You’ve heard a lot about Shadow IT risk, but what is it and what should you do about it?
Shadow IT is the set of applications, services, and infrastructure that are developed and managed outside of defined engineering standards. Experts predict that between one-third and one-half of successful cyberattacks this year will be on Shadow resources (data via Gartner, Spin Technologies). With the average cost of a breach at $4.2 million in the US, it is critical to address Shadow IT risk.
While this sounds scary, it’s also important to remember that most Shadow solutions are created with good intentions, and in some cases, there’s legitimate business need for a separately built solution.
Often, teams want to build or buy their own solutions because they can engineer them more affordably or faster themselves, or they have more control over decision making to meet specific needs. These benefits are immediately tangible to teams and often appear to be the right approach. However, the homemade solutions become a risk to the company if teams don’t comply with company standards.
Building a team at Microsoft
Shadow IT can exist in any department or group across the company. At Microsoft, we focused our efforts on addressing Shadow IT within business functions—groups that sit outside of traditional engineering organizations—such as Marketing, Sales, and Human Resources, since they need the most technical support. In 2020, we created a centralized team to address Shadow IT across the company with a focus on Security and Engineering Fundamentals. After two years, we added a workstream for Accessibility as well. While this work is ongoing as we continue to raise the bar on our compliance standards, we’ve made significant progress in all of these areas and learned many lessons along the way.
How to approach Shadow IT in 3 steps
It’s time to get to work, but where should you start? Here are three of the most important steps to take.
Set up the right team
Create and fund a Shadow team within your security department that is fully responsible and accountable for driving your plan forward every day. This team should be sponsored by the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) and supported by both the IT and Finance departments. Ensure that the central Shadow team has dedicated resources to assist with inventory, to drive adoption of engineering tooling, and to provide engineering guidance.