You’ve heard a lot about Shadow IT risk, but what is it and what should you do about it?
Shadow IT is the set of applications, services, and infrastructure that are developed and managed outside of defined engineering standards. Experts predict somewhere between one-third to one-half of successful cyberattacks this year will be on Shadow resources (data via Gartner, Spin Technologies). With the average cost of a breach at $4.2 million in the US, it is critical to address Shadow IT risk.
While this sounds scary, it’s also important to remember that most Shadow solutions are created with good intentions, and in some cases, there’s legitimate business need for a separately built solution.
Often, teams want to build or buy their own solutions because they can engineer them more affordably or faster themselves, or they have more control over decision making to meet specific needs. These benefits are immediately tangible to teams and often appear to be the right approach. However, the homemade solutions become a risk to the company if teams don’t comply with company standards.
Building a team at Microsoft
Shadow IT can exist in any department or group across the company. At Microsoft, we focused our efforts on addressing Shadow IT within business functions—groups that sit outside of traditional engineering organizations—such as Marketing, Sales, and Human Resources, since they need the most technical support. In 2020, we created a centralized team to address Shadow IT across the company with a focus on Security and Engineering Fundamentals. After two years, we added a workstream for Accessibility as well. While this work is ongoing as we continue to raise the bar on our compliance standards, we’ve made significant progress in all of these areas and learned many lessons along the way.
How to approach Shadow IT in 3 steps
It’s time to get to work, but where should you start? Here are three of the most important steps to take.
Set up the right team
Create and fund a Shadow team within your security department that is fully responsible and accountable for driving forward your plan every day. This team should be sponsored by the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) and supported by both the IT and Finance departments. Ensure that the central Shadow team has dedicated resources to assist with inventory, driving engineering tooling adoption, and the ability to provide engineering guidance.
Once the Shadow team is set up, appoint a Directly Responsible Individual (DRI) within each department across the company who will be accountable for their respective division’s security compliance. The DRI will become your security champion and primary point of contact. The Shadow team and the DRIs will work together to empower teams to self-manage their own assets.
Set up standardized reporting
Create a measurement system with a scorecard to provide metric-based, actionable progress reports to teams and leadership. Focus your reports and discussions on the level of risk instead of compliance. This allows you to prioritize work and look past non-compliant areas that have exceptions. It’s also important to note that red metrics on a scorecard are valuable indications of where you have gaps and how to prioritize resources. Once a red metric gets to green, it should be replaced with a new metric or a broader scope so that you can continuously improve your security posture.
Communicating status to the right stakeholders is key. At the beginning of your journey, conduct reviews with executives frequently to build momentum and reinforce accountability. Over time, teams will be empowered to continue this work as a regular part of their business rhythm.
Drive culture change
Foster a culture of security among all employees and vendors who own Shadow assets and services through trainings and customized support. Throughout the ongoing Shadow journey, encourage teams to break down compliance tasks into small, actionable tasks each quarter. By initially addressing the low hanging fruit, you’ll set teams up for early wins and success. Once they achieve these initial goals, they should set new, bigger goals. This means they’ll reset their metrics and KPIs back to a red state, continually expanding their scope and impact over time. At Microsoft, we celebrated teams who “embraced the red.” This allows for candid conversations about what’s causing the red and what support teams need to get to green.
To drive culture change successfully, it’s important to have support from the top down and bottom up. Senior leadership should reinforce your messaging. Meanwhile, your centralized Shadow team should provide customized support and specific guidance to each department about the resources, funding, and skill requirements they’ll need. Finally, remember to show empathy and appreciation for the work that is taking place. This often adds additional scope and creates a big learning opportunity for many employees and leaders.
Once you are ready to reduce your organization’s risk from Shadow IT, you can start putting plans in place to build and fund your centralized Shadow team, create a reporting system to measure and communicate progress, and drive culture change among leaders and employees. At first, your Shadow team will focus on the biggest engineering and security priorities. As your program gains traction, you will be able to empower departments to start managing this line of work on their own. To learn more about Microsoft’s ongoing journey to eliminate Shadow IT, read our Shining a Light on How Microsoft Manages Shadow IT paper. There’s no time like the present to get started!