Even Top U.S. Officials Aren’t Immune to Shadow IT
Shadow IT Risks and How CISOs Can Stop It
How is it that even the most secure, secretive environments fall for one of the most basic cyber security mistakes – shadow IT?
On Mar 24th, 2025, it was reported that Jeffrey Goldberg of The Atlantic was added to a secret group chat on the Signal app, joined by none other than U.S. National Security Adviser Michael Waltz, Secretary of Defense Pete Hegseth, and Vice President JD Vance. The group discussed plans for U.S. military operations in Yemen.
Goldberg shared that he received a connection request from Michael Waltz to join the chat group, which he initially accepted, suspecting it was an attempt by threat actors to target him as part of a social engineering scheme. However, to his surprise, he found himself in a legitimate group chat with top U.S. national security officials.
While there was no “cyber attack” or breach involving threat actors, the real issue at hand appears to be an “insider threat”—specifically, the use of the Signal app as part of shadow IT practices.
As unfortunate as this incident is, it serves as a crucial reminder to cyber security professionals of the risks posed by shadow IT.
What Is Shadow IT and Why Does It Happen?
Shadow IT occurs when employees use private IT solutions – like personal cloud storage, messaging platforms (such as Signal in the case discussed above), or unapproved SaaS tools – all without approval or oversight from their organization’s IT department or security teams.
It often emerges from frustration with official solutions or the desire for quicker, more convenient ways to collaborate and share information. While it may seem like harmless improvisation, shadow IT creates significant security and confidentiality risks for organizations of all sizes.

The Confidentiality Problem with Shadow IT
The most pressing concern surrounding shadow IT is the loss of control over sensitive data.
Information shared through unofficial tools often exists outside the security perimeter of the organization. That data is no longer protected by corporate security measures: it may not be encrypted, properly stored, or monitored for unauthorized access.
Even a well-meaning employee sending sensitive client data over a personal messaging app is unknowingly exposing the company to potential breaches. What makes this particularly dangerous is that the confidentiality risk is subtle – it’s not caused by malicious insiders but by convenience and a lack of awareness.
The Compliance Problem with Shadow IT
Shadow IT also introduces compliance risks. With regulatory frameworks like GDPR, HIPAA, and PCI-DSS enforcing strict requirements for data handling and storage, the use of unauthorized tools can result in regulatory violations, financial penalties, and reputational damage.
Another problem is operational risk: these unofficial services can suddenly shut down, experience security incidents themselves, or become unavailable, leaving business-critical data stranded and inaccessible.
Why CISOs Must Address the Root Causes of Shadow IT
CISOs must understand that shadow IT does not necessarily originate from disobedience, but rather from operational gaps. Employees will choose unofficial tools when they feel existing solutions are inadequate or too restrictive.
Therefore, instead of relying solely on strict enforcement, security leaders should focus on understanding the business units’ needs. Open dialogue with department leaders helps reveal pain points and opportunities for IT to deliver secure but user-friendly alternatives that meet the same needs without compromising security.
How to Detect Shadow IT in Your Organization
Identifying shadow IT requires constant vigilance and the right tools. Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP) tools, network traffic analysis, and endpoint monitoring solutions can help detect unauthorized services being used within the network. Security teams should also routinely scan for unsanctioned cloud accounts or data transfers outside the organization’s approved environment. However, the biggest problem with shadow IT is that it “lives” outside of the organization, which makes it almost undetectable.
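The network traffic analysis mentioned above, as an added example that is not part of the original article: it compares destination hosts in web-proxy logs against a sanctioned list and a catalogue of known SaaS services, then reports who used unsanctioned ones and how much data left. The log format, the `.example` domains and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed allowlist and catalogue; a real deployment would load these
# from the approved-software register and a CASB/SaaS category feed.
SANCTIONED = {"corp-drive.example", "corp-chat.example"}
CATALOGUE = {
    "corp-drive.example": "file storage",
    "corp-chat.example": "messaging",
    "quickshare.example": "file storage",
    "securemsg.example": "messaging",
}

# Constructed proxy log lines: timestamp user destination_host bytes_uploaded
SAMPLE_LOG = """\
2025-03-24T09:01:12Z alice files.corp-drive.example 48211
2025-03-24T09:03:40Z bob api.quickshare.example 7340032
2025-03-24T09:04:02Z bob api.quickshare.example 5242880
2025-03-24T09:10:55Z carol securemsg.example 1820
2025-03-24T09:11:30Z alice notquickshare.example 900
malformed line without enough fields
2025-03-24T09:12:00Z dave API.QuickShare.example. 1024
"""


def match_service(host, domains):
    """Return the catalogue domain that host belongs to, or None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        # Exact or true-subdomain match only; a bare suffix test would
        # wrongly match notquickshare.example against quickshare.example.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_shadow_it(log_text, sanctioned=SANCTIONED, catalogue=CATALOGUE):
    """Summarize traffic to catalogued services that are not sanctioned."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records rather than abort the run
        _, user, host, sent = fields
        service = match_service(host, catalogue)
        if service is None or service in sanctioned:
            continue
        findings[service]["users"].add(user)
        findings[service]["bytes_out"] += int(sent)
    return {s: {"category": catalogue[s], **f} for s, f in findings.items()}
```

Traffic from personal devices or networks never reaches the proxy, so a report like this covers only use from managed infrastructure.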
Building a Strong Security Culture to Prevent Shadow IT
Once shadow IT usage is identified, it’s important to respond with both corrective actions and education rather than punishment.
Education plays a vital role in prevention. Organizations should provide continuous security awareness training that not only explains policies but also illustrates the real-world risks associated with shadow IT.
Employees are more likely to comply when they understand how their choices can expose the company to breaches and regulatory consequences.
Furthermore, policies must be clear, accessible, and regularly updated to reflect changing technologies and business needs. The CISO should champion a culture where security is part of day-to-day decision-making, not an afterthought.
Wrap Up: Turning Shadow IT from a Threat into an Opportunity
Shadow IT will never be completely eradicated, but it can be controlled and minimized through proactive governance, visibility, and a strong security culture. By understanding why it occurs, addressing business needs, and investing in detection and education, CISOs can transform shadow IT from a hidden threat into an opportunity for improved collaboration between business and security teams.
In doing so, organizations protect their most valuable assets, their data and reputation, and position themselves for more secure and agile growth.