Shadow IT. A common cyber security term for the use of unauthorized software applications.
An issue of unapproved software use, characterized by little review, oversight, or security control. Normally found in the crusty corners of accounting, HR, devops, or anywhere really, even IT. Apps that connect to unsafe remote hosts, or that save data in unsafe ways. Or those commercial apps out there, unknown to anyone else, purchased with a long-departed employee's personal credit card and lurking for years on an out-of-date version that's never been patched.
Rightfully, a real risk to organizations. Sometimes even a real threat. But, conversely, it allows users to do real work.
But what is the process when cyber security teams discover shadow IT, want to enforce standards around a given business use case, and there are no approved alternatives?
Agree or disagree with Burnham himself, Law #10 of Burnham’s Laws might provide some guidance.
“If there's no alternative, there's no problem.”
Take a deep breath and soak in that law. There is a simple wisdom to it that extends far into other cyber issues beyond shadow IT. It's a sound basis for short-term exceptions in all but the most egregious situations.
But there is also a work item for the cyber security team in that law. Dealing with their own shadow. Their own spectre. Their own possible inflexibility.
Before your team can complain about that standard being broken by some team's shadow IT, it's your team's job to find, or delegate finding, an approved alternative. One that reasonably meets that shadow IT user's same business requirements.
Then the business unit's shadow IT rightfully becomes a problem.
Until then, Burnham's Law tells us it isn't a problem. The business unit using the shadow IT and their execs likely won't see it as a problem until that alternative is available, either.
The onus is on you.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.