Shadow IT, or the use of technology without departmental approval, has long been an area of concern for tech teams, but remote work has exacerbated the problem and forced organizations to quickly adopt new IT solutions to support their workforce.
High entry barriers, slow acquisition processes and inadequate technology solutions cause organizations to use shadow IT, which leads to data breaches, theft of sensitive information, loss of control over an organization's technology environment, integration challenges and high costs.
"We realized very quickly that we were not set up to support everybody working from home," Korie Seville, technical director at the Defense Information Systems Agency's Hosting and Compute Center, said at GovCIO Media & Research's CyberScape: Insider Threats event Thursday. "But what we also learned is when you are downrange, enterprise IT services don't matter. … If it's not available, you're still going to share intelligence, you're still going to share data with your partners, and you're going to do whatever it takes to keep you alive."
To move at the speed of mission and support military operations efficiently, DISA builds automation into its applications from the start.
"We have to make our applications available and configurable anytime, day or night, across the spectrum of the wars that we fight, and so we're really pushing for a lot of self-service automation," Seville said. "Everything that we do and every system that we create, we're trying to embed and make available, repeatable and auditable processes to deploy applications, deploy systems and infrastructure and to configure those systems and infrastructure so that we're not forcing users to start from ground zero."
Because shadow IT increases the attack surface, Department of State Director of Strategy, Planning, and Budget Kenneth Rogers believes one of the biggest challenges is creating an environment where everyone understands that "cybersecurity is everybody's job."
"It's our data and our systems that we're protecting, and so that education of our user community, understanding the criticality, the importance of protecting data and systems," Rogers said during the event. "These are our high-value assets that we have … everyone's passport and visa information is protected by the State Department, how well are we doing that? That can't just be a top-down thing. It has to be a bottom-up thing. It has to be a cultural thing."
Balancing security risk against the need for a capability, and then getting that capability to customers, is another challenge, one that requires education and changes in organizational culture, according to Customs and Border Protection CISO Scott Davis.
"When they're downrange, doesn't really matter if enterprise IT can or cannot get it. They need it now," Davis said during the event. "So that's where my boss, the CIO for CBP, is pushing all of it, including me from the cyber perspective, to get to yes as quickly as possible. Now, the yes may not be exactly what our users and our customers want. We just have to do an education piece so that they understand why that they don't get X they get Y that it meets at least 80% of their needs or requirements."