Early one Monday morning years ago I rolled into work. I dropped my bag on the floor and slumped into my office chair. It spun around slowly to the window and I clutched my coffee, feeling that without it I would be completely lost. After a moment's reflection I spun back around and stabbed at my keyboard with my index finger as if it were something that had just crawled out of a drain.
I placed my cup down on the desk and launched my email client. I was greeted with “Sync pending for this folder”. While it pondered what fresh **** I was to face that Monday it occurred to me that I needed to follow up with one of the business groups about a project of theirs I had overheard people talking about in the coffee shop that morning. It had not crossed my desk in Information Security and I was curious to know more.
My email client finally decided that I was worthy to receive the pile of communiqués that had queued up over the weekend. One caught my eye, which seemed rather fortuitous. It was an email about the project that I had caught wind of earlier. The project was live. Wait, what? I read on. Yes, it was live, and they were sending intellectual property to partner organizations. I sat back in my chair wondering how I had missed this one. Then it hit me: I had been cc'd by accident.
I was heated to say the least. I had the handset for the phone halfway to my ear when it hit me. This was an opportunity. I wanted to puzzle out what had caused them to route around the security team.
This was a skunk works project, pure and simple. I had dealt with shadow IT issues in the past, but this was the first time I paused to ask the question: why? They had gone out of their way to get a project up and running while bypassing controls. This was an opportunity to learn. This team had built an application on a tight timeline, and rather than face the proper gating process they had gone the shadow IT route.
Now, did I shut this project down? Yes, of course. But I learned about some issues that could be fixed. Our team worked with the project management office to ensure that projects were not able to bypass the gating. We worked with the operations, server and even procurement teams to make sure that they were aware of any abnormalities that might pop up.
This was a small example where a project was able to flout process in order to meet its deadlines. The problem was that they put the security of the organization in jeopardy as a result. So, while a shadow IT project can cause no end of trouble, it must be seen as an opportunity to learn. These lessons will help to better secure your enterprise.
Originally posted on Forbes.