Shining a Light on Shadow IT

Cisco:  15 to 25 times the number of known cloud services are purchased by employees without IT involvement.

These are just two examples of the quiet, but pervasive, existence of shadow IT in enterprises today. Although the name “shadow IT” sounds like something that might appear in an espionage novel, it is very real and very alarming, as we discovered in gathering material to write ISACA’s new white paper, Shadow IT Primer. We interviewed business and technology professionals whose responsibilities include IT operations, audit and security, and who deal with shadow IT on a regular basis. Their insights and real-world examples give the ISACA publication a perspective that is not reflected in other articles on the topic.

Shadow IT can be defined as applications and services that are used within an enterprise without having been reviewed, tested, approved, implemented or secured by the enterprise’s IT and/or information security function. Or, as one of the professionals interviewed put it: If you want to know what specific and timely functionality employees need but your enterprise is not currently providing, take a look at the shadow IT discovered in your business.

Employees are at the heart of shadow IT – well-meaning, innovative employees. They want to do a good job but are hindered by a lack (or lack of awareness) of the tools they need to do so. They are drawn to shadow IT’s usefulness, which they can generally acquire and start using in minutes by skipping the IT department’s vetting process.

This seems fairly innocuous, so why do enterprises care about shadow IT? Because those applications can enable significant data breaches, which may result in substantial financial loss. In addition to the obvious security risk, the threats associated with shadow IT include regulatory noncompliance, inadequate or unenforced policies, and reputational damage.

Many organizations have found that a range of approaches to address the risk is more effective than a single solution. A few of the controls used by the professionals interviewed for ISACA‘s publication include:

• A shadow IT policy that outlines expected behaviors
• Transitioning the IT department from detection and punishment to acceptance and protection
• Using IT budgeting and procurement controls to shut down unapproved purchases
• Restricting users’ ability to freely install applications
• Educating users about the potential risk of shadow IT and the existence of an approval process

In ISACA’s white paper, these controls, and others, are fleshed out with implementation criteria and assessment methods.

Control does not necessarily equate to elimination of risk. In fact, many organizations are taking an “embrace” rather than “eliminate” approach to shadow IT. Of course, sometimes it is necessary to pull the plug. No matter how beneficial an application may appear, if it shows potential to harm the enterprise, it must be shut down immediately. The risk is too great to do otherwise.

But, even in an “eliminate” situation, there is room to “embrace” as well. A progressive approach entails realizing that, although a particular application needs to be dismantled, there is benefit in considering the problem the application is attempting to solve and empowering the IT function to find or build a safe and secure replacement – right away.

It is reasonable to assume that every enterprise contains shadow IT, given the ease and relative affordability of acquiring it, coupled with employees’ desire to fill needs or leverage opportunities with minimal delay. Savvy enterprises recognize this and mine the potential benefits, while managing the associated risk.

Jane Seago, Business Writer, and Terry Trsar, Business Consultant

[ISACA Now Blog]