Hidden Risk for CIOs: A Guide to Managing Shadow IT Security

Shadow IT is rampant in many organizations, representing as much as 50 percent of a company’s technology spending, on average. And it can have a number of consequences for a business. First and foremost is the shadow IT security issue: Gartner has predicted that, by 2020, one-third of all successful cyberattacks on enterprises will be made on their shadow IT resources. It can also be a huge drain on IT resources, as well as having the unintended effect of slowing down the business over time.

Shadow IT essentially allows anybody with a credit card and access to the internet to become their own IT department, says Gene Fredriksen, Chief Information Security Strategist for PSCU. With the cloud, this phenomenon is especially prevalent: 80 percent of employees admit to using a non-approved cloud application at work. And many are using them to add value to other applications or customers.

But while the intent and outcome of shadow IT is generally positive, says Fredriksen – driving business results, serving a customer need – it can negatively impact an IT department, and the overall business, in several ways.

How Does Shadow IT Affect IT Operations – And the Business as a Whole?

First and foremost, CIOs need to recognize that shadow IT can often be a symptom of a deeper problem.

“The whole cycle starts with the business saying, ‘You guys aren’t really responding to my needs, technology is changing, my business needs are changing rapidly, so I’m going to go out and do something on my own,” Fredriksen said on the webinar “Solving Shadow IT: Information Security and Governance Strategies.”

Eventually, this backlog can drive multiple departments to choose their own tools and vendors, resulting in an inefficient and insecure patchwork of solutions throughout the company. Over time, business units may also begin approaching IT to integrate these cloud applications with back-end data sources. This can place an additional load on IT resources – all because a business unit didn’t want to involve IT in the first place.

“Your resources are taxed by managing all that extra complexity, and you become slow to respond to the business units and emerging technology,” said Fredriksen. “That’s the IT death spiral.”

According to Fredriksen, the impact of shadow IT can be measured in two ways:

Impact to the business unit. The business unit needs to quickly solve a customer demand. It doesn’t have time for an 18-month implementation cycle, nor does it have the budget for an internal solution or contract with a big-time vendor. Agility is key, and decentralization is the norm. This leads to a leaner organization and a flatter hierarchy, which has been shown to benefit companies financially and strategically.

Impact to the IT department. The IT department, on the other hand, may be glad the business units are taking this initiative, but are aware of bigger issues lurking on the horizon. They’ll want to know if the business unit leader has considered disaster recovery and backups. What is their plan if the vendor goes away? Who is providing vendor governance? How are they managing shadow IT security?

“If you want me to help you with your technology, I need to be aware of what you’re using,” warned Fredriksen. “When things go bad, if you expect IT to help you do the firefighting, they need to be included in the process and have security guidelines to prevent fires from happening in the first place.”

How Can CIOs Manage Shadow IT and Security?

So what can CIOs do when faced with shadow IT? It all starts with policies and communication.

“You can’t say no,” Fredriksen said. “You can’t break fingers when somebody goes out and tries to do something to solve a customer need. But you have got to all get on the same page.”

Here are some steps that can make shadow IT a value, rather than a threat, for a business.

1. Establish a policy and implement identity and access prevention. This is not an IT-centric activity; the entire business needs to be involved in establishing a future-facing direction and. “It might be, in the long term, to reduce the number of vendors in this area, but you need to give people the ability to define a migration path that meets their business needs,” Fredriksen advised.

2. Develop a strategy for resolving business needs. An effective CIO is broadminded and inclusive; a protectionist technology leader will only end up harming the business, so a balance must be struck. IT’s role is to allow the business to support its business. But communication is essential. “Let the business know the repercussions of bypassing IT, particularly if you want to get to the back-end data,” Fredriksen said. “But you’ve got to earn their respect. If they honestly believe you’re being too rigid and never deliver on time, they will continue to go around you.”

3. Find out what applications are being used. New solutions crop up every day, and there’s evidence that CIOs underestimate the prevalence of shadow IT in their organization – the average CIO believed they had 51 cloud services in their organization, while the actual number was 730. This underestimation is even higher in the financial services industry, with 17 to 20 times more cloud applications running than the CIO originally thought. Shadow IT security can be easily overlooked if you don’t even have a handle on what applications are being used.

To find out what’s out there, many organizations are leveraging internal audit teams to uncover any shadow IT or distributive processing in business units. Ask other unit heads about their policies, plan for availability, and oversight.

“Nine times out of 10, they’ll say, ‘We haven’t thought of that’,” Fredriksen said. This isn’t always the most comfortable task, as some users of unauthorized applications may sit in the executive suite. Still, it’s important to identify who is leveraging unapproved apps. In addition to internal audits, look at outbound proxy and web traffic. You can also outsource these tasks to a third party.

4. Find out what data lies in the applications. Once you have an idea of what’s being used, you need to satisfy auditors and regulators and find out what data these third-party applications are capturing. The data may not always be obvious – they may be buried in a screenshot or an attachment. But watch out for personally identifiable information (PII), personal health information (PHI), financial information, card data, intellectual property, and other valuable information that could be sitting on cloud applications and servers.

5. Focus on controls. Now that we know the data that’s proliferated, how is it being controlled? Are the units leveraging real-time monitoring? Who has access? What types of external threats exist? Who did the risk assessment for the application? Who’s accountable? That last question is particularly important in a corporate structure.

“If an external data source or service is being used, someone has to be accountable, accept the risk, and sign the bottom line,” Fredriksen said. “Very few people want to do that, and that’s where they look for IT’s help.” Make sure you’re bringing everybody in, including internal auditors and executive management, to develop firm foundations based on best practices.

6. Develop a monitoring strategy. A monitoring strategy can help ensure that any software, extensions, and add-ons are clear of malware, viruses, or bots that can pose a significant internal threat to your data and applications. And it can spot the potential use of shadow IT by monitoring for unauthorized API access and other calls. “It’s your job as IT to identify the users of your data and what threat it may pose,” Fredriksen said.

7. Leverage clear, easy-to-use tools. Many applications, like Salesforce, offer audit logs. These audit logs contain valuable information about how users are interacting with Salesforce. They are, however, often complex and difficult to interpret. PSCU’s solution, Imprivata FairWarning for Cloud Solutions for Salesforce, provides Fredriksen and his team with an easy-to-read report that delivers immediately actionable insights. This is especially important when dealing with the decision-makers and end users of these shadow IT applications.

“They won’t understand anything about a dump type of report,” Fredriksen said. “You have to provide feedback to them in a way they understand.” Rather than developing a program from the ground up, organizations may prefer to leverage the experience of industry leaders that can offer prebuilt reports and database monitoring to bring structure to a data and application governance program. Not only do these simple tools provide valuable insight to business-minded users, but they also help IT deliver more quickly and effectively, and to better manage shadow IT security.

“Remember that the thing that started this whole thing was IT’s inability to respond. If you’re saying it will take a year to develop controls, you’ve shot yourself in the foot. You have to keep pace. You’re building a respect and a relationship with those business units, and you’ve got to maintain that.

The tidal wave is coming, said Fredriksen: 90 percent of IT spending will take place outside IT within 10 years. “You have to learn to swim,” he added. “Buying a bigger boat won’t do it.”

CIOs, then, need to position their IT departments and the overall business for success.

“Develop the tools that allow you to operate at the speed of business and satisfy demand,” Fredriksen said. “We have to change, they have to change, and we need to meet in the middle – or there will be serious problems going forward.”