Mar 21, 2024
Table of contents
For the fast-moving startup community, change is the only constant. This can have profound security implications, especially if that change entails rapid expansion of IT infrastructure and assets. Every new SaaS account or cloud instance could potentially expand a company’s digital attack surface, as well as expose the organization to insider threats. According to one 2022 report, 43% of global organizations admit their cyberattack surface is “spiraling out of control.”
Compounding the challenge for CISOs is the growing problem of shadow IT: the use of unknown (by IT), and therefore unmanaged, assets for work. This can obscure the true size of the attack surface and expose organizations to unquantifiable risks. Gartner predicts that by 2027, 75% of employees will “acquire, modify, or create technology outside IT’s visibility.” That’s up from an estimated 41% in 2022.
Some of the IT security leaders AccessOwl co-founder Philip Eller spoke to are more discouraging of shadow IT than others. But each seems to have their own way of dealing with it.
Why is shadow IT a challenge?
One of the most common shadow IT scenarios is an employee using an unsanctioned SaaS application at work. This is quick and easy for the user and often difficult for IT to spot — especially if the employee uses a personal email account to sign up for the application. And this makes identity and access management (IAM) the frontline in the battle against shadow IT.
So why is shadow IT so damaging for an organization?
Cost is the obvious place to start. As Zepto Head of Infosecurity Mariana Paun says, “If people have various access to tools that they shouldn’t have, there’s a cost associated with that.”
Sometimes these costs can quickly get out of hand. Owkin CISO, Leo Cunningham, says that in a previous role approximately $60,000 was spent over a number of years on shadow IT.
“This could have helped to support the business in terms of the P&L and growth,” he adds.
Security is an obvious second risk associated with shadow IT. If the CISO or IT team doesn’t know what applications or assets employees are using for work, they’re unable to ensure these tools are properly patched, configured and protected with enterprise controls. And they also don’t know how much regulated data is flowing through them.
As Moneytree K.K. Director of Security and IT Sergio Arcos Sebastián says, “With shadow IT, we can’t assess, we can’t protect, and we can’t advise.”
Owkin’s Cunningham points to personally identifiable information (PII) as a particular troublesome area where shadow IT can introduce security and compliance risks.
“I’ve been in cyber 20 years and most start-ups, scale-ups and companies that I’ve worked with haven’t even considered security until a series A to B funding,” he explains. “Or they may have 300 or 400 employees but start to think about security only when a person comes in and says, ‘You have 100 systems you haven’t even checked’”
TSC Security Managing Partner, Dave Anderson, agrees that shadow IT is likely to increase compliance risk.
“One of the things that any company has to do to maintain compliance and just good practice is review their vendors. You need to know what data is going to go there, what security posture they have, how they are treating the data — and then you’re getting into data privacy and data sovereignty,” he explains. “So one of the major challenges with shadow IT is that you don’t get the data; you don’t get the chance to actually do that review. Having the ability to identify those issues quickly is huge.”
A final risk factor with shadow IT is efficiency. Zwift VP IT & Security Fudong Yin argues that different team members may be using apps with overlapping functionalities, which is highly inefficient.
“When I joined the company, we had 180 different tools, for a company of 700 employees. That’s a lot, right?” he says.
Yet not every CISO we spoke to is prioritizing the challenge of shadow IT — highlighting that for many startups, other goals are more important.
“In the current phase of the company, we are prioritizing flexibility and agility over security, so everyone has admin access to their laptop, and even when we decide to disable that, we are going to start with the non-engineers,” Vay Senior Engineering Manager Mehdi Asgari explains.
How to manage a problem like shadow IT
No two organizations are the same. And no two IT and security leaders we spoke to approached tackling shadow IT the same way. Here are some ideas:
Cut your users off:
Zwift’s Yin took the nuclear option. He asked every employee what they were using, drew up a list of approved apps, and then asked the finance team to delete all virtual credit cards linked to tools not on the list. It caused friction with employees but helped the firm to reduce the number of tools in use from 180 to around 80, while saving money and sending a clear zero tolerance message about shadow IT.
“Of course, some people were not happy about it. But it’s not personal; it’s about being professional,” he says. “We just can’t have so many different tools around us … we needed to pick one.”
Engage staff with an open-door policy:
At the other end of the spectrum is Coveo Team Lead R&D Security Defence Jean-Philippe Lachance He admits that shadow IT will always happen, and says that — from a DevOps perspective — it’s better to engage with employees, in order to keep them honest.
“Shadow IT will always exist. How do you fix it? I have no idea. You need to make sure that people, when they have a question, know who to ask. And they also need to feel like if they ask, they won’t get no for an answer. They’ll get help,” he argues.
However, Lachance admits that even in an R&D context, he has had challenges, such as employees creating shadow Kubernetes/AWS infrastructure.
“That’s why creating a good strong software catalog for the stuff that you already own is important. And the issue with the software catalog is to maintain it,” he adds.
Sit back and monitor:
Others share more innovative approaches. Intercom Director of IT Emanuele Sparvoli explains that when he found some shadow IT apps, the company asked all employees to migrate to an established solution. However, he kept the account active with a single seat for the shadow vendor solution, enabling IT to monitor usage and block the logins from anyone still attempting to use it. The cost of maintaining these single user accounts appears to be worth it.
Change approval workflows:
SecurityScorecard CISO Steve Cobb believes that shadow IT was significantly reduced when the firm rolled out Coupa as its financial AP system.
“It has approval routes for every new requisition that comes through or renewal for SaaS tools. So let’s say somebody puts something on their own corporate credit card and tries to get reimbursement. It gets flagged and has to come through for review,” he explains.
“People are not always going to do the right thing, unless you hit them in the wallet.”
Scan for shadow IT:
TSC Security’s Anderson recommends tools that integrate with employees’ Google Workspace and scan for specific vendors and subject line keywords such as “free trial” and “activation.” They would then notify key stakeholders so they can take action, as well as the individual employee. Unlike Cobb’s approach, the benefit of doing things like this is that it also catches employee use of free apps.
“I’m definitely encouraging my customers to do something around this,” he says. “The challenge is, there are free apps out there — so that even if you partner with the finance team, they’re never going to know, because they’re never going to get a bill for it.”
This is by no means an exhaustive list of approaches to tackling the shadow IT conundrum. But it highlights the range of options that startup CISOs have. And there are many more that might be the right fit for your organization — if and when it decides to prioritize security and cost over speed and agility.