The Return of Shadow IT – and the Need to Remain Vigilant

By Rob Price, Senior Specialist Solutions Consultant and Global Lead for Risk & Compliance, Snow Software

Over the years, shadow IT has been a bit like a fashion trend: at one point it captivated the attention of security-conscious organizations around the world, and then it came to be accepted as simply part of doing business. With the shift toward remote working, however, cybersecurity in general has become a top concern for most businesses, and within that concern they are witnessing a resurgence of shadow IT.

This resurgence looks like a response to a larger, more fundamental shift over the past several years: IT teams have moved out of the role of technology gatekeeper and into the role of advisor.

As business units continue to drive budget and spending decisions for the technologies they need, organizations must grapple with a two-sided reality. On one side, shadow IT is a sign that purchasing power has moved, and will stay moved, for the foreseeable future. On the other, it is a serious security challenge that still has to be solved.

Determining how to manage shadow IT in today’s era of remote or hybrid work environments – and during a continued evolution of the IT and security teams – requires a few considerations.

What about your data?

After years of combating shadow IT, CIOs and their IT and security teams recognize that regaining complete control may never be attainable. The new procurement stakeholders, whether business units or individuals, have changed how IT and security teams are able to respond.

Methods such as outright blocking the download or installation of specific applications are hard to sustain given the sheer number of new applications available to businesses today. It is inevitable that plenty of them will slip through the cracks, along with details of their cost, subscription terms and conditions, bandwidth requirements and even their potential vulnerabilities. Of all the blind spots organizations face, the biggest question IT and security teams should ask is: what about the data?

As many global organizations have embraced digital transformation over the past year, data has become a strategic asset whose value keeps growing, and the need for security controls rises along with it.

Consider what would happen if corporate IP fell into the wrong hands, whether through a sophisticated cyber-attack or through unintentional exposure such as an unpatched vulnerability or a misconfigured S3 bucket. Private use of some enterprise collaboration applications, for example, can expose an enterprise's data to the vendor, because some vendors apply their consumer end-user licence agreement to business customers who sign up individually rather than under an enterprise contract.

Many applications are incredibly easy to start using, but when the organization later wants to change course it can be difficult to remove the data from the platform, or even to obtain a copy of it.

There are also data protection regulations that most organizations must comply with. Many of them, GDPR among a host of others, require enterprises to know where their data is at all times and to demonstrate effectively how it is protected. Shadow IT makes both tracking and protecting that data a serious challenge.

How do you get a handle on shadow IT?

Many cyber security frameworks, including the NIST Cybersecurity Framework (asset management under its Identify function) and the CIS Critical Security Controls (whose first two controls are inventories of enterprise assets and of software assets), expect organizations to have IT or software asset management practices in place, because that inventory provides the insight required to strengthen overall security posture.

Discovery and inventory capabilities within these programs (or their supporting technologies) provide additional transparency by answering essential questions: what does the enterprise have, who has access to it, and how is it being used? These programs can also surface duplicate or under-licensed tools, which helps optimize budgets and resources, minimize the fees associated with vendor audits, and raise red flags for data at risk.
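As an added illustration of the discovery step described above (this is example code written for this edit, not code from the article or from any Snow Software product), the script below reads web proxy log lines in a constructed, simplified format, skips traffic to hosts on a hypothetical sanctioned-application list, and summarizes every other host by who used it, how many requests were made and how many bytes were uploaded. The hostnames, the log format and the sanctioned list are all assumptions for the example; a real allow-list would come from the software asset management inventory and the log format from the actual proxy or firewall.

```python
"""Shadow IT discovery from web proxy logs.

Added example, not code from the original article or from any vendor.
Assumed (constructed) log line format:
    <ISO timestamp> <user> <method> <host> <bytes_out>
Answers, for unsanctioned hosts: what is in use, by whom, and how much
data is leaving the organization through it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical sanctioned applications, keyed by host suffix. In practice
# this list would be exported from the ITAM/SAM inventory.
SANCTIONED = {
    "sharepoint.example.com": "Corporate file share",
    "slack.com": "Slack (enterprise contract)",
}

# Constructed sample log lines (not real traffic); hostnames are invented.
SAMPLE_LOG = """\
2021-03-01T09:02:11Z alice POST sharepoint.example.com 20480
2021-03-01T09:05:43Z bob   POST upload.dropbox-like.example 5242880
2021-03-01T09:07:02Z alice POST upload.dropbox-like.example 1048576
2021-03-01T09:09:30Z carol GET  app.slack.com 512
2021-03-01T10:15:00Z bob   POST api.notes-saas.example 4096
2021-03-01T10:16:00Z dave  POST api.notes-saas.example 8192
malformed line that should be skipped
"""


@dataclass
class HostUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # only counts request bodies (POST), i.e. uploads


def is_sanctioned(host: str) -> bool:
    """True if host equals, or is a subdomain of, a sanctioned host.

    The leading dot matters: 'notslack.com' must not match 'slack.com'.
    """
    return any(host == s or host.endswith("." + s) for s in SANCTIONED)


def parse_line(line: str):
    """Return (user, method, host, bytes_out) or None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, method, host, bytes_out = parts
    try:
        return user, method.upper(), host.lower(), int(bytes_out)
    except ValueError:
        return None


def find_shadow_apps(log_text: str) -> dict:
    """Aggregate usage of every host that is not on the sanctioned list."""
    usage = defaultdict(HostUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        user, method, host, bytes_out = rec
        if is_sanctioned(host):
            continue
        entry = usage[host]
        entry.users.add(user)
        entry.requests += 1
        if method == "POST":
            entry.bytes_out += bytes_out
    return dict(usage)


def report(usage: dict) -> list:
    """Rows of (host, distinct users, requests, bytes_out), largest egress first."""
    return [
        (host, len(u.users), u.requests, u.bytes_out)
        for host, u in sorted(usage.items(), key=lambda kv: -kv[1].bytes_out)
    ]


if __name__ == "__main__":
    for host, n_users, n_req, out in report(find_shadow_apps(SAMPLE_LOG)):
        print(f"{host:32} users={n_users} requests={n_req} bytes_out={out}")
```

One caveat a practitioner will hit immediately: a consumer account and an enterprise tenant of the same application usually share the same domains, so domain-level discovery alone cannot tell a sanctioned Slack workspace from an employee's private one. Closing that gap needs a second source, such as identity provider or SSO logs, or an endpoint agent that reports which account is signed in, which is exactly the kind of inventory detail the asset management program is meant to hold.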

This is where collaborating with additional stakeholders, such as a Chief Data Officer (CDO), can also help. According to Gartner, three-quarters of larger organizations will have a CDO by 2021. Working side by side with the CDO, a CIO and their team can create a governance framework and enforce appropriate data governance across the tools that discovery brings to light.

Understanding how each technology resource collects, stores and protects data, whether it is software, an application, a cloud service or hardware, informs the overall data strategy and major initiatives like digital transformation. It is also essential for developing and driving data protection strategies.

How can IT enable the workforce?

Having the tools, governance, policies, and procedures in place to better manage shadow IT is only part of the equation.

IT teams are under considerable pressure to find and maintain the right balance between managing technology resources, budget and security measures, and it is difficult for them to be part of every department-led buying discussion.

Often these purchasing decisions are driven by a need to complete work or a project more efficiently or effectively, perhaps with tools the team is already familiar with rather than the ones the organization already offers. In some cases, teams may not even know they have similar resources available to them. This is where a two-way dialogue and ongoing enablement become essential.

Ongoing, engaging education, not just a running list of things employees are not allowed to do, is important for making the workforce feel informed. As part of this process, consider how to transform the perception of IT and security into that of a trusted advisor.

That might happen through office hours, ask-me-anything sessions, or simply dropping by team meetings to learn what resources teams need. In some cases, IT and security teams will be able to assess a team's needs more accurately and recommend tools that have already been vetted, develop an internal software or application store, or offer help throughout the application purchasing process.

Ultimately, the best way to grapple with an influx of shadow IT is to employ a mix of strategies and resources across the organization. IT and security teams need to ensure that appropriate governance and guardrails are in place so that, if something goes wrong, they have not lost sight of what is in their environment.

At the same time, continued dialogue with employees gives IT and security teams an additional layer of transparency for staying on top of potential shadow IT. In turn, employees become part of the solution, protecting the organization by building security-conscious habits and making better choices.