External Threat Management

How Security Can Be Effective in a Shadow IT World

In a recent posting on Enterprise Tech, author Alison Diana delves into the positive side of shadow IT while still spelling out the dangers inherent in the practice. In the article she quotes Hank Marquis, research director at Gartner:

"Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It's called innovation. It's happening in the edges where we don't deliver the solutions. You might not agree with it but you should think that way. The people today who are innovating are the people who will take your jobs in 20 or 30 years."

To meet consumer demand for more interaction and higher levels of convenience, customer-facing departments must rapidly feed mobile, web and social channels with endless supplies of web apps, mobile apps, login portals, web forms, etc. Outsourcing is an attractive option when operating under tight release schedules.

Research released by IDG suggests that 28% of IT spend occurs outside the IT department today and this trend is growing at 5% year over year. Information security teams are now in a catch-22 -- incidents may occur outside of their field of vision, yet they must figure out how to be proactive in their remediation. Marquis points out that,

when these shadow IT investments run into technical problems, IT staff get the support phone calls. Often unaware of the implementations, the solutions or services in place, and the integration techniques used, IT then must scramble to address technical, governance, security, and risk issues -- sometimes critical concerns that endanger the entire organization.

The challenge for CISOs is figuring out how to centralize control and keep a watchful eye over what is created. How can a Vulnerability Management team be effective if their application inventory is incomplete? How can incident response be effective when they don't even know what they're looking for? When it comes to breaches, seconds count, and when it comes to vulnerabilities, it only takes one.

In the article in Enterprise Tech, the author describes info sec horror stories such as PHI being leaked because it was transmitted between AWS instances and internal IT over insecure FTP. Similar security compromises stemming from shadow IT may be happening in your environment at this very moment -- but how would you even know?

The answer is DIME: discover, inventory, manage, and enforce policy against your digital footprint. Using a system that continuously and rapidly discovers, inventories, and manages infrastructure components existing outside of IT, and enforces policy against them, CISOs can discover shadow IT installments and centralize policy enforcement along their entire digital footprint.

To learn more about the Enterprise Digital Footprint and how you can get insight into shadow IT operations occurring at your organization, contact us. If you have questions, reach out on Twitter @riskq. For more learning materials and potentially data specific to your industry vertical, please visit our resources page.
