Shadow IT is the bane of existence for CISOs and CIOs. For decades, individuals working in lines of business have been bringing their own technology to work because they’re more comfortable using it than what the company provides.
The trend started with Apple Macintosh computers back in the 1980s, then MacBooks and Bring Your Own Device (BYOD), which is specifically about mobile devices. Since the late 1990s it’s also been easy to procure software and services through SaaS subscriptions. More recently, employees have been bringing in wearables and signing up for cloud services. Just whip out a credit card and voilà.
The biggest cybersecurity issue CISOs face is a lack of visibility into the devices connected to networks. While Mobile Device Management (MDM) arose in response to the BYOD trend, mobile devices are not the only problem. SaaS subscriptions can also be a headache in the absence of governance, security and privacy measures. Users need guardrails that limit the company’s risk, but they also want the freedom to choose their own solutions since they understand their own needs and their department’s needs better than anyone working on a centralized IT or security team.
The shadow IT trend has been somewhat legitimized by the emergence of departmental IT budgets, which are essentially a license to buy what the department needs. CISOs and the security team are often not consulted about purchases, which means they’re probably not aware of them. And, of course, the CISO can’t protect that which is unknown. Hence the need for asset management and CASB tools that help explain the actual ecosystem. Advisory firm CEB estimates that 40% of all IT spending occurs outside the IT department.