Shadow IT refers to any technology that is used in a company without the oversight of the IT department. The scope of Shadow IT is commonly underestimated. A recent survey by Cisco found that, on average, IT departments assumed their companies used 51 cloud services when, in fact, employees were using 730 cloud services.
We see this “shadow” firsthand at Pivot Point Security. In delivering our ISO 27001, ISO 22301, and Vendor Risk Management services we are increasingly struggling with the challenge of Shadow IT. For example:
- During a recent ISO 27001 consulting engagement, we were working through scope definition with a technology consulting services company. Their scope was centered on the sensitive technical information that they gathered, augmented, and returned to their clients. The company believed that it had a highly structured and consistent approach across its different practices, which should have resulted in a relatively straightforward scope with already well-contained risk. However, as we extended our interviews into the different practices, what we found was a very different picture. Different practices, and even different consultants within each practice, had developed alternative “Shadow IT” approaches to challenges they encountered with the project management, collaboration, and document delivery systems that the practices run on. Rather than a single model, there were a number of additional project management tools (e.g., Smartsheet, Basecamp), collaboration tools (e.g., Slack), and document sharing services (e.g., Dropbox, Box) in use. The company was shocked to learn how much of its clients’ sensitive information was currently within the control of unauthorized, un-vetted outside parties.
- Helping an organization develop a Vendor Risk Management program generally involves getting a list of all current vendors. The most common strategy is to get this from the Accounts Payable group. With Shadow IT, that approach leaves large gaps, as most Shadow IT vendors are not paid in that manner. We have turned to two strategies here: 1) reviewing expense reports (credit card payments) to identify all paid Shadow IT vendors, and 2) reviewing outbound firewall logs and mapping destinations against a known Shadow IT vendor list. Neither approach is perfect, but there currently is not a perfect alternative.
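Both discovery strategies can be scripted and their results combined, so that free-tier services (visible only in firewall logs) and paid services (visible only in card feeds) end up in one list. The following is an added example and is not Pivot Point Security's tooling: the key=value log format and its field names (`action`, `src`, `dsthost`), the expense-report columns, the vendor list and every log and expense line are constructed for illustration, and a real deployment would take the vendor list from a CASB or cloud-service catalogue.

```python
"""Correlate outbound firewall logs and expense-report lines against a
known-SaaS vendor list to surface Shadow IT candidates (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed vendor list: registrable domain -> vendor name. A real list
# would come from a CASB or cloud-service catalogue; this is a sample.
KNOWN_SAAS = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "slack.com": "Slack",
    "smartsheet.com": "Smartsheet",
    "basecamp.com": "Basecamp",
}

# Constructed key=value firewall log lines; the field names are assumptions.
SAMPLE_FW_LOGS = """\
2024-03-01T09:12:03Z action=allow src=10.1.4.22 dst=162.125.1.1 dsthost=content.dropbox.com dport=443
2024-03-01T09:12:09Z action=allow src=10.1.4.22 dst=52.1.2.3 dsthost=app.slack.com dport=443
2024-03-01T09:13:41Z action=allow src=10.1.7.10 dst=93.184.216.34 dsthost=www.example.com dport=443
2024-03-01T09:14:02Z action=allow src=10.1.7.10 dst=104.16.0.5 dsthost=files.smartsheet.com dport=443
2024-03-01T09:14:30Z action=deny src=10.1.9.5 dst=8.8.8.8 dport=53
2024-03-01T09:15:11Z action=allow src=10.1.4.22 dst=162.125.1.1 dsthost=content.dropbox.com dport=443
"""

# Constructed expense-report export (merchant strings as a card feed shows them).
SAMPLE_EXPENSES = """\
date,employee,merchant,amount
2024-02-14,jdoe,DROPBOX*PLUS 1Y,119.88
2024-02-20,asmith,BASECAMP LLC,99.00
2024-02-21,jdoe,AMAZON WEB SERVICES,12.40
2024-02-28,bwong,SMARTSHEET INC,25.00
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line):
    """Return a dict of the key=value fields found on one log line."""
    return dict(KV_RE.findall(line))


def registrable_domain(host):
    """Reduce a hostname to its last two labels. Sufficient for this sample;
    a real tool should use the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shadow_it_from_firewall(log_text, vendors=KNOWN_SAAS):
    """Attribute allowed outbound connections to known SaaS vendors.
    Returns {vendor: {src_ip: connection_count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_fw_line(line)
        if fields.get("action") != "allow" or "dsthost" not in fields:
            continue  # denied traffic and IP-only entries cannot be attributed
        vendor = vendors.get(registrable_domain(fields["dsthost"]))
        if vendor:
            hits[vendor][fields["src"]] += 1
    return {v: dict(srcs) for v, srcs in hits.items()}


def shadow_it_from_expenses(csv_text, vendors=KNOWN_SAAS):
    """Match merchant strings against vendor names as whole words, so that
    "Box" does not fire on "DROPBOX". Returns {vendor: total_amount}."""
    totals = defaultdict(float)
    patterns = {name: re.compile(r"\b" + re.escape(name.lower()) + r"\b")
                for name in vendors.values()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        merchant = row["merchant"].lower()
        for name, pat in patterns.items():
            if pat.search(merchant):
                totals[name] += float(row["amount"])
    return dict(totals)


def combined_report(log_text=SAMPLE_FW_LOGS, csv_text=SAMPLE_EXPENSES):
    """Union of both sources so paid and free-tier services both appear."""
    fw = shadow_it_from_firewall(log_text)
    ex = shadow_it_from_expenses(csv_text)
    return {v: {"sources": fw.get(v, {}), "spend": ex.get(v, 0.0)}
            for v in sorted(set(fw) | set(ex))}


if __name__ == "__main__":
    for vendor, info in combined_report().items():
        print(f"{vendor}: {sum(info['sources'].values())} connections "
              f"from {len(info['sources'])} hosts, ${info['spend']:.2f} expensed")
```

On the constructed data Basecamp appears only in the card feed and Slack only in the firewall logs, which is exactly the gap each strategy leaves on its own; the per-source-IP counts also give a starting point for the "identify the data being consumed" step, since they say which hosts to follow up on.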
As you might expect, containing the risk associated with Shadow IT isn’t easy. Critical steps include:
- Identify its use.
- Identify the data that is being consumed by Shadow IT and the risks associated with it.
- Identify whether a Shadow IT service is managing the risk to an acceptable level.
- If possible, ensure that the necessary risk treatments are contracted, including incident response requirements.
- Where necessary, find an alternative approach.
We know a bit about this. As Pivot Point Security was going through its own risk assessment earlier this year, we were surprised to learn that our staff was using Shadow IT for information that we classify as “sensitive.” Joy.