
The security and risk management of shadow IT

Robert C. Covington | Aug. 25, 2015
The devil you know is better than the devil you don't know.


Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, "Are we surrendering the cyberwar?" Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address.

In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT.

According to Techopedia, the term "shadow IT" "is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization." The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department's perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director.

According to a recent study by Cisco, surveyed CIOs reported that, on average, there are 51 cloud services running in their organizations. Cisco determined, however, based on its own data analysis, that the number is closer to 730. They found that those services typically fell into the software-as-a-service and infrastructure-as-a-service categories. The reasons for this could fill a small book, but the fact is they are out there, and must be considered from the perspective of security controls.

I am a fan of the old saying "ignorance is bliss," but it certainly does not apply in the case of shadow IT. Ultimately, IT is responsible for the technology within the organization, even that which it doesn't know about. That may seem unfair, but it is reality. If there is a security breach or audit failure, the IT head will be summoned to the CEO's office, regardless of the source.

The challenge for corporate IT, therefore, is to find and secure such applications. I perceive that many IT heads are reluctant to apply the necessary controls, because they want to avoid the conflict, especially when faced with the fact that they don't have the resources to handle all of the requests that such controls would generate. I would suggest, however, that the risks posed by such systems are far greater than the probable backlash resulting from their control. Perhaps it is just me, but I would rather be fired for doing my job than to work in a conflict-free company, just waiting for that call from the CEO.
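The gap between what CIOs report and what Cisco measured, and the task of "finding" such applications, both come down to the same exercise: comparing the list of services IT has sanctioned against the services that actually appear in outbound traffic. The script below is an added illustration of that exercise, not code from the article or from Cisco. The proxy log lines, the approved list and the catalogue of cloud-service domains are all constructed for the example; a real deployment would feed it the organisation's own proxy or DNS logs and a maintained catalogue of SaaS/IaaS domains.

```python
"""Added example (not from the original article): estimate the gap between the
cloud services IT has sanctioned and the services actually in use, from
outbound web proxy logs. The log lines below are constructed, and both
the approved list and the cloud-service catalogue are hypothetical."""

from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of proxy log lines: timestamp, source user, destination URL.
SAMPLE_PROXY_LOG = """\
2015-08-20T09:01:12Z alice https://docs.example-office.com/d/123
2015-08-20T09:02:40Z bob https://api.example-office.com/v1/files
2015-08-20T09:05:03Z carol https://share.fileshare-unknown.net/upload
2015-08-20T09:07:19Z alice https://share.fileshare-unknown.net/u/abc
2015-08-20T09:09:55Z dave https://crm-startup.io/login
2015-08-20T09:11:08Z erin https://www.example-news.com/story
2015-08-20T09:12:30Z bob https://crm-startup.io/contacts
2015-08-20T09:15:44Z frank https://share.fileshare-unknown.net/u/def
"""

# Hypothetical list of services IT knows about and has approved.
APPROVED_SERVICES = {"example-office.com"}

# Hypothetical catalogue of domains that count as cloud (SaaS/IaaS) services.
# Anything not in it (news sites, etc.) is ignored by the report.
KNOWN_CLOUD_SERVICES = {"example-office.com", "fileshare-unknown.net", "crm-startup.io"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for this
    sample; real code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_log(text: str):
    """Yield (user, service_domain) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, user, url = parts
        host = urlsplit(url).hostname
        if host:
            yield user, registrable_domain(host)


def shadow_it_report(log_text: str, approved=APPROVED_SERVICES,
                     catalogue=KNOWN_CLOUD_SERVICES) -> dict:
    """Summarise sanctioned vs unsanctioned cloud-service use.

    Returns the number of distinct cloud services observed, the number IT
    has approved, and for each unsanctioned service the users and request
    count, so the report can drive a conversation rather than a guess."""
    users_by_service = defaultdict(set)
    hits = Counter()
    for user, service in parse_proxy_log(log_text):
        if service in catalogue:
            users_by_service[service].add(user)
            hits[service] += 1
    unsanctioned = {s for s in users_by_service if s not in approved}
    return {
        "services_seen": len(users_by_service),
        "services_approved": len(approved),
        "unsanctioned": {
            s: {"users": sorted(users_by_service[s]), "requests": hits[s]}
            for s in sorted(unsanctioned)
        },
    }


if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_PROXY_LOG)
    print(f"IT approved {report['services_approved']} cloud service(s); "
          f"traffic shows {report['services_seen']}.")
    for svc, info in report["unsanctioned"].items():
        print(f"  unsanctioned: {svc} used by {', '.join(info['users'])} "
              f"({info['requests']} requests)")
```

On the constructed sample the report shows one approved service against three in use, with two unsanctioned file-sharing and CRM services and the users relying on them. The point of listing users per service is the one the article makes next: those users will need somewhere to go once controls are applied, so the discovery output should feed a migration or approval workflow, not just a block list.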

