Ep. 18: Shining a Light on Shadow IT
Learn how NeuEon CISO Candy Alexander fights shadow IT with an accurate asset inventory and a grip on business strategy. And why co-host Stephanie Aceves doesn’t believe in discipline. (She’ll explain.) Here’s part 1 of a two-part series on shadow IT and a dangerous incoming threat – shadow AI.
Summary
Any time a worker uses their own IT service, solution, or device and their IT department hasn’t approved it or doesn’t know about it, that’s shadow IT – and it’s a growing problem. The employees generally have good intentions but don’t realize the dangers to the organization. It’s the security team’s job to find out why they’re turning to these outside apps, and provide safe, secure ways to accomplish their goals.
“I think you nailed it when you said…security needs to be in service of the business,” says Tanium’s Stephanie Aceves. “It’s not: Do these 40 things so that we can check this box.”
Host: Stephanie Aceves, senior director of product management, Tanium
Guest: Candy Alexander, CISO and cyber practice lead, NeuEon Inc.
Show notes
For more info on shadow IT and the best ways to keep it in check, explore these articles in Focal Point, Tanium’s award-winning online cyber news magazine, and these other useful resources.
- Shadow IT Is ‘Out of Control’ – Here’s How to Manage the Risk | Focal Point
- 6 Reasons Why People at Your Organization Are Using Shadow IT | Tanium
- What Is Asset Discovery and Inventory? | Focal Point
- With Tanium Asset, You Can Combat Shadow IT by Leveraging Real-Time Data | Tanium
Transcript
The following interview has been edited for clarity.
Stephanie Aceves: Odds are, if you’re like most workers, you’ve broken the rules: Maybe you’ve ignored company policy and used an unapproved app like Trello or Dropbox, used a fitness tracker connected to the business network, or sent work home to your personal email.
Hi, I’m Stephanie Aceves, senior director of product management at Tanium, and today on Let’s Converge, we’re talking shadow IT and its newest, most troubling version, shadow AI.
In the next three years, 75% of employees will have created, altered, or somehow acquired technology that their IT department hasn’t approved and doesn’t know they’re using. That’s according to research from Gartner. And the coming AI revolution is only going to make things worse.
Joining me today to talk about this issue is Candy Alexander, CISO and cyber practice lead at NeuEon Inc., a leading business management consulting firm. In addition to developing and managing corporate security programs, Candy has been elected twice as international president of the Information Systems Security Association, or ISSA, and she’s been a longtime director on their international board. Welcome to the podcast, Candy.
Candy Alexander: Thank you, Stephanie. It’s a pleasure to be here.
Aceves: We’re so excited to have you. So I want to start with the basics. Shadow IT is a growing problem for enterprises, and it takes many different forms. Any time a worker uses an IT service, solution, or device and their IT department hasn’t approved it or doesn’t know about it, that’s shadow IT.
When I started my career, before I was really in cyber, I was an intern at an aerospace company, and I would go on the internet and just download my own versions of Notepad++ or whatever tool you name, without really understanding the risk. I think most people listening have a sense of this problem. But Candy, what are some of the sneakier forms of shadow IT and the products and practices that employees might not even realize are problematic?
Alexander: Some of the sneakier ones – actually I would even say riskier ones – are those that deal with sensitive data. What I mean by that [is]: Everybody knows, I hope, about the common shadow IT uses like Dropbox or Google Drive – [she chuckles] I’ve even found people who have signed up for Google using their company domain and everything else – and that obviously is a concern.
But I think the sneakier or more dangerous uses of shadow IT are those, again, dealing with confidential or sensitive information. And so what does that mean? Let’s face it: When we have our user community and businesses, they just want to get their jobs done. And the best way to do that is through the use of tools. I know that a lot of users find that requesting use of software can be a long and really difficult journey to go through in corporate or enterprise America, and global, for that matter.
So they go out and they try free versions of fill-in-the-blank. Some of the ones I’ve seen most commonly used, believe it or not, are like project management applications – like the Mondays, the Asanas. I mean, I’ve even come into instances of people using their own private personal Microsoft versions of Planboard or whatever, and that’s the most concerning to a CISO – because it’s company data now outside your control.
So to me, those are the sneakier ones, the ones that are for legitimate reasons, and the intentions of use are always good. I think that’s the important thing to really call out is that when employees have or use shadow IT or go outside the parameters of corporate-approved software, they’re doing it with good intentions. And I think that we need to understand as security people that they really try to do the right thing. So again, those are the ones that concern me the most, the [less-understood] use of those applications.
Aceves: Yeah, I love that. And you kind of touched on the risk associated with data loss… sensitive information leaving corporate devices or corporate-managed assets. Is there risk in the other direction, where maybe I as an employee am installing some application and there may be the potential for an attacker to come inward? Is that risk bidirectional, or do you see CISOs typically more concerned about outbound communication or outbound traffic?
Alexander: Well, I think it’s a little of both, right? A lot of security professionals look at it as the outbound, the use of SaaS [software as a service], and things of that nature. But I think you also need to understand that bidirectional problem. If employees have local administrative privileges on their endpoints, they’re going to install things, I promise you. Because they lose the concept that this device they were provisioned is not their device. “It’s my endpoint.” But it’s not your endpoint. It’s yours to use, but you do not have the right to install things.
So that goes to the question that you raised: What about when employees do install applications on their endpoint? It’s very dangerous because there’s no verification that it is a good app. For example, at least with Apple, you have the App Store, and even Google [vets] to some extent with their app store, but at least with Apple, they do vet that significantly.
But even if you go and download an application from the Apple Store that’s been pre-vetted by Apple, that doesn’t mean it’s not risky for your company’s business to use. So as a security group, you might have no idea what is installed, or if it is a somewhat legitimate application, how is it being used?
Where’s the data? Because it’s all about where the ultimate golden egg is. Is it stored within your environment on the endpoint, or is it out there somewhere in the cloud? If it’s on the endpoint, a lot of companies, I promise you, do not back up those endpoints because everybody’s going to cloud computing. So guess what? Now you’ve got a contingency issue.
And I mean, I’m sure we all have those war stories where we have users [saying], “Oh, I downloaded fill-in-the-blank, and I’ve got all this data on my hard drive and my device went kaplooey, and now it’s gone.” And here come the tears and the heartache because that work’s gone. And hopefully it’s not business-critical. So there’s a whole bunch of dangers from that aspect, no matter where the data is, as long as it’s not managed – remember the unmanaged data rule – it’s very dangerous.
Aceves: And I love that you’ve started to talk about where the risk lies, and not having some of that visibility. Can you talk to me about how you advise? I know we have a lot of executives who listen to this podcast, so how would you advise them to maybe start getting a handle on what their current risk exposure is, and where to even start? They might have some type of visibility into what’s going on, but if I’m a new CISO and I’ve inherited maybe a company that is prone to mergers and acquisitions and I just have no idea what’s going on, how do I start?
Alexander: No matter where I go to begin work, whether it’s a project with a client or a new job or whatever, there are a couple of questions I begin with, for the purpose of scoping the risk and the environment. My first questions are: Can I have a topology map? What are the devices used? And then, believe it or not, an org structure, so I know who to blame. [She chuckles] I shouldn’t say blame, that’s wrong. [She and Stephanie laugh.] But who do I go talk to? Because the governance structure needs to reflect the organizational structure. So that’s why I ask for the org chart. But without knowing what the parameters are – and that’s a little bit of the old-school, on-premises computing – or understanding what the SaaS environment is, right? Everybody’s going cloud-native now, but you need to start somewhere in understanding the environment, because if you don’t understand the landscape, then you can’t protect it.
So the first step is to get an idea, a high level of what it looks like from a scope perspective. Are we talking on-prem servers? From an endpoint perspective, are we talking Windows and Macs, or iOS? Is it just Windows from a SaaS environment? Where are those authorized instances? Are you using Microsoft? Are you using Paylocity? What is the realm of that business? So that’s where you need to start, and that way you can begin to understand and build out what that risk profile is.
Aceves: Yeah, absolutely. Now while we’re talking about how executives can start to get a handle on it, can you share a little bit about what you’re starting to see, say, in the wild or with the organizations that you’re working with?
Alexander: Lots of times an organization may not officially support, or the IT group may not have the skill set to support, for example, Apple devices. But the organization also recognizes, for example, that their marketing group or sales group needs iPads. So that’s still a nod, a recognition that that’s a corporate device. So that’s what I mean by owned and supported. So there are differences there, but they’re both sanctioned, they’re all within the realm. Anything outside that is what we would call shadow IT.
So how do you begin discovering what is used in that shadow IT? It’s a couple of approaches: It’s the approach of the old, shall I say, proverbial “people, process, and technology.” And so it’s understanding those different sectors. What have you got there for endpoints? What do you have for servers? Having an asset inventory to identify those is key. And that even includes the cloud, which is of course the most challenging.
Aceves: Yeah, I love that. Something you said in the beginning has kind of stuck with me – that employees want to do the right thing. Right?
Alexander: Mm-hmm.
Aceves: And a lot of times they’re just trying to get their job done and they’re trying to be more efficient. And that really homes in on something: How do we know, if they have local administrative privileges, how they’re going to use them? And the goal is to prohibit them from exposing the company to additional risk but not from doing their job. And this is the age-old tension that we handle in IT, which is: How do you make sure that you have policies in place, whether people policies or the actual technology, that harden the systems and limit the risk but don’t obstruct the business from running as a business and doing the things it needs to do to operate?
Can you share a little bit about how we can really help the end users understand what the risk is or even enforce policies around shadow IT that are not obstructive to their day-to-day? How do we keep them moving at the velocity that they want to be and support them at the same time?
Alexander: It goes back to two things, and the first is: To every golden rule, there is an exception. I think we need to remember that the security controls and requirements that we have, and policy, that those are in fact there for a reason. However, nothing is absolute. And we can’t presume that position of being the “department of no.” That went out in the ’90s, right?
Aceves: Yep.
Alexander: So we need to be more understanding of what the business is trying to accomplish and what their challenges are. So when we have users going to install or use shadow IT, like project management applications… if they’re going to use Monday, Asana, or Riker or whatever, the first question out of my mouth is, well, why? What is it about that application?
So again, I think we just need to step back and understand that as security professionals, we’re there to support the business. We’re not there to be a gatekeeper or (again) the department of no. We are there to support the business. And how can you support the business if you don’t talk to the business?
So I can promise you the clients that I work with… Here’s a little story: I worked for this one account and we reported to the CFO. And so first of all, I got used to really explaining things in business terms. So that was a good exercise. But then he came in, he said, “Listen, I know you’ve got to go talk to so-and-so in R&D, and let me know if you have any problems.” I was like, “Well, that’s kind of an odd way to put things, but sure, I’ll let you know.” So I go and talk with the R&D VP. And I approached it as, “OK, help me understand your business. What are the challenges you are facing?”
So right away, by starting the conversation in that way, it became obvious that I was there to assist him in doing his business, not stopping [him]. Let me understand what your business is, what your challenges are, and let me help you identify a solution that is both safe and secure. Because again, people want to do the right thing. They don’t have the skill set, nor should they, right? That’s why we’re there. So when other security professionals say, well, I’m trying to teach the executives about security, it’s like, why in God’s name would you do that? Does your CFO come to you and say you need to learn how to do whatever? Absolutely not. So why are we doing that to them? We’re putting them in a position to fail.
So I go and say, listen, I bring these skills to the table. Let me work with you to figure out how to make that business happen in a safe and secure manner. Every conversation I have with the business is in that regard, and that immediately establishes a partnership and a collaborative manner to move forward.
So it gets to the point where through that approach, there’s a trust there. I’m now truly the cliché: I’m their trusted adviser in regards to security. And that’s what we’re supposed to be. So once they understand the risks, by me working with them to understand what their use case is, it’s a much easier process. So once I understand that they need to use this project management software, guess what? We’re going to set the parameters around the use and approve it.
Aceves: Yeah, and it’s funny, I have kind of a polarizing view on something that I think triggers a lot of people, but I personally don’t believe in discipline, and I’ll explain. I think that discipline is eventually going to fail at some point. And so until you make the right choice the easiest one – one of my colleagues told me this, and it’s been kind of a philosophy for life since then. Until you make the right choice the easiest one, that is, the path of least resistance. Think of water flowing down a hill. That is how you effect long-standing change. Asking people to kind of walk uphill every day, one day they’re going to get tired and they’re not going to do it. One day, there’s going to be other stuff, there’s going to be too much that they’re trying to manage, and the system will fall apart.
And if we know anything about human psychology, it’s that if it happens once and nothing bad happened, OK, I’m going to keep doing it. And then we start the downhill slope the wrong way.
So I think you nailed it when you said we are almost in service. We are trusted advisers; security needs to be in service of the business. It’s not: Do these 40 things so that we can check this box. It’s: How do you need to run your side of the business? Let me figure out how to put the bumper rails in the way for you so that you can do so safely. I’ve done a lot of education and enablement in the cyber space, and even my family members or strangers I meet on airplanes are fascinated by these things that we in IT think are normal. [She chuckles.]
We see it because we’re in this world every day. I always get asked the question, how do I make sure my information doesn’t get hacked? Well, start with the basics, right? Really start with password management and all that stuff. But how do we get that to a place where – I have my parents on password managers. They still have, God love ’em, like three passwords that they reuse. And so there’s something that has to be done in the technology space to really kind of lure and entice the users, so that they’re getting value out of it, where that then becomes the path of least resistance. I think discipline inevitably will fail at some point, and you run the risk of it failing long-term.
Alexander: Have you ever tried to train an animal?
Aceves: Oh, yeah.
Alexander: Such as a horse or a dog?
Aceves: Not a horse. A dog, yeah.
Alexander: So positive encouragement works best and discipline is a failure because they’ll turn on you. And you can’t have that in a business. You can’t have the business turn on you. And by establishing that rapport, they will come to you proactively. And I’ve had that happen: “Jeez, Candy, we want to go and do this. What do you think?” That’s when you know you’ve succeeded.
Aceves: Yeah, absolutely. Well, Candy, thank you so much. This has been one of my favorite conversations to date.
I’ve been talking with Candy Alexander, CISO and cyber practice lead at NeuEon Inc.
If you’d like to learn more about shadow IT and shadow AI, check out Focal Point, Tanium’s online cyber news magazine. We’ve got links to relevant articles in the show notes, and you can check these out by visiting tanium.com/p.
To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app, and if you like this episode, please give us a five-star rating.
Thank you all for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Candy Alexander
Candy Alexander is chief information security officer (CISO) and cyber practice lead at NeuEon Inc. A seasoned cyber executive, she served two terms as international president of the Information Systems Security Association (ISSA) and was the chief architect for ISSA’s Cyber Security Career Lifecycle. She has also contributed to three of the Cloud Security Alliance’s AI working groups.
Stephanie Aceves
Stephanie is a senior director of product management at Tanium. Prior to this, she was an ethical hacker at Ernst & Young, getting paid to hack into companies in a wide range of industries. Her expertise was in compromising internal corporate networks, and she holds certifications in both forensic examination and penetration testing. Stephanie is also a proud Latina and has made it a personal mission to help minorities be unapologetically themselves in tech. She has awarded an annual scholarship to Latinas pursuing an education in STEM for the last nine years.