[ISN] The security and risk management of shadow IT

http://www.computerworld.com/article/2975024/data-security/the-security-and-risk-management-of-shadow-it.html By Robert C. Covington Computerworld Aug 24, 2015 Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, “Are we surrendering the cyberwar?” Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address. In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT. According to Techopedia, the term “shadow IT” “is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization.” The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department’s perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director. […]