once you’ve got auditor buy-in to the solution, it’s time to roll this out.

Before you pull the trigger, remember the tactics for altering a system. You’d want to present this as a positive to the users and offer an amnesty program for anyone already violating policy. Start with a briefing to explain the risk and audit reasons behind why you’re doing this (Redefine the goals/paradigm) and the new security policy (Alter the rules). Explain that anyone using the blessed applications will get full IT support for the migration. On the back channel, you work with Finance to shut down expense reimbursements to non-blessed shadow IT (Regulate feedback loops).

System theory says things take time to flow from one state to another, so this adoption won’t happen overnight. Make sure the auditors and management know this and don’t have unrealistic expectations. A good way to ensure an orderly migration is to shorten the feedback loop so you catch problems early. Start small with a pilot and test, adjust, expand as you see success (Adjust parameter for rate of change).

In the end, you still probably won’t get 100 percent compliance. All things being equal, you’re likely to hit 80 percent adoption on the first run through with a long tail of slow adoption after that. So, plan for that as well. Publish organization-wide metrics on adoption (Alter information flows) so folks can see how well they’re doing. If they know they’re being measured and can see how their peers are doing, you’ll build momentum. For the final group of misfit applications/users, you can assemble a temporary task force to identify and assist them over the final hump (Adjust buffers & flows).

Through the lens of Systems Theory, security is an emergent property of a system, not an add-on that can be bolted on when needed. Organizations are in constant motion at many layers. Plan for this and your security control deployments will work more successfully.