Building a Shadow IT Policy: What CEOs, CTOs, and CISOs Need to Know

The problem with shadow IT isn’t really the need for new tools, it’s the fact that people use them without IT security teams knowing. This usually happens because they perceive security policies as restrictive and antagonistic toward their productivity. In this way, Shadow IT is a process issue—not a software issue.

Hidden risk is increasingly challenging cybersecurity leaders as digital supply chains grow and more apps are added to the network. Teams rely on file storage apps, task management tools, messaging, and email platforms everyday. One company with hundreds of employees across unlimited channels clouds any leader’s chance of clarity in a hurry in this reality.

So how can leaders encourage employees to involve IT without reducing their autonomy? And more importantly, how can they embrace shadow IT and transform the risk into opportunity? Put simply, the solution to shadow IT relies on people, processes, and technology.

If you are a CEO, CTO, or CISO, or are somehow involved in technology decision making, here’s what you need to know to combat Shadow IT.

For more insights into managing hidden risks, as well as policy and strategy suggestions to protect your expanding digital footprint, download our guide titled “What’s Lurking in Your Environment? How Cyber Leaders Can Address Shadow IT & Hidden Risk”.

Understanding the Shadow IT Issue

First, answer the question: What is shadow IT? Gartner defines it as any IT devices, software, and/or services used in an organization that are outside the ownership or control of IT teams. In other words, it’s the use of hardware, software, or cloud services without the approval of the Information Technology (IT) area, often introducing security and compliance concerns.

Shadow IT can encompass enterprise-grade tools or consumer tech. Some common examples of Shadow IT, only when they’re not officially licensed or sanctioned by the IT department, include:

• Productivity tools like Slack, Trello, or ClickUp
• VOIP tools like Skype
• Google Suite apps like Sheets, Docs, Gmail, or Drive
• File-sharing tools like Dropbox
• Messaging apps like WhatsApp
• Flash drives

It’s important to note that these applications are not inherently dangerous, but only pose a threat when they’re used as a workaround that’s different from the solutions proposed by IT. Imagine a scenario where a work file is too big to send via Gmail (the official company email app), so someone decides to use a personal Dropbox account instead. That’s shadow IT.

Why is Shadow IT a concern for IT and security leaders?

The use of unsanctioned apps creates a shadow digital supply chain—a complex web of unknown cloud applications, user accounts, data, and permissions scattered across the internet that are connected to the enterprise network.

Corporate users have long ago developed a habit of adopting cloud apps and services to assist them in their work, sometimes bypassing IT security policies if they found them to be too restrictive or attempting against productivity. Business units often assume the cloud service provider will take care of security, when in fact it’s the organization’s responsibility. But security can’t protect what they can’t see.

Hidden risk presents a multifaceted challenge for cybersecurity leaders due to its inherent nature of expanding the attack surface and diminishing overall visibility. As employees increasingly turn to unauthorized applications and services, the organization's digital landscape becomes fragmented and difficult to oversee comprehensively. This lack of visibility means security teams may struggle to monitor potential threats effectively, creating vulnerabilities that could be exploited by malicious actors.

The expansion of shadow IT also compromises operational efficiency. With different teams adopting varied tools independently, there's a potential for duplication of efforts, resulting in inefficiencies and increased costs.

Beyond security concerns, hidden risk encompasses issues of regulatory cybersecurity compliance, integration difficulties, and loss of strategic control over IT resources. Addressing the issue goes beyond security protocols; it's about regaining command over the organization's digital landscape, ensuring both security and operational harmony in an increasingly complex technological ecosystem.

How to Build a Better Shadow IT Policy

Reducing the shadow IT risk starts with building a company-wide policy that’s not perceived as restrictive but protective of the network. Incorporating new apps isn't necessarily detrimental to the organization, but they must be addressed appropriately. It’s important that everyone in your organization knows this.

Your shadow IT policy should include the following sections:

• Objective
• Intended audience
• Ownership
• Monitoring and enforcement methodology
• Accountability and employee responsibility
• Allowable scenarios or exceptions

The goal of this policy is twofold: To educate users so they don’t need to turn to shadow IT and to be prepared to act if they do.

The truth is that hidden risks will exist, so you need to be able to discover, list, and classify those assets. To that end, consider the following categories:

1. Sanctioned
2. Authorized (not sanctioned yet irrelevant)
3. Prohibited (not sanctioned and dangerous)

This list should be continuously updated as part of routine security reviews. The next step is to decide what to do with each piece of unsanctioned and prohibited asset. Before making any decisions, try to understand the use case and the reasons why an employee decided to incorporate that technology.

Some useful questions for this discovery process include:

• What business needs, if any, does this asset satisfy?
• Do any of our approved tools already cover that need?
• Is there any other solution that IT could provide?
• What risks does the Shadow IT asset create?
• Does the asset benefit many and outweigh the risks?

Depending on how necessary the asset turns out to be, the IT team will move it to the Authorized list, replace it with an existing function, or discontinue its use.

Why Shadow IT Could Be a Strategic Opportunity

While creating different types of risk and expanding the attack surface, shadow IT can be both a risk and an opportunity for cybersecurity leaders. In fact, it can help you align your technology strategy with your cybersecurity and risk management strategy.

More than 80% of employees are using software applications that haven’t been approved by IT. They do so because they trust that these apps will increase their productivity and efficiency, and ultimately benefit the organization. In this way, Shadow IT provides insight into what tools employees need to achieve their goals.

Rather than applying more restrictive policies, security leaders could leverage shadow IT with appropriate caution to empower the overall business, while significantly reducing the rogue use of applications. To solve this issue, security professionals must bring shadow IT apps into the light and use them as insights to create a more productive workplace.

Once the policy facilitates the detection of unknown apps in use across the network, if the decision is made to keep it, you can ensure it is properly deployed and protected. You can even survey employees periodically on what tools would help them and proactively explore the marketplace in search of opportunities to benefit the organization.

Leveraging Technology to Address Shadow IT

Comprehensive visibility into your digital ecosystem is the only way to detect and combat shadow IT. To find these hidden assets, your teams need tools to monitor and scan your network continuously—but the challenge is finding the right technology. Many monitoring solutions and manual scanning techniques don’t deliver visibility into cloud services, making digital footprint monitoring very difficult.

Effective solutions for detecting shadow IT should provide capabilities for:

• Automatically and proactively searching for shadow IT without needing to rely on manual reporting or asset tracking.
• Providing a view of your attack surface and security posture based on external, objective verification, rather than on tools that deliver a biased, internal view and confirm information you already know.
• Continuously monitoring your entire digital ecosystem to discover hidden assets and cloud instances.
• Visualizing the location of all digital assets broken down by cloud provider, geography, and business unit.
• Analyzing the nature of each shadow IT instance to reveal critical or excessive risk and identify areas of greatest exposure for faster remediation.

Bitsight Attack Surface Analytics makes it easy to discover hidden assets and cloud instances on your network and assess each area of shadow IT for inherent risk to your business. This unique set of tools analyzes externally observable internet traffic to detect areas of unknown risk, delivering crucial information about where cloud assets are located and what risks are associated with them. In addition to highlighting shadow IT lurking in your network, this tool helps your team understand where risk is concentrated, how to prioritize resources, how to consolidate assets, and where to reduce costs.

When it comes to addressing third-party hidden risk, Bitsight Vendor Discovery extends risk monitoring into the far reaches of your vendor network—it captures shadow IT records, including usage of cloud applications or vendors that IT teams are unaware of, and maps network discovery data into standard third-party risk assessment questionnaires. This means increased and immediate visibility into vendor relationships to monitor, either because they're known critical vendors or because they represent shadow IT requiring attention.

What to do About Shadow IT

Once you have a solution for visualizing shadow IT, your next task is to find ways to reduce it. These seven steps can help.

#1 Continuously monitor your cloud to discover hidden risk
As your digital footprint expands, your security teams must constantly monitor the cloud for new instances of shadow IT and bring them into line with your security policies.

#2 Empower employees with the right tools
IT teams must work with employees to better understand what technologies can help improve their workflow and boost their productivity. The use of shadow IT will drastically reduce if employees already have the tools they need.

#3 Leverage security basics
Support your shadow IT policy with basic security measures such as VPNs, multi-factor authentication, encryption, patch management, antivirus technology, and a Zero Trust security model based on the principle of least privilege.

#4 Educate your workforce
Continuous security awareness training can help users understand the potential security risks of each kind of shadow IT, and how those risks extend beyond the corporate network to the connections, devices, and practice of security hygiene in their homes.

#5 Prioritize your remediation efforts
Your tools for visualizing shadow IT should allow you to identify the highest concentrations of risk so you can remediate the most dangerous instances first.

Reporting your progress

Establishing KPIs for measuring and reducing shadow IT will help to ensure —and communicate— steady progress toward a stronger security posture. Regular cyber risk reporting can help fuel your efforts to reduce shadow IT in several important ways.

Reporting for business stakeholders
As they realize that cyber risk is business risk, a majority of corporate boards now expect detailed and regular reporting on the security posture of their companies as well as important third-party relationships. Reporting on shadow IT and efforts to eradicate it will become increasingly important as more high-profile stories emerge about cyberattacks related to unsanctioned use of IT assets.

To provide meaningful information, reports for key stakeholders should summarize efforts in language that can be easily understood by non-technical members of the board. Reporting should also quantify the business and financial impact of risk and exposure related to shadow IT.

Reporting for internal teams
Shadow IT management must eliminate traditional data silos that exist between DevOps, GRC, and IT security teams. By developing reports based on comprehensive data gathered from departments throughout the company, you can more easily increase collaboration and enhance outcomes.

Bitsight provides tools for executive cybersecurity reporting that ensure everyone is on the same page about how to defend against hidden risks like shadow IT and how to best allocate and prioritize budgets to eradicate it. Bitsight’s tools quantify cyber risk in financial terms to clearly communicate the cybersecurity posture of your organization and your supply chain, so you can see how your shadow IT efforts and security programs stack up against peers and use digestible metrics to gain support for your cybersecurity initiatives.

Solving the Shadow IT Dilemma

As technology and IT environments continue to evolve at a blistering pace, shadow IT is bound to remain a significant area of concern. It’s impossible to eradicate it completely—there will always be oversights as businesses grow, merge, or acquire new subsidiaries.

The key to reducing hidden risk is to continuously educate your employees, monitor your digital ecosystem for signs of new shadow IT, and mitigate the threat by bringing it under your security controls.