Discover how to balance productivity and security in the age of Shadow IT. Learn from CISO Chris Denbigh-White's insights on managing unauthorized tech use.
In a world where innovation and productivity are paramount, the rise of Shadow IT has become an unavoidable reality for many organizations. A recent survey by Next DLP revealed a startling statistic: 73% of security professionals admitted to using unauthorized SaaS applications in the past year. This finding underscores a critical challenge faced by CISOs, developers, engineers, and architects alike — balancing the need for productivity with the inherent security risks of Shadow IT.
Chris Denbigh-White, CISO at Next DLP, offers a refreshing perspective on this dilemma. "The security risk is not knowing what's in use," he explains. Instead of viewing Shadow IT as an insurmountable threat, Denbigh-White advocates for a more nuanced approach.
Understanding the Landscape
According to Denbigh-White, the first step is to gain visibility into what's being used within your organization. "To identify evil, you first need to understand what normal looks like," he quips, borrowing wisdom from the SANS Institute. This includes mapping out SaaS application use and determining whether current practices align with company policies and risk tolerance.
Denbigh-White points out the complexities of the current digital landscape: "We're not talking about IT people having admitted to using malicious online applications or illegal online applications, unsanctioned and risk assessed. And therein lies the risk — in and of themselves, they might not be bad, but they are bad from a data and information security perspective."
He highlights the potential legal implications, particularly concerning data protection regulations like GDPR: "You're violating GDPR if you are doing a transfer of data that isn't sanctioned, that the person who that data relates to hasn't consented to."
Guardrails, Not Roadblocks
Denbigh-White emphasizes the importance of instituting guardrails rather than roadblocks. "Business imperatives always win," he notes. "You stick a roadblock in, and people are like water — they'll find a way around it, often using even less trackable apps."
Instead, he advocates for creating a safe working environment that promotes innovation while maintaining security. "It's our responsibility to put the guardrails in place to promote innovation and business cadence, but like at the bowling alley when we take our kids, we've got those bumpers on each side to bring users back into compliance without impeding productivity."
He adds, "I always say to institute guardrails, not roadblocks, and I emphasize CISOs. And this is what I say to CISOs repeatedly: It is our responsibility, our mandate, to create a safe working environment for our businesses to flourish and thrive."
Education at the Point of Risk
Denbigh-White suggests moving away from traditional, often ineffective training methods when educating employees about Shadow IT risks. "Training someone at the start of the year on a list of dos and don'ts causes people to get repetitive stress from the next, next, next on their mouse," he jokes.
He shares an anecdote about the ineffectiveness of such methods: "I've been in companies where there have been unofficial competitions as to who can complete the awareness training in the fastest time. And we've had people sub 32 seconds for something that should be like an hour of training."
Instead, he recommends educating at the point of risk. This involves implementing systems that guide users towards compliant behavior when using unauthorized tools. "Hey, Chris, you've tried to do this. It looks like you're trying to send data outside the company. You know what you're doing is the wrong way. But guess what? This is the right way," he illustrates.
This approach not only corrects behavior at the moment but also facilitates organic peer-to-peer learning. "Bob has just been trained and knows the right way to do, and can go, 'Hey, actually, there's this new data room...' So you get organic peer-to-peer learning promoted by the guardrails at the point of risk."
Leveraging Technology and Automation
Visibility and control are essential when it comes to managing Shadow IT. Denbigh-White emphasizes the need for tools that provide situational awareness and the ability to act on that information. "If you can't see, you can't act, or if you are acting without proper vision and seeing, then you're like the blind man in the dark room looking for the black cat that isn't there," he muses.
Automation is crucial in this process, helping define and maintain a desired normal state. AI and machine learning can be leveraged to detect deviations from this state and guide users to compliant behavior. Denbigh-White explains, "These bumpers are automated shaped bumpers. So where somebody you define a desired state of normal, and once you understand what that is, and then deviations from that, that's where the automation comes in."
Looking Ahead
As for the future of Shadow IT, particularly with the rapid advancement of AI technologies, Denbigh-White predicts a "great reckoning" on the horizon. "After the initial shiny sheen of AI wears off, I think the true players that are using the tool for what it's meant for will exist," he says.
He adds, "I think the next few years will be end-users and software companies figuring out which is which," referring to the distinction between effective and ineffective AI-powered tools.
In conclusion, the key to effectively managing Shadow IT lies not in trying to eliminate it but embracing its inevitability while implementing innovative, flexible strategies to mitigate risks. By focusing on visibility, education, and automated guardrails, organizations can harness the productivity benefits of Shadow IT while maintaining a secure environment.
Denbigh-White leaves us with a final piece of wisdom: "As my grandma said, there's a reason because we have two ears and one mouth; that's the golden ratio." Managing Shadow IT means listening to your users' needs, providing guidance, and creating an environment where security and innovation coexist harmoniously.
Comments