October 14, 2024 at 09:56PM
The commentary reflects on the challenges of “shadow IT” in the security industry, emphasizing the prevalence of outdated systems (“beige desktops”) running unvetted code. While organizations implement controls, shadow IT persists. The author questions whether the Chief Information Security Officer or the Chief Financial Officer should bear responsibility for this risk, advocating for a balanced approach to innovation and security.
### Meeting Takeaways
1. **Reflections on Early Career**:
– The speaker shares nostalgic reflections on their early career in security, emphasizing the sense of adventure and the valuable lessons learned.
2. **Pervasiveness of ‘Beige Desktops’**:
– The term ‘beige desktop’ symbolizes outdated technology still in use, often running critical code from the past that is unvetted or poorly documented. This situation causes frustration in the industry.
3. **Shadow IT Phenomenon**:
– Despite companies having controls to manage shadow IT, it continues to exist. A discussion revealed a gap between organizations acknowledging shadow IT and actually enforcing the controls meant to manage it, highlighting a paradox in IT security.
4. **Ownership of Risk**:
– The speaker raises the question of who should be responsible for the risks associated with shadow IT. While the CISO traditionally handles security controls, there is uncertainty about whether this risk should also fall under the Chief Financial Officer’s purview due to its potential material impact on the organization.
5. **Origins of Shadow IT**:
– Shadow IT projects are often initiated not from malice but from the need for innovation, speed, or dissatisfaction with existing systems. The culture of “asking for forgiveness, not permission” contributes to the growth of shadow IT.
6. **Need for Safe Innovation**:
– There’s a call for creating environments in organizations that encourage innovation while maintaining security. Businesses should aim to eliminate outdated systems (‘beige desktops’) and adopt technologies that support safe and secure innovation.
7. **Call for Broader Discussion**:
– The speaker expresses interest in further dialogue among the CISO community regarding the responsibilities and management of shadow IT risks.