Despite years of modernization initiatives, CISOs are still contending with an old-school problem: shadow IT, technology that operates within an enterprise but is not officially sanctioned \u2014 or on the radar of \u2014 the IT department. Unvetted software, services, and equipment can be nightmare fuel for a security team, potentially introducing a lurking host of vulnerabilities, entry points for bad actors, and malware.In fact, it is as big a problem as ever and may even worsen. Consider the figures from research firm Gartner, which found that 41% of employees acquired, modified, or created technology outside of IT\u2019s visibility in 2022 and expects that number to climb to 75% by 2027. Meanwhile, the 2023 shadow IT and project management survey from technology review platform Capterra, found that 57% of small and midsize businesses have had high-impact shadow IT efforts occurring outside the purview of their IT departments.Experts say that a shift in what comprises shadow IT and who is responsible for it is driving such statistics. In the early days, shadow IT might have been an unsanctioned server that a developer set up for skunk works. Later, it was systems implemented by business unit leaders without IT involvement because they favored a particular vendor or application over the one deployed and maintained by IT.Although those earlier forms of shadow IT created risk, the main worries in such examples were additional work and costs that the extra systems added to the organization\u2019s technology bill as well as the inevitable absorption of the shadow systems into the official IT department portfolio.Today, shadow IT is broader and more pervasive, and it\u2019s being brought into the organization by a growing number of employees who are capable of quickly and easily launching tech products and services for their workplace needs without consulting IT or the security team.Shadow IT today is like \u201c10,000 flowers blooming\u201d\u201cShadow IT is back, and it\u2019s back in a big way. But it\u2019s different today. It\u2019s individual employees creating, acquiring, and adapting technology for work. These people have become technologists,\u201d says Chris Mixter, a research vice president with Gartner. \u201cNow shadow IT is like 10,000 flowers blooming. And you can\u2019t stop it. You can\u2019t say to the employees, \u2018Stop doing that,\u2019 because you as security don\u2019t even know what they\u2019re doing.\u201dA mix of tech products and services constitutes shadow IT today. IT can still be comprised of a few unauthorized servers tucked away somewhere, but the ease of operation of modern software means it\u2019s more likely to be made up of more substantial and pervasive technology deployments. Cloud-based and software-as-a-service applications set up by a business unit or even a single employee are common culprits.\u201cCloud has made shadow IT easier to exist because in the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier,\u201d says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at professional services firm PwC.IoT interfaces and undocumented APIs add to the shadow IT dangerOf course, the cloud isn\u2019t the only factor in today\u2019s shadow IT. The ease of deploying internet of things (IoT) components and other endpoint devices also contributes to the problem.Undocumented, non-tracked third-party application programming interfaces (APIs) are another type of shadow IT that has become common within many organizations. A May 2023 report from tech company Cequence Security found that 68% of the organizations analyzed had exposed shadow APIs.The ease of accessing cloud resources is certainly a contributing factor to the proliferation of shadow IT today. \u201cYou have all these things where all you need [to deploy them] is a credit card \u2014 or not, sometimes they\u2019re just free,\u201d says Raffi Jamgotchian, CEO of Triada Networks, an IT and cybersecurity services firm. That ease of access, however, belies the serious risks that shadow IT now presents.Jamgotchian says workers typically don\u2019t know whether or what security layers the applications they\u2019re buying have or whether anything needs to be added to them to make them secure. Then, to make things worse, they\u2019re often putting sensitive data into these applications to get their work done.As a result, these workers are creating entry points that hackers can use to access the enterprise IT environment to launch all sorts of attacks. They\u2019re also exposing proprietary data to leaks and possible theft. And they\u2019re possibly violating data security and privacy regulatory requirements in the process.Shadow IT can increase compliance and regulatory issuesJamgotchian worked with one company fined by a regulatory agency because the apps being used by workers did not adequately secure and archive data as required by law; in that case, the company\u2019s manager had given workers tacit approval to download and work with apps outside IT\u2019s (and, thus, the security department\u2019s) view, which resulted in the compliance violation.Furthermore, experts say shadow IT greatly increases the chances that products and services as well as the vendors selling them are excluded from any due diligence review, as IT and security are excluded from the selection process. \u201cThis is part of the challenge when people are using these applications without asking if they\u2019re from a trusted vendor,\u201d says Joseph Nwankpa, an associate professor of information systems and analytics at Miami University\u2019s Farmer School of Business.The resulting cybersecurity risks are significant. Take the findings from a 2022 report by Cequence Security that noted 5 billion of the 16.7 billion malicious requests observed, or 31%, targeted unknown, unmanaged, and unprotected APIs. Capterra\u2019s 2023 study found that 76% of the responding small and medium-sized businesses reported that shadow IT efforts posed moderate to severe cybersecurity threats to the business.Lack of security review is shadow IT\u2019s biggest problemAnd Gartner found that business technologists, those business unit employees who create and bring in new technologies, are 1.8 times more likely than other employees to behave insecurely across all behaviors.\u201cCloud has made it very easy for everyone to get the tools they want but the really bad thing is there is no security review, so it\u2019s creating an extraordinary risk to most businesses, and many don\u2019t even know it\u2019s happening,\u201d says Candy Alexander, CISO at NeuEon and president of Information Systems Security Association (ISSA) International.To minimize the risks of shadow IT, CISOs need to first understand the scope of the situation within their enterprise. \u201cYou have to be aware of how much it has spread in your company,\u201d says Pierre-Martin Tardif, a cybersecurity professor at Universit\u00e9 de Sherbrooke and a member of the Emerging Trends Working Group with the professional IT governance association ISACA. Technologies such as SaaS management tools, data loss prevention solutions, and scanning capabilities all help identify unsanctioned applications and devices within the enterprise.Look for spending that points to unauthorized technology useJon France, CISO at (ISC)\u00b2, a nonprofit training and certification organization, says he advises CISOs to also work with their organization\u2019s procurement team and finance department to spot spending that could point to shadow IT. He says scanning worker expense reports is particularly useful in uncovering shadow IT because it helps find reimbursement requests for tech spending that is too small to go through the procurement process.France and others say CISOs also need to educate workers on security risks posed by shadow IT, but temper expectations on how well that awareness training will help prevent it, Mixter says. He says most workers know the security risks they\u2019re creating but move forward with their plans anyway: Gartner research shows that 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months.Educate employees about how to onboard new techMixter says workers who deploy shadow IT aren\u2019t malicious in their activities. Rather, they are trying to get their job done more efficiently and looking for tools to help them accomplish that goal. This is why, in addition to awareness training, CISOs should work to empower them by building up their security competence.\u201cCISOs need to shift to competence building, to \u2018Let me help you figure out how to do that safely,\u2019\u201d Mixter says. According to Mixter, that means:Developing guidance targeted at business technologists.Offering options for business technologists to secure their work.Helping business technologists gain relevant security certifications.Integrating cybersecurity solutions into business technologist workflows.Building policies that explicitly cover business technologist activities.\u201cCISOs have to figure out how much security skill they need, understanding that they can\u2019t make everyone into a security specialist so they must determine what is the minimum competency they need,\u201d Mixter says.That work pays off, he adds. Gartner has found that those with training targeted to their technology-related activities are more are 2.5 times more likely to avoid introducing additional cyber risk and more than twice as likely to move faster than those business technologists without such training.