Doug Murray, Principal and Chief Information Security Officer (CISO) at Hyundai, explored shadow IT and the dangers it poses to today's organizations during his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Los Angeles on November 9. In his presentation, "Overcoming Shadow IT with Vendor Risk Management," Murray offered insights to help organizations identify shadow IT and resolve this problem.
Shadow IT is a major problem that frequently goes unaddressed. It involves the use of information systems and solutions without organizational approval, and, for many organizations, often exposes myriad cybersecurity risks.
According to Murray, Hyundai initially struggled with shadow IT. However, the organization has developed protocols and systems to ensure all vendor applications are evaluated and audited to minimize risk.
Hyundai now performs comprehensive vendor analysis to ensure effective risk management. The organization allocates time and resources to learn about vendors' security protocols, and by doing so, ensures its vendors prioritize cybersecurity.
Without a comprehensive approach to vendor risk management, an organization puts its sensitive data in danger and risks using applications that expose critical data to cyber threats – something that may increase the organization's susceptibility to cyber-attacks.
"We have to do our due diligence," Murray said. "We have to enable the business, but if the business is creating is risk upon itself, we have to hit the brakes and tell the business to follow specific [security] steps."
Ultimately, transparency plays a key role in eliminating shadow IT. If an organization encourages its staff members to provide insights into all applications that they use, it may be able to reduce cyber risk.
"We created visibility with the business and explained what we can and cannot do," Murray noted.
Hyundai requires vendor applications to undergo extensive testing before they can be deployed across the organization. It also offers recommendations to business leaders to ensure they understand the risks associated with various vendor applications.
"There are many factors that go into vendor risk management. But at the same time, you don't have to make it complicated."
An informed approach to vendor risk management makes a world of difference in any organization. This approach requires deep analysis of vendor applications to ensure an organization can identify cyber risks. CISOs can offer actionable insights into vendor applications to ensure business leaders can make informed decisions about whether to deploy these applications.
A CISO can empower business leaders with actionable insights into vendor applications. That way, a CISO can help business leaders determine whether these applications can simultaneously help an organization achieve its goals and limit cyber risk.
"We would give the business the option to decide between testing and risk acceptance," Murray indicated. "We would give [the business] lots of numbers and allow them to decide."
Vendor risk management may seem complex, so a CISO must do everything possible to ensure that business leaders understand it.
Failure to effectively teach business leaders about vendor risk management may lead to cyberattacks, resulting in long-lasting damage to an organization, its revenues and its brand reputation. Conversely, a CISO who teaches business leaders about vendor risk management can help these leaders secure an organization's sensitive data.
"There are many factors that go into vendor risk management. But at the same time, you don't have to make it complicated," Murray said.
In addition, Murray recommended auditing vendor contractors to ensure a vendor is committed to advanced risk management.
"Vendors are easy to get … and there are lots of benefits to getting them, but we have to put in the proper controls to choose vendors."
If an organization selects a vendor that ignores risk management, this organization faces substantial risk. Comparatively, an organization that finds out whether a vendor prioritizes risk management may be better equipped than others to manage risk both now and in the future.
Although an organization sometimes may face pressure to work with a specific vendor, it is important to remember that there is no shortage of vendor applications that are currently available. Thus, an organization should learn how a vendor secures its applications to make the best-possible decision regarding a vendor.
"Vendors are easy to get … and there are lots of benefits to getting them, but we have to put in the proper controls to choose vendors," Murray stated.
Lastly, when it comes to securing applications, it is better to err on the side of caution. An organization that understands the risks and benefits of vendor applications can select applications that drive increased productivity and efficiency. Meanwhile, this organization can use vendor applications that help reduce the risk of cyberattacks as well.
"We don't want to see any vulnerabilities in our applications," Murray pointed out. "So we're very strict [about security]."
With more than two decades of information security and technology experience, Doug Murray joined Hyundai Autoever America (HAEA) in February, 2015 to lead and mature the information security program. As the Chief Information Security Officer and Principal at HAEA, he is responsible for Hyundai and Kia Motor America, including twenty one other Hyundai and Kia affiliates in the America’s region.
Doug’s information technology career spans multiple industries including aerospace, automotive, financial/banking, insurance, health care, real estate and telecommunications/electric utilities. Besides his extensive experience in information security, his background also includes IT governance, risk and compliance; information systems audit; systems development, network administration/engineering, IT operations and IT infrastructure.
Doug has a Bachelor’s of Science degree in Business/Management Information Systems from Pepperdine University and holds the following designations: CISSP, CISA, CISM, CRISC and PCIP.