Posted on Dec 9, 2020
Balancing information security with employee productivity and systems access often feels like a Sisyphean task. Just as the IT department manages to gain visibility and a semblance of control over the corporate digital ecosystem, employees add new applications to their devices and introduce new integrations and workflows. Often, they add these applications and third-party platforms without telling the IT department, ultimately rolling the security rock back down the mountain and we begin again. With so many employees now working remotely, the IT department’s traditional controls limiting the types of applications employees can use may no longer adequately secure the company’s data. Mapping the organization’s security posture and attack surface means partnering with business units to ensure constant, consistent communication. Teamwork and transparency is necessary to maintain a robust security posture.
Shadow IT and rogue infrastructure risk usually arises within siloed business units who legitimately seek ways to enhance productivity and expand access to information and data. The intent is good, but sometimes the path is not entirely safe. Click-thru terms and conditions on many applications and sites are not only a security risk, but also a legal and business risk. For example, the 2019 report "The Upside of Shadow IT: Productivity Meets IT Security" showed that employees were most likely to use non-approved technologies for the following activities:
Given that these statistics represent a pre-COVID workforce, the rapid acceleration from in-office to remote work means that these are conservative estimates at this point in time. Additional data from the report notes that 80% of IT professionals felt their company needed to be more agile when deploying employee-suggested technology and that 42% felt a more straightforward policy around requesting could enhance compliance.
Fundamentally, with a workforce now sitting outside traditional network boundaries and controls, security professionals need to better accommodate business units’ needs in their IT programs. They need agile communication capabilities that promote giving employees a voice while also mitigating risk and architecting smaller attack surfaces with each new integration.
When employees and business units feel disconnected from IT and security teams, employees are more likely to add new technologies to their devices without discussing the potential cybersecurity risks. In fact, without engaging in a conversation with the IT and security teams, many employees may not know the security risks associated with a given technology.
In “The Upside of Shadow IT,” respondents suggested that straightforward processes for employee technology requests (36%) and training IT staffers on assessing/vetting technologies faster (25%) would make deploying employee-suggested technologies more agile, compliant, and responsive. Empowering people with the right tools that detail the business need while also engaging in basic risk assessments offers IT and security teams a way to create more agile, secure, and compliant technology choices.
Experts continuously discuss the need for organizations to create a “culture of security,” yet they rarely provide actionable suggestions. Platitudes within the industry suggest “starting at the top,” “making security part of the business,” and “ensuring employees understand risk.” Although often well-meaning, these comments do little to create actionable steps for making security an enterprise initiative and instinct.
When security teams provide employees with the opportunity to suggest technologies and new data integrations while also making them responsible for understanding potential risks, we are making security a shared responsibility throughout the organization. Security awareness needs to be more than check-the-box training. It needs to be baked into the organization’s business processes at every stage of development through towards deployment. Remember, we should not be in the business of deploying security features, we should be in the business of deploying features securely.
Security is a team effort that requires close cross-enterprise collaboration. When business units want to add new technologies to the IT stack, they must also be included in the risk assessment process. By creating and using internal risk assessments, business units read and respond to questionnaires and then pass the responses back to the IT department and infosec team.
Engaging in this collaborative process gives all involved parties control and visibility into the potential risks and available mitigations of those risks. Internal risk assessments provide the baseline information necessary for helping IT perform a more detailed and consistent review. For example, as part of the assessment process, the business unit looking to onboard a new vendor should be able to answer:
By engaging directly with the business units, IT and security teams can enable more agile technology adoption across the enterprise. Meanwhile, business units gain greater insight into potential security risks and how to mitigate them.
Internal risk assessments for business units looking to onboard new technologies seek to reinforce security awareness, not engage in deep technical assessments. By answering a few basic intake questions, business units become integral to the analysis of risk and the successful management of security.
At SecurityScorecard, we use our Atlas platform for sending and receiving vendor questionnaires as well as for internal risk assessments. Business units read and respond to custom internal questionnaires highlighting the information that we need to understand for making secure technology decisions. Business units don’t assess the risk, but they provide vital information necessary for security teams.
By working together our security team and business units reduce problems caused by shadow IT. By co-opting our colleagues into the risk assessment process we also increase their awareness. Over time this process ensures that business units view themselves as security champions and makes them more likely to understand risk proactively. Additionally, Atlas automatically compares vendor security findings and issues from our Ratings Platform with vendor questionnaire responses, ensuring appropriate objective, external validation of many potential risks.
In keeping with our mission to make the world a safer place, we’re offering our template for “Internal Risk Assessment for Onboarding New Vendors” as part of SecurityScorecard’s questionnaire template bundle. By leveraging this template, organizations can start moving towards a more collaborative approach to vendor risk management and begin the risk identification process before a vendor is selected and onboarded. Your security team sends the risk assessment template to the relevant internal business unit. By assigning this responsibility early, we have the ability to adequately assess risks and design mitigations.
Our Atlas platform also enables organizations to scale these activities. Within Atlas, security teams can send questionnaires to other departments within the organization so they can answer relevant baseline questions before onboarding a new vendor. If the marketing team, for example, is considering working with a new vendor they can suggest an appropriate data classification based on the kind of data the vendor will be accessing as well as answer questions about the contract, cost, and support. With Atlas’ robust collaboration tools, individuals within the business unit can delegate specific questions to the right people. Sending questionnaires to internal teams also allows the security team to control who can access what, thereby protecting the company’s sensitive data stored in Atlas responses. By maintaining all questionnaire data in the Atlas platform organizations create a single source of documentation across their vendor risk management process.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.