
Majority of CEOs Knowingly Raise Risk Level With Their Shadow IT

Despite the increased risk shadow IT poses to security, a majority of CEOs surveyed say they are willing to take the risk, according to a survey released today.

A majority of CEOs are willing to put their organizations at risk by using shadow IT, even though they are well aware of the potential security fallout, according to a report released today by Code42, a cloud-based security company.

The survey of 1,205 IT and business decision makers revealed 75% of CEOs surveyed acknowledge using applications and programs not sanctioned by their IT departments, despite 91% of surveyed CEOs acknowledging this behavior could put their organization at a security risk, the study found.

When the top dog behaves in such a cavalier fashion, it can potentially set the tone for the entire organization, says Rick Orloff, chief security officer for Code42.

If employees see the CEO doing their own thing, it gives them a sense of entitlement and adds to the friction between the security team and employees, who then feel they don't have to comply with policies and best practices, Orloff says.

He added that there is a further impact on the company.

"When CEOs behave this way, then the CISO is not reporting high enough into the organization. CISOs should ideally report into the CEO and not the CIO," says Orloff. "I bring this up because when the CISO reports directly into the CIO, there is an air gap between the CISO and senior leadership. When you remove the air gap, then you don't have the shadow IT."

Without the air gap, a CISO can work with the CEO to find the tools needed to do the job using existing authorized technology, or bring in the right secure tool onto the platform, Orloff explains.


Driving this behavior to use shadow IT is a desire by CEOs and other company executives to put convenience and productivity ahead of security, the study found. This long-held mantra of productivity over security is nothing new when it comes to rank-and-file workers, but for top-level management to knowingly disregard best security practices is somewhat surprising, considering that they recognize there is a risk, and that these executives themselves are increasingly held accountable for security breaches.

Although 83% of surveyed business decision makers are well-aware of the security risks that their actions pose when using shadow IT, they are nonetheless willing to take such action under these circumstances. According to the survey, respondents would:

  • Use an unapproved application or program if it would improve their productivity (65%)
  • Use shadow IT if it would make their lives easier (52%)
  • Use it because the IT department does not understand what is needed to get a job done (27%)

But the figures that surprised Orloff the most were the percentage of CEOs who knew use of shadow IT was a security risk. "I expected it to be around 35% and 40%," he says, versus the 75% and 91% figures in the survey.

The survey also found that business executives tend to be more concerned than IT security executives that a major data breach will happen in the near future. For example, roughly half of both business decision makers and IT leaders say they encountered a security breach in the past 18 months; among those who have not, 88% of company executives, versus 50% of IT decision makers, expect a breach to go public in the next 12 months, the study found.

Business decision makers expecting a public breach within the next 12 months may have more heightened concern than their IT department because they have heard about the sizable breaches hammering companies over the past 18 months and do not understand their own company's security footprint, says Orloff.

Although business executives and IT professionals have a gap when estimating the next breach, their differences are narrower when it comes to the likelihood their companies would face serious repercussions if they lost all their corporate data held on endpoint devices. The survey found that 90% of IT and business executives believe it could be serious to potentially fatal for their organizations, with 88% of IT executives and 83% of business decision makers finding their companies need to shore up their breach recovery abilities in the next year.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
