This article is a part of Risk Update 1.
In light of readily available cloud solutions, the duality of technical and business competence in the modern worker, and strategic misalignment between business and IT functions, Shadow IT has become a major concern plaguing modern organisations.
Shadow IT is an application, tool, service or system that is used within an enterprise to collaborate, develop software, share content, store and manipulate data or serve any number of other purposes without having been reviewed, tested, approved, implemented or secured by the enterprise IT and/or information security functions, in accordance with written policies and procedures.
Source: Seago, J. and Trsar, T. (2017). Shadow IT Primer. [online] Isaca.org. Available at: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Shadow-IT-Primer.aspx
For many in upper management, the term ‘Shadow IT’ brings about fear, and for good reason: consider for a moment the exposure to security vulnerabilities or unsanctioned expenditure it can bring to an otherwise healthy organisation. In response, management typically takes either a ‘detect and restrict’ or an ‘ignorance is bliss’ approach.
‘Detect and restrict’ actively scans for Shadow IT and blocks it across the whole organisation, in many cases stifling any chance of creating a culture of innovation.
‘Ignorance is bliss’ takes a more laissez-faire approach, trusting business functions to do the right thing. However, without the right skills to manage and govern these products, it leaves the organisation open to security breaches and costly remediation.
Instead, an ‘embrace and manage’ approach should be examined. With the prevalence and persistence of Shadow IT creeping into organisations, effective management of it should be practised and prioritised.
“The costs of not managing Shadow IT can be hard-hitting… so the price tag to manage it cannot be ignored.”
How did we get here?
Shadow IT may pose a significant security risk and ballooning costs, but rarely do end-users engage in it with malicious intent. Although there are many ways Shadow IT can creep into an organisation, the more common means is through end-users who are looking for efficiency or a new exciting way to do their job.
At a large organisation, Operations field staff, who are tasked with recording vegetation and other geological data, are required to transcribe hand-written notes (gathered in the field) into a system. This legacy system required the staff laptop to be connected on-site to the office network in order to record field data or assign work. One employee saw an opportunity and began trialling a free version of a cloud-based file sharing platform to store these field audits and work assignment documents. The practice quickly grew a following within the Operations function, and by the time the IT function caught up, hundreds of files had already been uploaded, including identifiable asset data, internal policies and procedures, timesheets and other sensitive information. Conscious that this trial version was on a public cloud, IT responded by withdrawing all sensitive files and procuring a private instance. The rapid deployment also meant that proper procurement and risk assessments were not performed adequately, complicating privileged access management: hundreds of non-IT users were given default rights to modify roles, folder paths and hierarchies, creating conflicting access structures. Additionally, data obscurity became an issue, as the parallel use of the two systems (the legacy system and the cloud application) introduced source-of-truth conflicts and an increased reconciliation and clean-up workload.
The unaddressed pain points
Business functions often look to IT as their gate guardians and armourers. It is part of the IT team’s responsibilities to ensure business functions are well-equipped to do their jobs through technological enablement, as well as securing the organisation from external threat.
As organisations grow and business functions begin to perceive that IT is not keeping up or is not equipping them with more exciting software, it becomes more tempting to make ad-hoc decisions, often under IT’s radar.
There is also the view that IT’s tight oversight often means slowing down the business’ pace in chasing profits. Unaddressed, this misalignment can hinder any desire for collaboration, and even entice business end-users to bypass the traditional IT function for system development.
The innovation culture as a double-edged sword
Add to the cauldron a top-down celebration for agility, creativity, out-of-the-box methods and self-serve processes (on the basis that ‘the end-user knows best’), and you will often brew the optimal environment for Shadow IT.
With the modern landscape of easily accessible online courses, cloud applications, widespread technical literacy and abundant user-friendly development tools, gone are the days when application creation and customisation activities were costly and reserved only for the academically initiated.
While it can be exciting to jump on the innovation and agility bandwagon, doing so without appropriate safety measures can lead to disaster. In such a fast-paced technological age, effective risk and security behaviours have become a must.
Embrace and manage
For those facing this conundrum of responding to Shadow IT, one of the ways to better manage it is to discover, empower and educate.
1. Discover: enterprise-wide triage
Locating applications and vendor relationships outside of the IT function’s catalogue can be a time-consuming but valuable exercise. There are tools which can assist by automatically discovering non-compliant applications, one being Cloud Access Security Brokers (CASBs). These can be a quicker win than trawling through vendor invoices to spot outliers, or undertaking manual discovery through step-by-step walkthroughs.
Once these Shadow IT artefacts are identified, assess the potential for data loss, leakage and security compromise, and cull those that are deemed high risk (according to the organisation’s risk appetite thresholds).
For the remaining instances, consider whether it is acceptable to retain and secure them, taking into account the effort required and the capacity available from IT to onboard these systems.
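As an added illustration of the discover-and-triage step (this is example code, not from the original article and not a CASB product): a short Python script that aggregates constructed web-proxy log lines per destination host, drops hosts already in the IT catalogue, and rates the remainder against assumed risk-appetite thresholds. All hostnames, users, byte counts and thresholds are invented for the example.

```python
"""Shadow IT discovery triage over proxy logs (illustrative, not a CASB)."""
import re
from collections import defaultdict

# Constructed sample of web-proxy log lines: timestamp user method host bytes_out
# (all hostnames and users are invented for this example).
PROXY_LOG = """\
2024-03-01T09:02:11Z alice POST files.example-share.net 5242880
2024-03-01T09:05:40Z bob   POST files.example-share.net 1048576
2024-03-01T09:06:02Z carol GET  files.example-share.net 2048
2024-03-01T10:11:09Z dave  GET  corp-gis.example.internal 4096
2024-03-01T10:30:55Z erin  POST notes.example-app.io 512000
2024-03-01T11:00:00Z alice POST files.example-share.net 2097152
"""

# Apps already in the IT catalogue; anything else is a discovery candidate.
SANCTIONED = {"corp-gis.example.internal"}

LINE_RE = re.compile(r"^(\S+) (\S+)\s+(\S+)\s+(\S+) (\d+)$")

def discover(log_text, sanctioned):
    """Aggregate unsanctioned hosts: distinct users and bytes uploaded (POST)."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        _, user, method, host, nbytes = m.groups()
        if host in sanctioned:
            continue
        apps[host]["users"].add(user)
        if method == "POST":
            apps[host]["bytes_out"] += int(nbytes)
    return apps

def triage(apps, max_users=2, max_upload_bytes=4 * 1024 * 1024):
    """Rate each candidate against risk-appetite thresholds (assumed values)."""
    verdicts = {}
    for host, info in apps.items():
        many_users = len(info["users"]) > max_users
        heavy_upload = info["bytes_out"] > max_upload_bytes
        if many_users and heavy_upload:
            verdicts[host] = "cull"     # wide adoption plus bulk uploads: high risk
        elif many_users or heavy_upload:
            verdicts[host] = "assess"   # retain and secure if IT has the capacity
        else:
            verdicts[host] = "monitor"
    return verdicts
```

The thresholds stand in for the organisation’s own risk appetite; a real run would also join the candidate list against vendor invoices to catch paid services that never appear in proxy traffic.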
2. Empower teams to manage their application portfolio
Instead of punishing business functions when their innovative drive paves the way for Shadow IT, encourage them to better maintain and control their application portfolio. The IT function should still support the business in the BAU maintenance, security and troubleshooting (within capacity) of these systems, but the strategic use-case and dependency should be owned primarily by the business.
In this way, accountability is given to the business to define what applications or tools are considered core, with the IT function focussed on education and supporting simplified and secure technology use.
3. Educate: invest in end-user awareness
Data breaches and data loss events are relevant to all organisational functions in every industry; they can occur at any time and originate from any team. It is therefore imperative that the whole organisation stays aware of, and capable of, good risk management practices.
Without such awareness, the average end-user may gather the confidence and impulse to implement unsanctioned systems out of a word-of-mouth referral or the perceived reputation of the system.
Risk and IT teams, with the support of senior management, play a key role in the education of end-users in promoting good risk management practices and curbing the unauthorised commissioning of Shadow IT services.
While the drivers are not new, the ease with which Shadow IT can creep into many modern organisations makes it more potent than ever.
The friction when aligning strategic objectives between IT and business functions, the desire to innovate, and the need to protect the organisation make an active approach critical to the modern organisation’s success.
Indeed, the cost of not managing Shadow IT can be hard-hitting – increased workload, ballooning costs and significant security concerns – so the price tag to manage it cannot be ignored.
If the ‘detect and restrict’ approach inhibits innovation, and an ‘ignorance is bliss’ inclination leaves the door open to a large remediation price tag, let us instead take proactive steps, embrace the potential emerging out of Shadow IT and stay alert to how best to manage it.