Shadows of the night
Shadow IT is problematic in the best of circumstances. In the worst cases, it poses a massive cybersecurity risk to the entire organization, as sensitive data stored in the cloud or other third-party applications may not be secured properly or adequately and is therefore exposed to all types of tampering and unauthorized access. Nonetheless, shadow IT persists throughout organizations large and small, and will continue to be a plague until we manage the root cause: leadership.
Shadow IT is a problem that is not going away any time soon. It has been reported that the average organization uses 1,427 cloud services, and you can bet that the security team wasn’t aware of or involved in a vast majority of those implementations. Technologies necessary to run the business are thought of as enablement tools, and therefore when the head of a business unit requires budget to purchase a service or tool that will allow her or his team to operate more efficiently and effectively, whoever holds the purse strings is not likely to stop and ask, “Is it secure?” In some cases, the acquisition of tools is so inexpensive (or free, like Dropbox or Google Docs, for example), that business units don’t need to seek approval for funds. If the security team is diligently inventorying assets and monitoring endpoints, it might account for where the organization’s data is flowing, but at that point securing data is like stopping a leak in a rusty old pipe: Your efforts might fix the surface issues, but the pipe is still eroding and could burst at any moment.
When shadow IT is found, security teams get angry; hasn’t everybody been following the media? Cybersecurity is mainstream now, and everyone knows what happens when data is leaked or stolen! Though the average person may be aware, and security has crept into enterprises’ board rooms, in others’ views, securing data and keeping the organization safe from cyber attacks is the job of the security team. Non-security employees are not likely to consider the challenges of retrofitting security onto pre-installed systems or data that has “left the barn.”
Dominic Vogel, Chief Security Strategist at Cyber.SC, says that shadow IT is an incredibly divisive issue between security/IT teams and the business, and therefore the focus is typically on the technology in use or the data itself, along with each department’s “authority” to implement new technology. At its root, however, Vogel asserts that shadow IT is a symptom of a much larger issue: disconnect between the IT department and the business.
The tone at the top is an extremely powerful business driver, and organizations that aren’t “security first” often bump up against these roadblocks when it comes to security policies and procedures. The issue: With the exception of security firms, most companies don’t prioritize security over efficiency and efficacy. Half of organizations don’t even employ a CISO, proving that despite the headlines and invitations into boardrooms, security isn’t yet viewed as a critical business driver.
For security professionals, it’s frustrating to hear, but it’s the truth, which is why security needs to recruit the C-suite to assist with issues such as shadow IT. Says Vogel, “The current prevailing thought from security teams is that shadow IT is detrimental and problematic and should be stopped at all cost. It’s, ‘rule with an iron fist.’” Doing so, he warns, often backfires; the business is going to do what allows it to move forward as quickly and nimbly as possible.
To start making progress towards wrangling shadow IT, Vogel recommends a different approach: “IT leaders need to focus on building stronger relationships with the C-Suite and line-of-business leaders to better understand what high value tasks/activities need to be accomplished. Once gathered, that knowledge and insight can be used to provide solutions or platforms that can help the business better accomplish their goals, such as increasing effectiveness and efficiency.” In other words, it’s a two-way street in which the IT/security team needs to listen and learn and then use that information to influence decision making. It is, of course, in the best interest of the C-suite to rein in shadow IT, says Vogel, as doing so decreases business risk. Unfortunately, though, in today’s business climate a breach or cyber attack is seen as a line item, a cost of doing business—not a strategic business risk.
This thinking needs to change.
Security teams have historically not been terribly effective at translating security risk into business risk, hence the need for better business alignment and leadership. For the C-suite to trust security, even if a CISO has been appointed, security needs to stop talking about what bad things can happen and focus on how security enables business advancement. How does including security in the decision to purchase or use a new cloud service or third-party app help the business? What are the potential gains of doing so? What are the tangible risks if security is an afterthought (or never introduced)? How much money can be saved? What is the time savings? What is the likely cost of a data breach?
Vogel advises clients to paint a picture for the C-suite that illustrates how better security/business alignment leads, for instance, to a more controlled software procurement process which, in turn, ensures higher efficiency in budget spend. In other words, working together directly contributes to the organization’s balance sheet. What executive wouldn’t want to hear that? By approaching the shadow IT problem in this fashion, as opposed to a gladiator death match, the business gains a partner and security earns a role in software or technology service acquisition. “Treat shadow IT as a business problem,” offers Vogel, “not an ‘IT-only’ problem.”
When shadow IT is managed by the C-Suite instead of IT, it becomes a business driver and source of innovation. It’s up to security and IT teams, though, says Vogel, to convince executives that there is a more cooperative approach to “internal service improvement of corporate applications—making sure the business is giving its workers the most effective tool(s) to complete their job (i.e., providing the right tool for the right task mentality).”
Currently, few CEOs and CFOs consider shadow IT a problem for the business, which is why they present a risk. If the leaders of the business don’t have an interest in reining in shadow IT, security/IT can’t reasonably expect departmental units to care either. After all, their focus is on driving business; it’s your job to secure their “stuff.” It is incumbent upon security and IT teams to demonstrate to the C-suite why shadow IT is holding back the business—in terms of both cyber and business risk.
Shadow IT will never be eradicated, but security has a much stronger chance of stopping insecure implementations if security review is a step in the procurement process. Muscling security into business operations hasn’t been effective to date, so perhaps looking at the problem as an opportunity to step up leadership skills and work cooperatively with business leaders will yield improved results. Strive to bridge the disconnect with the business by showing leaders the business benefit of working together. Don’t focus on FUD (fear, uncertainty, and doubt); explain the risks and the benefits and you’ll be off on clear footing.