When business decision makers decide to circumvent security controls, they are typically trying to gain operational efficiency, not put the organization at risk. But even when done with good intentions, they are creating risk.
A recent study by Code42 found that CEOs are the top perpetrators of shadow IT, even though they know it’s a risk. The study showed that 75 percent of CEOs and more than half (52 percent) of business decision makers (BDMs) admit that they use applications or programs that are not approved by their IT department.
Rick Orloff, VP & CSO at Code42, said this is a prime example of the adage about wanting to have our cake and eat it too.
"They just want to do it their way. These behaviors are possibly an indication that their senior security person is not engaged high enough in the organization," Orloff said.
When the senior security folks are reporting to the CEO or the COO, they have a better understanding of what is happening and can make accommodations in order to allow implementation of tools that can be used correctly, Orloff said. "It's a problem that can be easily avoided if the security decision maker reports to the c-suite."
Of course, the C-suite folks are not the only ones guilty of these security-defeating behaviors. In some cases, it's security practitioners themselves who invite risk, Orloff said. "They download a tool and it turns out that the tool has all kinds of risk with it," Orloff said.
An example of this would be white hat hackers who download a password cracking tool to test the difficulty of passwords in the organization. "Cracking passwords then creates compliance issues," Orloff said, adding that "there is a way to do that without compromising risk, but it has to be thought through quite carefully."
In the case of executives who are engaging in shadow IT, Orloff said, it's likely they don't have good relationships with the security practitioners. But Bay Dynamics co-founder and CTO Ryan Stolte said that for security professionals, self-defeating behaviors are an issue of information overload.
"The pervasive problem that causes them to cut corners is that there’s far too much data about vulnerabilities and threats coming at our security professionals," Stolte points out.
When practitioners feel overwhelmed, they default to trusting their guts. "They trust their experience and assume they can’t trust the data coming in."
Organizations are vulnerable and seemingly being attacked from everywhere. It's easy to get buried under all those alerts, and when practitioners do, "they start falling back on what has worked for them in the past. In the face of insurmountable odds, they fall back on what they know."
Security practitioners who are drowning in noise end up taking the hunter mentality and abandon the data itself. "They spot check it and look for very specific patterns that have been successful in the past," Stolte said.
After the fact, when the organization sends in the forensic experts, they find that the evidence was there; people just didn't see it.