Shadow IT Series: Threat Level vs. Value Potential

Posted inApplication Security, Cyber Security, Information Security, Information Technology

Shadow IT is a problem for many companies. Employees downloading apps and services without the knowledge of your IT department is a huge security risk. Previously, we covered what it is and why it happens. Now it’s time to discuss how to determine the threat level of the apps and services downloaded, as well as the potential value of these items.

In an ideal world, you have a system in place where there isn’t really shadow IT, but instead you have pilot IT. Pilot IT is when you allow people to introduce tools into your ecosystem in a transparent way. Once the tool is introduced and registered, it is scanned and evaluated for security standards and licensing. If everything passes, it can stay.

If you don’t have a pilot program in place, the alternative is to regularly scan all of the systems in your network. Make a list of installs and create a shadow IT list. Then scan through the installs and rely on your endpoint protection. The problem here is that this system will cause you to chase your tail. It perpetuates the negativity around shadow IT and should only be in place while transitioning to pilot IT.

Once you have assessed the potential threat level of an app or service that was installed by an employee, and you determine that it is safe, you then need to determine the value of this tool. Is this something you already provide for your employees but no one can get to it? Is this something you used to provide and took away? Or is this something new that you hadn’t considered? Once you determine the value of the app or service, you can decide if you want to make it a permanent tool for your employees.

The best way to determine the value of a tool is to ask the users. Ask your employees if they find the tool helpful. No product manager or UX designer worth their salt would make decisions isolated from their users. So, if your employees are using tools not provided by you, there has to be a reason. Most people do not intentionally set out to aggravate your security and procurement staff. You must find out why your employees have turned to this tool, where the gaps are. In fact, when you have new proposed tools, ask your employees to try out their options. Ensure that this tool is effective and useful for what they do, and make sure that your process for getting a tool is not overly complicated.

When your employees turn to shadow IT, it’s for a reason. Anything they download can be a suitable candidate for approved business use. You definitely want ease of use to be extended to your employees. When you make their jobs easier, they will be more efficient, happier and you will have higher retention rates and profits. Give your employees what they need, the cost of spending a little extra on a better tool or on securing a tool will often be balanced out by the efficiency of your employees. Efficient employees make for an efficient business, and an efficient business that is secure has a much higher chance of being successful.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans, who have founded or co-founder several companies. PWV experts act as a trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY