What is it?
Security measures that staff creates to manage security to the best of their knowledge and ability, avoiding official security policies and mechanisms that get in the way of their tasks and reduce productivity.
Why is it important?
Shadow security practices reflect the best compromise staff can find between getting their job done and managing the risks to the assets they use. It presents an opportunity for the organization to learn how to maintain both security and productivity.
Why does a business professional need to know this?
Shadow security emerges in organizations where: (1) employees have reasons to comply with security and are motivated to do so, but (2) security mechanisms are not fit to support their work goals. As a result: (3) a significant amount of security mediation takes place at the team level, and (4) employees become isolated from the security division.
Although not compliant with official policy and sometimes not as secure as employees think, shadow security practices reflect a working compromise between security and getting the job done. Its occurrence signals the presence of unusable security mechanisms. These can lead to errors and workarounds that create vulnerabilities, people ignoring security advice, and systemic non-compliance, all of which can act as noise that makes genuine cybersecurity attacks hard to detect in systems.
Security management should not ignore shadow security. Organizations must be able to recognize when, where, and how shadow security practices are created. Once identified they should not be treated as a problem, but rather as an opportunity to identify shortfalls in current security implementations that can be leveraged to provide more effective security solutions.
This can be done by taking the following steps:
- Simplifying compliance with security
- Measuring the effectiveness of security mechanisms after deployment
- Engaging users when designing security solutions
- Leveraging the position of team managers as both a mediator for security and a conduit, providing feedback as to the appropriateness of security solutions in supporting productive tasks
- Giving team managers the responsibility of acting as mediators for security and as a conduit for feedback from users on the impact of security processes on productivity