In this Help Net Security interview, Curtis Simpson, CISO and Chief Advocacy Officer at Armis, discusses how CISOs can balance security and innovation while managing the risks of shadow IT. Rather than focusing on restrictive policies, fostering proactive partnerships with business leaders to identify secure alternatives for unsanctioned tools is essential.
Simpson also discusses common misconceptions, security practices, and the role of AI and automation in ensuring asset visibility.
How should CISOs balance security and innovation when it comes to shadow IT?
Rather than taking a restrictive approach, security teams should work closely with business leaders to understand the needs driving shadow IT and identify secure, compliant alternatives. By embracing a model rooted in proactive security, organizations can maintain a strong security posture while allowing employees to innovate safely.
The most effective means to get in front of shadow IT and mitigate most of the potential risks that it can introduce involves regular operational touchpoints with central points of contact within the teams most likely to implement, or most commonly implementing, solutions without involving technology teams.
These touchpoints should be focused on the challenges being faced by business partners like HR, finance, and sales and the potential for the technology organizations (e.g. Office of the CIO, CTO, or CISO) to solve these challenges on their behalf. When positioned from a place of “how can I help” versus “thou must or must not,” technology leaders will allow for true partnerships to be formed and will find opportunities to help business partners while also furthering the technology-related agendas in parallel.
From there, it’s also important that CISOs and CIOs maintain capabilities that enable full visibility into the business landscape, the technologies being used, and in particular, evolutions in such technologies that are introducing unmitigated risks. Employees will always seek out new applications and tools to boost productivity, but these unmanaged assets can introduce risk without proper oversight and controls. This is why CISOs must take a proactive approach and ensure that their teams have real-time visibility into the technology landscape and changes that are increasing the risk to important business capabilities and services.
Achieving this means adopting processes and technology that enable contextual visibility into all assets in the environment and facilitate the ability to identify and prioritize the risks of greatest importance based on the potential for business impact. As shadow IT elements are identified that introduce true risks, CISOs and their teams can then determine how best to mitigate such risks through additional controls or directing the business towards supported solutions that deliver the same business outcomes, and/or enhancing existing capabilities to meet all parties’ requirements.
All of this is not only possible but very much operational in many of today’s operating environments spanning all industries and sizes of organizations.
What are the biggest misconceptions about shadow IT risk among executive leadership?
One of the biggest misconceptions among executives is that shadow IT is a small, contained issue that can be ignored. In reality, most organizations significantly underestimate the scale of unmanaged and unauthorized assets in their environment, simply because they lack a full understanding of what their network contains. Without continuous monitoring, these hidden assets – whether SaaS applications, IoT devices or unsanctioned cloud software – can create major security blind spots.
Another common misconception is that employees will avoid shadow IT simply because it’s against policy. But in reality, employees turn to unsanctioned tools to stay productive, often unaware of the security risks involved. Blocking unauthorized applications outright isn’t always the answer either – it can drive employees to riskier workarounds. Instead, organizations need real-time asset intelligence to monitor and manage shadow IT dynamically, allowing security teams to mitigate risks while allowing innovation.
How do you see AI and automation playing a role in asset visibility and shadow IT management?
AI and automation are transforming asset visibility and shadow IT management by allowing real-time discovery, risk assessments and response. Instead of relying on manual processes, AI continuously scans the entire network – identifying both authorized and unauthorized assets, assessing their risk levels and prioritizing remediation based on potential threats.
AI acts as the brain, analyzing patterns and risks, while automation is the body – immediately flagging issues and enforcing security policies to contain threats before they escalate. This proactive approach ensures that security teams always have a comprehensive, up-to-date view of their attack surface and that they can truly focus employee attention on the work that is least effective and being managed by machines. Often, this means enabling staff to better align with the business on the problems that they’re attempting to solve through risky behaviors and tooling versus chasing down repetitive issue scenarios.
When it comes to shadow IT, AI-driven automation detects and flags unmanaged devices and applications as soon as they appear within the environment. By pulling in rich, contextual intelligence – such as user details, asset classification and network behavior and relationships – AI can help security teams understand not just what’s on their network, but how those assets impact risk. Downstream, and because of the context achieved through the effective use of AI discovery and identification capabilities, automation then ensures swift action: applying policies, quarantining high-risk assets, or triggering alerts in real time can be executed with confidence. This allows IT and security teams to act swiftly and enforce policies without stifling innovation or business resiliency.
Are CISOs too focused on traditional endpoints when the real risk lies in IoT, SaaS sprawl, and cloud assets?
Due to the fact that solutions in information security portfolios have historically been designed around traditional assets and endpoints, it can be common to focus primarily on traditional endpoints. However, the reality is that cyber risk extends far beyond IoT, SaaS sprawl, and cloud assets – all connected assets contribute to an organization’s attack surface and exposures. The modern attack surface has expanded to include both managed and unmanaged assets, virtualized environments and supply chain dependencies, creating a much larger and more complex risk landscape.
Forward-thinking CISOs recognize that security can’t be limited to predefined asset categories – it requires real-time visibility and proactive management of all cyber risk exposures that span all forms of connected assets and the context around them. To stay ahead, organizations must embrace AI-driven security solutions that empower teams to anticipate and counteract emerging tactics, strengthening their defenses before threats materialize.
How should organizations rethink governance in a world where employees constantly adopt new SaaS applications?
Organizations need to shift from rigid governance models to a more dynamic and proactive risk-based approach. In a world increasingly dominated by AI, employees will continue to introduce new SaaS applications to stay productive, meaning eliminating them completely isn’t realistic.
Instead, organizations should focus on establishing regular service-oriented partnerships and cadences with teams and stakeholders that are most likely to positively or negatively affect the security, compliance and privacy risks within an organization. This is in addition to the establishment of modern capabilities that enable continuous, contextual and overarching visibility into their environment.
The most effective security programs begin with the foundational and continuous understanding of the entire organization’s digital ecosystem. From there, security teams can layer on to gain the benefits of a comprehensive security program – proactive and business-oriented threat mapping, threat and impact-based vulnerability prioritization, surgically prioritized mitigation and remediation efforts and beyond. Effective governance is not a ‘set it and forget it’ process. It demands continuous consideration and willingness to adapt.