A recent survey by the Cloud Security Alliance reveals that nearly three quarters of CISOs (and CISO equivalents) are not fully aware of the IT products and projects in use in their organization, simply because those products are not being implemented (or monitored) by the IT department.
When you think about it, this should not be all that surprising. After all, today’s IT landscape makes it increasingly easy for departments other than IT to acquire, implement and use technology without involving their internal IT department. Many vendors indeed make that ‘flexibility’ part of their sales pitch. Why would Marketing involve IT in selecting a Cloud product that does not require any of the traditional integration points into existing systems?
The danger is obvious, though. What would happen (and who would be blamed) if this Cloud solution proved to be the attack vector through which malware found its way onto the organization’s systems? The IT department will be asked not only to clean up the damage caused by this ‘shadow’ implementation, but also to find ways to secure the application going forward. Naturally, as Security professionals, we would find this situation unfair, to say the least. How can we be expected to secure applications we did not know existed in our environment?
On the other hand, Security pros cannot simply take an “out of sight, out of mind” stance. We are tasked with securing our organization’s IT systems, whether or not those systems make sense to us and whether or not we were consulted before they were adopted.
In short, CISOs need to elbow their way into a lot more internal conversations to avoid being blindsided.