Willful blindness and security culture – the risks of shadow IT

As revelations about former studio executive Harvey Weinstein stream in, it may seem unbelievable that clearly unacceptable practices continued unchecked for decades. Each hour seems to bring a new revelation or disclosure, and a common theme: there was a general awareness of his behavior within the industry and the organization. Where does awareness become acceptance, and acceptance endorsement?

Enter shadow IT. Shadow IT refers to ‘systems and solutions built and used inside organizations without explicit organizational approval.’ Examples of shadow IT include cloud solutions (e.g., software as a service), hardware, software, non-company email accounts, Excel macros and personal devices that have not been sanctioned by the IT department. It is worth noting that many shadow IT solutions contain sensitive corporate data.

Why does shadow IT exist? In some cases, business unit appetite for innovative solutions exceeds IT’s capacity to deliver. In others, business users are looking for easier ways to get their work done, and find ways around the security controls and processes that slow them down. Technology vendors actively pursue business unit executives, Board members, and trusted partners directly, bypassing IT. Finally, shadow IT may originate with demands from a prized customer or strategic partner, one that the business deems at risk and too big to lose.

HPE shares that ‘IT spending by non-IT business units is growing more than twice as fast as traditional IT departments.’ Although this figure includes projects that IT is aware of and supports, shadow IT flourishes under such conditions.

Shadow IT is often, but not always, invisible to the IT department, and as such is essentially ungoverned. Regardless of the source, shadow IT may start out as a seemingly innocuous proof-of-concept. IT leadership may not learn of shadow IT until support, integrations, or large amounts of data are requested months, even years later. Respected business unit leaders may even be able to identify a resource deep within IT to help them support their project, without the awareness of IT management.

This is where willful blindness comes in. In some firms, the existence of shadow IT is an open secret. In others, while it may be suspected, rumors are not investigated and practices are allowed to continue unchecked. It is worth noting that not all firms tolerate shadow IT; some make active efforts to prevent it from taking hold. The tolerance level for the risks presented by shadow IT comes down to organizational culture, politics, the strength of and respect for the IT leader, and the degree of respect for information security and governance at all levels of the organization.

Make no mistake, shadow IT represents a material risk and liability to organizations, particularly when it comes to data security governance. Data held in unsanctioned systems typically sits outside the organization’s asset inventory, access reviews, logging, backup and retention controls, so it cannot be protected, monitored or accounted for when something goes wrong. A data breach is a data breach, whether it originates from a legitimate, authorized application or from shadow IT. Apart from data breach and other security risks, shadow IT contributes to inefficiencies, inconsistency and strained relations between business units and the IT department.

So, what is the solution? Illuminate shadow IT, and bring it to the surface. Check out next week’s blog for ideas on how to tame shadow IT in your enterprise, and leverage its root causes to transform your business.

© 2020 by Illuminar Consulting, Inc. Proudly created with Wix.com
