How to Find Shadow IT and Uncover Unknown Apps in Your Organization
Hi, I'm Max Clark. And this is why your IT team hates shadow IT. Okay. What is shadow IT? Shadow IT is applications and infrastructure, tooling, IT systems that somebody in the business has gone out and acquired without the IT team knowing about it.
Speaker 1:Nowadays in the SaaS world it is very easy for another department, another group to go out and say, hey, we need x, y, and z, and it's really cool. And let's just go give them a credit card and start running this tool. And this creates a whole bunch of problems for your IT department. And this is why they hate it so much. Well, first off, your IT department, and if you're in IT, you're gonna probably start nodding your head about this one.
Speaker 1:Your IT department's fundamental job, like the first job, is keeping their IT systems and their infrastructure running, so that way the business can work and the rest of the other departments and teams and things can work and do their job. So if the IT team doesn't know that something is critical (you see where this is going), the IT team doesn't know that something is critical for you to function, they have no awareness of what needs to happen to keep it working for you. Slash, when it goes down and you can't do your job, they're not even paying attention to it to make sure that they can help get it back up and running again. So usually what happens in those situations is IT starts getting phone calls, and it's like, blah blah blah blah, you know, ring ring. Hello? Hello, what's going on? Fill-in-the-blank X isn't working anymore. I don't know, what is X? We've never heard of this tool. What do we do about it? Okay, so that's the first part. Right? Second part is, whether it's inside of the IT team, if it's a separate team within GRC, governance and risk, right, or if you have a separate security infrastructure of a SecOps team or, you know, reporting up to a CSO of some sort: shadow IT, you know, what's the credentials? Who's maintaining the usernames and password, you know, policies? Who's making sure that single sign-on is integrated? Who's checking to make sure that this tool has, you know, is SOC 2 compliant and fits within our compliance mandate requirement? Over in health care, do we have a BSA for HIPAA from this tooling, because it's got patient data in it now? What kind of risk does that create for the organization? Again, see where we're going here. So yeah. Third reason why they hate it: because at some point it becomes critical and it wasn't budgeted for. Or even worse, the worst version of this one: e-discovery, litigation. There's an e-discovery request that comes through: we need all of the data, communication, chat, email, files, whatever it is, related to this topic between this date and this date with these people involved.
Speaker 1:Well, there's this other thing running that is not known about. Now your company is responding to discovery requests that are incomplete. And then when it's discovered it's incomplete, bad things happen. Ask your lawyers, or if you're a lawyer watching this and you're curious about shadow IT and the impact of it on you.
Speaker 1:You know, here's a good one. Right? Ask like you want to look at this. What happens if you respond to a discovery request? You know, HR, employment law and, you know, action.
Speaker 1:Like, well, anything. Like, you know, companies just have stuff going on with them. What happens to you in that process? Is it good or bad for you? That's probably not good.
Speaker 1:Right? Data loss, intellectual property controls, backups. We don't wanna lose our data. Like, all these things. Yeah.
Speaker 1:I get it. Having to go to IT for approval or run some tool or get them to do it, you know, sucks sometimes. I get it. But you have to understand, like, their job is to, like, make sure all these other things are in place and are working. And, oh, by the way, now we have this tool that we have to integrate with this other platform with this other platform over here, and they all have to talk to each other.
Speaker 1:Right? And for each tool that you bring in, it's not just one tool. Right? You know, there's, like, lots of different, like, touch points and spokes and responsibilities and things that come out of it that go into these places. This is why your IT team hates shadow IT.
Speaker 1:And, you know, if you haven't seen it, if you, like, just search, like, why is shadow IT bad? Right? Anyways, if you're an IT team, you're on the IT side of the house or in the security side of the house, what do you do about it? Well, if you're not already running asset and vulnerability management against your devices, that's a good place to start. It'll tell you what's installed everywhere. This is also important for licensing and compliance. That won't show you SaaS tooling, but if you've got a secure web gateway or proxy that has CASB-ish functionality into it, that tool will start showing you, like, here's applications being accessed by our users. And it's all, hey, it's very strange, like, we have all these users now all of a sudden using fill in the blank. Like, why is there a competitive chat tool running inside of our infrastructure when we are using Slack or Microsoft Teams? Like, why is this other tool running? Like, this is very strange.
Speaker 1:Maybe we should figure this thing out. Right? And by the way, you don't have to go out and get a standalone CASB for this thing. You know, if you're SASE curious or SSE curious, you know, if it's SASE, it's supposed to have CASB as an option, and you can profile and you can see these sorts of things and you can then understand it. And again, non-IT people watching this: IT is not the devil. They're here to help you. Their sole job is to make it so that way you can work and do your job. Like, they are a customer service organization and you are their customer. They want to help you. They don't want to get yelled at and creamed because something isn't working. So yeah, when you go tell them that you want to bring x, y, z into the organization, you know, their reaction is gonna be like, oh, man, I gotta manage this. What's involved?
Speaker 1:And how do I take care of it? How do I not get yelled at? How do I secure it? And, like, their heads, maybe they're not responding to you in a, like, a golly gee, you know, this is great kind of response. And maybe they're just like, their bedside manner, you know, could use some improvement.
Speaker 1:But what they're thinking about is the requirement that is going to be placed on them in order for them to service you and for you to be a happy user of this, whatever, application, tool, platform, whatever we want to call it. So don't hate on them because, you know, maybe they're resistant to it. And also don't hate on them if there's a corporate policy that says the company has to use X tool because of Y reasons, so Z, you can't have a competing tool on that platform. And that doesn't give you the license to go out and install it, right? Or in this case, not install it but just use the web platform for it. Anyways, I'm Max Clark. That's why your IT team hates shadow IT and why it is a bad word. You know, you've got a good story about shadow IT and something blowing up as a result of it. Comment below. I'd love to read it. I'd love to hear about it.
Speaker 1:If you have questions, give me a call. Send me an email. I hope this helps you. I'm Max Clark. Have a great day.