Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
The Lingering 'Beige Desktop' Paradox
Organizations are grappling with the risks of having outdated hardware handling core workloads, mission-critical applications no one knows how to update or maintain, and systems that IT and security teams don't know about.
COMMENTARY
When I began my security career, everything was an adventure — new technologies, new opportunities, and new lessons to learn. Some of those lessons have stayed with me over the years. Simple on the surface, these lessons have had a significant impact and proved valuable over time. Yet, when I look at the wider industry, I often find myself vexed at the current state of affairs.
The Beige Desktop Is Everywhere
The best example of this flustered feeling is the pervasive nature of the "beige desktop." We have all seen them in our industry travels — machines that predate many of the technologies we rely on today. Hardware that soldiers on from the dark recesses of a data center's raised floor.
You can see where this is heading. That system is invariably running code written by a summer student long ago and has now become mission-critical. Code that was not properly commented or documented. An application that has somehow become indispensable to the business.
How does this keep happening? I've often pondered this question. Whenever I bring it up at conferences, heads always nod in understanding. Those systems that lurk in the shadows of a data center.
Hard to Get Rid of Shadows
We often hear the term "shadow IT." It usually finds its way into conversations with a sense of derision. A few months ago, I was giving a talk at a conference when I asked the audience if they had encountered the beige desktop in their environments. The audience laughed, grimaced, and hung their heads — confirming my thoughts. I paused and asked how many companies present had controls in place in their environments for shadow IT. Every hand went up.
I let the question hang in the air for a moment. Then I asked the audience a follow-up query: "How many of you here have shadow IT in your environments?" There was some hesitation. Eyes darted around nervously. Slowly but surely, every hand went up again.
We had an interesting conversational moment. These companies all had controls in place to guard against shadow IT, yet … it still existed. We had discovered Schrödinger's IT security problem. It simultaneously exists and doesn't.
Who Owns the Risk?This begs the question: Who truly owns the risk of shadow IT? While the knee-jerk reaction might be to assign this to the chief information security officer, I wonder if that is fair. The CISO puts security controls in place. The CISO ensures that there are policies and procedures around handling the risks presented by shadow IT. But it continues. Is it fair to say the CISO is responsible at that point? Just thinking out loud. Could this risk be more appropriately assigned to the chief financial officer, as it presents a potential material enterprise risk so thereby is this executive's responsibility? I would love to see this develop into a broader conversation because, honestly, I'm unsure of the answer and would love the input from the CISO community.
How We Wound Up Here
Shadow IT rarely, if ever, originates from a place of malice. These projects are quite often built to satisfy the need for innovation. Other examples of why this happens could include the perceived inadequacy of the deployed systems that support development in the enterprise. Or it simply occurs out of a need for speed and convenience.
It's often easier to ask for forgiveness than permission. While the beige desktop may be a tongue-in-cheek story, it serves as an example of what happens in environments across the globe.
Top Dead Center
How do we move toward an enterprise or SMB environment that supports innovation while remaining safe and secure? There is a need to provide visibility and security to deal with tools and projects that may not have been vetted or approved by the IT and security teams.
It's time to move away from the beige desktops and toward a technological engine that empowers businesses to drive innovation safely and securely.
About the Author
You May Also Like