Shadow IT is the bane of existence for CISOs and CIOs. For decades, individuals working in lines of business have been bringing their own technology to work because they’re more comfortable using it than what the company provides. The trend started with Apple Macintosh computers back in the 1980’s, then Macbooks and Bring Your Own Device (BYOD) which is specifically about mobile devices. Since the late 1990’s it’s also been easy to procure software and services through SaaS subscriptions. More recently employees have been bringing in wearables and signing up for cloud services. Just whip out a credit card and voila.

The Issues

The biggest cybersecurity issue CISOs face is a lack of visibility into the devices connected to networks. While Mobile Device Management (MDM) arose in response to the BYOD trend, mobile devices are not the only problem. SaaS subscriptions can also be a headache in the absence of governance, security and privacy measures. Users need guardrails that limit the company’s risk, but they also want the freedom to choose their own solutions since they understand their own needs and their department’s needs better than anyone working on a centralized IT or security team.

The shadow IT trend has been somewhat legitimized by the emergence of departmental IT budgets which are essentially a license to buy what the department needs. CISOs and the security team are often not consulted about purchases, which means they’re probably not aware of them. And, of course, the CISO can’t protect that which is unknown. Hence the need for asset management and CASB tools that help explain the actual ecosystem. Advisory firm CEB estimates that 40% of all IT spending occurs outside the IT department.

The reason CISOs tend to be left out of purchasing decisions is because they tend to say “no” too often in the minds of employees. So, people in lines of business proceed thinking what the CISO doesn’t know won’t hurt, but obviously it can. Cybersecurity firm McAfee estimates that the average company uses 1.083 cloud services, 108 of which are known and 975 of which are unknown.

That which is unseen results in security gaps that can be exploited. A common problem is the uploading and sharing of sensitive data to SaaS-based solutions and services which can expose the company to all sorts of risks – legal, compliance, privacy, financial, reputational, etc.

Another issue is a lack of understanding about cloud vendors’ shared responsibility policies. Non-security professionals and even some people in IT may be under the impression that basic services provide adequate security which they clearly don’t. The problem is that basic services provide basic security, which may sound like enough to the uninitiated.

Cloud service configuration management is another issue plaguing organizations. While not every misconfiguration will result in headline news, data is often exposed inadvertently. Data leaks also occur as the result of using SaaS-based file sharing services.

Shadow IT can also result in IT ecosystem disruptions as software and firmware are updated because a dependency somewhere has failed.

Shadow IT in its purest form is bad for the business, security and IT. Anyone involved in the procurement of technology should involve the CISO and CIO in an effort to minimize the company’s risk. However, IT and security may not be available when a business professional is under pressure to get something done right this second. So, shadow IT continues.

How to Handle Shadow IT

Thou shalt and thou shalt not, presented as a set of principles doesn’t help curb shadow IT. For one thing, it only fuels the belief that security and IT are obstacles to progress. Relationships work better.

Some CISOs make a point of engaging people throughout the enterprise to understand what they’re trying to achieve, what they hope to do, the technology they think they’ll need, and the technology they have. Instead of saying “no” outright, they work with the business to find a way to enable whatever the business wants to do, albeit in a safe way.

Still, CISOs are busy people and so are their teams, so availability can become a problem. Recognizing this, some organizations have created their own internal “marketplace” of security and IT-vetted technologies which users can choose from. That way, enterprises risks can be managed centrally while end users have “choice.”

Nevertheless, it’s always wise to monitor the network, applications and users because internal threats are all too real. It also helps to automate as much security policy enforcement as possible, given the complexity of today’s IT ecosystems, users’ frailties and the amount of pressure cyber security teams face. Zero trust is the way to go.