Shadow IT and the impact on supplier assurance
Shadow IT isn’t what it used to be. It once meant business units buying in IT services without involving IT teams. Today, it’s harder to put a new cloud service on the company credit card. In many cases IT teams now understand the requirement for faster IT services and have responded. But Shadow IT still exists – just in a different form.
New Shadow IT
Shadow IT has expanded beyond the confines of the organization. The term could now just as easily cover a loss of control outside the organization. Since technology dominates the way we do business, most organizations are part of an IT ecosystem that includes suppliers, distributors and customers. Each of these players may have an access point onto the corporate network. Just one breach – in an unsecured Wi-Fi system at a supplier depot, for example – could affect the entire ecosystem by opening a back door onto valuable information further up the supply chain.
Our digital landscape means IT casts an ever-longer shadow over organizations and their supply chains. The cost of a breach amplifies, impacting not just one organization but many. And in multiple ways – from system downtime to reputational damage and even loss of confidence among partners. There is also much greater potential for activity from legitimate IP or email addresses to affect the network, which makes it harder for the central IT team to spot issues. With complex networks of companies working together, it is difficult to put a perimeter around individual systems or even business partners. So protecting the organization requires a different approach.
It comes down to building security into every relationship and every IT connection. Knowing what these are, staying on top of them and providing the right level of controls (access rights, for example) is essential. But acting on this intelligence is a procurement activity just as much as an IT activity. That means IT security should be a key part of any partner agreement. And while the CIO has overall responsibility, various business lines must take responsibility too. They have to recognize that a new business relationship means new security questions to answer.
Conclusion
The evolution of Shadow IT is a product of the rapid expansion of our digital world and the simple fact that no business is an island. Extending IT security rigor to an entire supply chain is never going to be easy. But the organization at the heart of that ecosystem can take control.
With an intelligence-led approach to security, IT will already understand what is required to protect critical data and systems. Using this knowledge, it can then extend internal IT security controls beyond traditional organizational boundaries. The result is like switching the lights on, banishing the shadows and preventing mission-critical IT connections from becoming major security costs.