If shadow IT is a problem with business decision makers, that may be a sign your senior security person isn't engaged at a high enough level.

When business decision makers decide to circumvent security controls, they typically are trying to gain operational efficiency, not put the organization at risk. But even when done with good intentions, they are creating risk.

A recent study by Code42 found that CEOs are the top perpetrators of shadow IT, even though they know it's a risk. The study showed that 75 percent of CEOs and more than half (52 percent) of business decision makers (BDMs) admit that they use applications or programs that are not approved by their IT department.

Rick Orloff, VP & CSO at Code42, said this is a prime example of the adage about wanting to have your cake and eat it too.

"They just want to do it their way. These behaviors are possibly an indication that their senior security person is not engaged high enough in the organization," Orloff said.

When the senior security folks are reporting to the CEO or the COO, they have a better understanding of what is happening and can make accommodations in order to allow implementation of tools that can be used correctly, Orloff said. "It's a problem that can be easily avoided if the security decision maker reports to the c-suite."

Of course, the c-suite folks are not the only ones guilty of these security-defeating behaviors. In some cases, it's security practitioners themselves who invite risk, Orloff said. "They download a tool and it turns out that the tool has all kinds of risk with it," Orloff said. An example of this would be white hat hackers who download a password cracking tool to test the difficulty of passwords in the organization.
"Cracking passwords then creates compliance issues," Orloff said, adding that "there is a way to do that without compromising risk, but it has to be thought through quite carefully."

In the case of executives who are engaging in shadow IT, Orloff said, it's likely they don't have good relationships with the security practitioners.

But Bay Dynamics co-founder and CTO Ryan Stolte said that for security professionals, self-defeating behaviors are an issue of information overload. "The pervasive problem that causes them to cut corners is that there's far too much data about vulnerabilities and threats coming at our security professionals," Stolte points out.

When practitioners feel overwhelmed, they default to trusting their guts. "They trust their experience and assume they can't trust the data coming in." Organizations are vulnerable and seemingly being attacked from everywhere. It's easy to get buried under all those alerts, and when practitioners do, "they start falling back on what has worked for them in the past. In the face of insurmountable odds, they fall back on what they know."

Security practitioners who are drowning in noise end up taking the hunter mentality and abandoning the data itself. "They spot check it and look for very specific patterns that have been successful in the past," Stolte said. After the fact, when they send in the forensic experts, they find that the evidence was there; people just didn't see it.