Alan Brill (firstname.lastname@example.org) is a Senior Managing Director in the Cyber Risk Practice of Kroll, a Division of Duff & Phelps.
One of the challenges facing the compliance community involves what is known as “stealth IT” or “shadow IT,” which refers to cyberactivities within a company that the information technology (IT) team does not know about. Sometimes called “do-it-yourself information technology,” it consists of services that are arranged by units of an organization, set up without the knowledge or approval of the IT or legal departments, and often paid for with employees’ credit cards and reimbursed as an expense account item. These services may include specialized calculations provided through online (cloud) services or remote storage, and in large organizations, they can proliferate and eventually cause problems.
Now consider the challenges that many organizations in both the public and private sectors had to face as the coronavirus pandemic forced them to transition from their office-based operations to a work-from-home environment. The end-state was clear and fixed: on a specific date, the company had to be transitioned to remote work, even for those employees who had never worked from home before. This often gave organizations only a few days, or even a few hours, to prepare.
In that situation, you couldn’t expect IT to develop a formal plan, have it reviewed by everyone, then negotiate with vendors for rapidly needed hardware (laptops, tablet computers, headsets, printers, shredders, etc.) or software following the formal guidelines in place in many companies. Instead, IT teams had to answer this question: “What do I have to do to keep us operating in the new environment on day one of the transition?” Once that was answered, the follow-up question had to be, “How can I carry out those tasks to meet the deadline for having the resources, having them scaled to our environment, and making sure they’ll work on day one?”