Based on insights from Help Net Security's interview with Curtis Simpson, CISO at Armis.
TL;DR
Shadow IT isn’t going away — not because employees are bad actors, but because current workflows, procurement delays, and corporate friction force them into shortcuts. Forward-thinking CISOs know this. Instead of blocking tools and killing morale, they’re embedding themselves into business conversations, showing up as partners, and getting full visibility with the help of AI. Shadow IT isn’t a user problem — it’s a visibility and collaboration problem.
Key Takeaways
- Shadow IT happens when employees try to move faster than IT can keep up.
- Blocking everything just pushes people toward more dangerous workarounds.
- AI and automation give teams full visibility and context on unauthorized assets.
- Proactive governance beats restrictive policies every time.
- Today’s attack surface includes way more than traditional endpoints — ignore IoT, SaaS, and cloud assets at your own risk.
Introduction
There’s a frustrating myth in security that says you can stop Shadow IT with stricter policies. That if you just clamp down harder, employees will comply. That myth has burned a lot of people.
The truth is simpler (and a little uncomfortable): your team’s been using unauthorized tools for years — because they had to.
Shadow IT isn’t about defiance. It’s about people trying to get their work done despite red tape. That means the solution isn’t to play policy cop. It’s to become a partner. And to do that, CISOs need full asset visibility, real-time intelligence, and leadership buy-in.
Curtis Simpson, CISO and Chief Advocacy Officer at Armis, said it well: "When positioned from a place of 'how can I help' versus 'thou must or must not,' technology leaders will allow for true partnerships to be formed."
Why Shadow IT Happens (And Why It Won’t Stop)
If an HR manager needs a tool to automate offer letters and your team’s timeline is 8 weeks out, they’re not going to wait. They’ll grab something off the shelf — maybe a free-tier SaaS platform. And now that app is talking to employee PII, completely invisible to your stack.
Multiply that by finance, sales, ops, and product — each pulling tools that help them move faster. That’s how you end up with dozens (sometimes hundreds) of unsanctioned tools across your environment.
Shadow IT will never fully disappear because:
- Business units don’t always loop in IT during tool selection.
- Procurement cycles are often slower than the business demands.
- Employees aren’t trained to see the risk.
The answer? You stop pretending it’s avoidable and build governance for the world you actually live in.
The Real Risk Isn’t the Tool — It’s the Lack of Visibility
Let’s be clear: the problem isn’t Dropbox or Notion or that one rogue Zapier workflow. It’s that those things are unmanaged.
You can’t secure what you can’t see. And when your monitoring is limited to approved devices and licensed endpoints, you’re blind to:
- IoT devices being brought online without notice
- SaaS tools signed up for with corporate email
- Scripts and automations running in shadow environments
This is where traditional endpoint management breaks down. You need contextual, real-time asset intelligence that:
- Knows what’s on the network — even if it’s new or unauthorized
- Understands relationships between assets and users
- Assesses actual risk — not just existence
Misconceptions Executives Still Hold
There’s a stubborn belief in some executive circles that shadow IT is a fringe issue — a few stragglers using Google Drive or Trello when they shouldn’t. That’s outdated thinking.
The bigger blind spot? Assuming people will stop using unsanctioned tools because it’s “against policy.”
They won’t. They’re trying to stay productive. And if you force them into inefficient workflows or block useful tools, they’ll go underground.
You can’t govern behavior you can’t see.
Governance Needs to Evolve — Not Just Policies
Governance in 2025 means:
- Regular touchpoints with high-risk business units
- Security embedded in solution discussions early — not as gatekeepers, but as partners
- Capability to continuously monitor and assess new assets
Curtis Simpson put it like this: "Effective governance is not a 'set it and forget it' process. It demands continuous consideration and willingness to adapt."
Governance should follow how the business actually operates. Not how you wish it did.
AI and Automation: Asset Visibility Finally Done Right
Real-time scanning. Risk-based prioritization. Automated mitigation. That’s where AI flips the game.
With AI, you're not waiting on agents to report in. You're not chasing endpoints through spreadsheets. You get:
- Continuous asset discovery
- Contextual awareness (who’s using what, how, and why)
- Smart prioritization and automated enforcement
AI becomes the brain — flagging risk, mapping impact. Automation becomes the body — taking action before humans even get involved.
The result? Security teams can focus on strategic problems. Not chasing down spreadsheets and audit logs.
The Expanding Attack Surface: IoT, SaaS, and Cloud Assets
Most orgs are still endpoint-focused. But attacks don’t care about categories.
You’re just as likely to be breached through a:
- Cloud function with too much privilege
- SaaS tool misconfigured by marketing
- HVAC system with default creds on the network
All assets — managed or not, sanctioned or not — are part of your risk posture.
If your tools can’t see them, you’re not secure.
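The three ideas above (asset intelligence that knows what is on the network, understands who owns what, and scores actual risk; continuous discovery with contextual prioritization; and a risk posture that counts cloud functions, SaaS sign-ups and IoT alongside endpoints) reduce to one piece of logic: merge sightings from several telemetry feeds, subtract the sanctioned inventory, rank what is left by context, and route each finding to a conversation rather than a block. The Python below is an added illustration of that reconciliation, not code from the interview, from Armis, or from any product; the feed names, asset names, inventory and risk weights are all constructed for the example.

```python
"""Reconcile observed assets against a sanctioned inventory and rank the rest by risk.

Added illustration, not Armis code. Every feed name, asset name and weight
below is constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed sanctioned inventory: what IT already knows about and approves.
SANCTIONED: Dict[str, Dict[str, str]] = {
    "laptop-hr-01": {"owner": "hr", "kind": "endpoint"},
    "m365-tenant": {"owner": "it", "kind": "saas"},
    "printer-fin-02": {"owner": "finance", "kind": "endpoint"},  # approved but not seen today
}

# Constructed observations from three hypothetical telemetry feeds:
#   network - devices seen on the LAN (DHCP/ARP style), IoT included
#   idp     - SaaS apps reached through corporate SSO or signed up with corporate email
#   cloud   - functions and roles listed from a cloud account
OBSERVED: List[dict] = [
    {"source": "network", "asset": "laptop-hr-01", "owner": "hr", "kind": "endpoint"},
    {"source": "network", "asset": "hvac-ctrl-3", "kind": "iot", "default_creds": True},
    {"source": "idp", "asset": "offer-letter-saas", "owner": "hr", "kind": "saas", "data": ["pii"]},
    {"source": "idp", "asset": "m365-tenant", "owner": "it", "kind": "saas", "data": ["pii"]},
    {"source": "cloud", "asset": "zap-export-fn", "owner": "ops", "kind": "cloud_function",
     "data": ["finance"], "privileged": True},
    # the same cloud function seen again by the network feed: must merge, not double-count
    {"source": "network", "asset": "zap-export-fn", "owner": "ops", "kind": "cloud_function"},
]

# Constructed risk weights: asset class, data handled, and two configuration flags.
KIND_WEIGHT = {"endpoint": 1, "saas": 2, "iot": 3, "cloud_function": 3}
DATA_WEIGHT = {"pii": 4, "finance": 3}


def risk_score(entry: dict) -> int:
    """Score an asset on what it is, what it touches, and how it is configured."""
    score = KIND_WEIGHT.get(entry.get("kind"), 2)
    score += sum(DATA_WEIGHT.get(d, 1) for d in entry.get("data", ()))
    if entry.get("default_creds"):
        score += 6   # still on vendor defaults
    if entry.get("privileged"):
        score += 4   # more permission than its job needs
    if entry.get("owner") is None:
        score += 2   # nobody to call, so nobody to partner with yet
    return score


def merge_observations(observed: List[dict]) -> Dict[str, dict]:
    """Collapse per-feed sightings into one record per asset, unioning what each feed saw."""
    merged: Dict[str, dict] = {}
    for obs in observed:
        entry = merged.setdefault(obs["asset"], {"asset": obs["asset"], "sources": set(), "data": set()})
        entry["sources"].add(obs["source"])
        entry["data"].update(obs.get("data", []))
        for key in ("owner", "kind", "default_creds", "privileged"):
            if obs.get(key) is not None:
                entry[key] = obs[key]
    return merged


def next_step(entry: dict) -> str:
    """Turn a finding into the conversation the article argues for, not a block."""
    if entry.get("owner") is None:
        return "identify the owner from network segment and sign-in data before acting"
    return (f"meet with {entry['owner']}: learn the workflow, then offer a sanctioned "
            f"option or bring this tool under management")


def reconcile(observed: List[dict], sanctioned: Dict[str, dict]) -> Tuple[List[dict], List[str]]:
    """Return (unsanctioned assets sorted by descending risk, sanctioned assets not observed)."""
    merged = merge_observations(observed)
    findings = []
    for name, entry in merged.items():
        if name in sanctioned:
            continue
        entry["score"] = risk_score(entry)
        entry["next_step"] = next_step(entry)
        findings.append(entry)
    findings.sort(key=lambda e: e["score"], reverse=True)  # stable: ties keep discovery order
    unseen = sorted(set(sanctioned) - set(merged))         # approved assets that went quiet
    return findings, unseen


if __name__ == "__main__":
    found, quiet = reconcile(OBSERVED, SANCTIONED)
    for f in found:
        print(f"{f['score']:>2}  {f['asset']:<18} seen_by={sorted(f['sources'])}  {f['next_step']}")
    print("sanctioned but not observed:", quiet)
```

Two design points matter more than the weights. Merging by asset name before scoring is what turns three feeds into "context": the cloud function shows up in both the cloud and network feeds and is still one finding. And the sanctioned-but-unseen list is the other half of visibility, since an approved asset that stops appearing is a gap in the inventory, not a success.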
What Forward-Thinking CISOs Are Actually Doing
They’re not:
- Blocking everything
- Shaming employees
- Building stricter gates
They are:
- Building trust with department heads
- Offering secure alternatives that don’t kill productivity
- Using AI and automation to track changes and trends
- Shifting from “no” to “how can we help?”
It’s working — not because they have bigger budgets, but because they’re solving the real problem: lack of visibility, not bad intent.
FAQ
What is shadow IT?
Shadow IT refers to hardware or software used inside an organization without the knowledge or approval of the central IT department. It often includes SaaS apps, cloud services, or personal devices.
Why is shadow IT dangerous?
It introduces blind spots into your security posture. These assets may handle sensitive data without proper safeguards, making them prime targets for attackers.
Can shadow IT be eliminated?
Not realistically. But it can be managed effectively with proactive governance and full visibility.
How do you get visibility into shadow IT?
Use AI and automation tools that continuously scan your network, assess context, and flag unauthorized tools or assets.
Should employees be punished for using shadow IT?
No. Most use it to be more productive. Punishment backfires — education, visibility, and secure alternatives work better.
Conclusion
Shadow IT is what happens when your processes move slower than your people. The fix isn’t fear or force — it’s trust, tools, and transparency.
The best CISOs know this isn’t about control. It’s about collaboration. It’s about seeing what’s happening and helping teams do it safely. With AI-powered visibility and a willingness to engage, you don’t have to choose between security and innovation.
Call to Action
Want to finally get visibility into what’s actually running in your environment — without playing whack-a-mole with shadow IT?
Book a meeting and let’s talk. We’ll show you what’s possible when security shows up early, often, and informed.