The Lingering Beige Desktop Paradox

COMMENTARY

When I started out my career in security everything was an adventure — new technologies, new opportunities, and new lessons to learn. Some of those lessons have stayed with me over the years. Simple on the surface, these lessons have had a significant impact and proved valuable over time. Yet, when I look at the wider industry, I often find myself vexed at the current state of affairs. 

The Beige Desktop is Everywhere

The best example of this flustered feeling is the pervasive nature of the beige desktop. We have all seen them in our travels in this industry — those machines that predate many of the technologies that we rely on today. Hardware that soldiers on from the dark recesses of a data center's raised floor. 

You can all see where this is heading. That system is invariably running code written by a summer student long ago, which has now become mission-critical. Code that was not properly commented or documented. An application that has somehow become indispensable to the business. 

How does this keep happening? I’ve often pondered this question. Whenever I bring it up when delivering a talk at a conference, there are always heads nodding in understanding. Those systems that lurk in the shadows of a data center. 

Hard to Get Rid of Shadows

We often hear the term ‘shadow IT’ mentioned. It usually finds its way into conversation with a sense of derision. A few months ago, I was giving a talk at a conference when I asked the audience if they had encountered the beige desktop in their environments. The audience laughed, grimaced, and hung their heads—confirming my thoughts. I paused and then asked how many companies present had controls in place for shadow IT in their environments. Every hand went up. 

I let the question hang in the air for a moment. Then, I asked the audience a follow-up query: “How many of you here have shadow IT in your environments?” There was some hesitation. Eyes darted around nervously. Slowly but surely, all of the hands went up again. 

We had an interesting conversational moment. These companies all had controls in place to guard against shadow IT, yet…it still existed. We had discovered Schrödinger's IT security problem. It simultaneously exists and doesn’t. 

Who Owns the Risk?This begs the question: who truly owns the risk of shadow IT? While the knee-jerk reaction might be to assign this to the chief information security officer, I wonder if that is fair. The CISO puts security controls in place. The CISO ensures that there are policies and procedures around handling the risks presented by shadow IT but it continues on. Is it fair to say the CISO is responsible at that point? Just thinking out loud. Could this risk be more appropriately assigned to the Chief Financial Officer, as it presents a potential material enterprise risk, and thereby falling under the responsibility of the CFO? I would love to see this develop into a broader conversation because, honestly, I’m unsure of the answer and would love the input from the CISO community. 

How We Wound Up Here

Shadow IT rarely, if ever, originates from a place of malice. These projects are quite often built to satisfy the need for innovation. Other examples of why this happens could include the perceived inadequacy of the deployed systems that support development in the enterprise or simply be done out of a need for speed and convenience. 

It’s often easier to ask for forgiveness than permission. While the beige desktop may be a tongue-in-cheek story, it does serve as an example of what happens in environments across the globe. 

Top Dead Center

How do we move toward an enterprise or SMB environment that supports innovation while remaining safe and secure? There is a need to provide visibility and security to deal with tools and projects that may not have been vetted or approved by the IT and Security teams. 

It’s time to move away from the beige desktops and towards a technological engine that empowers businesses to drive innovation safely and securely.