Eric Haupt
Return to Archive
Sunday Musing

Sunday Musings Two Silent Infrastructure

Happy Sunday Friends!

Here is 1 quote I’m musing, 2 Ideas, 3 of my favorite things from the week, and 1 question. If you find it useful or interesting, please feel free to forward this along to some friends or others!

One Quote I’m Musing

“Nature does not hurry, yet everything is accomplished.”

-Lao Tzu

I was conversing with some friends about infrastructure this week, and this maxim came to mind. A reminder that addressing small issues and unseen risks doesn’t require rush but steady, mindful progress. By consistently managing what we may otherwise overlook, we build resilience and accomplish our goals

One major point kept coming up: “What does your baseline look like?” It’s an important question because, without a clear understanding of your baseline, you have no idea what’s on your network, where your data is going to and coming from. Knowing your baseline is essential for identifying and controlling the assets that make up your digital environment.

Two of the major items that stood out to me during our discussion were Shadow IT and Zombie IT. These “IT ghosts” can wreak havoc on an organization’s efficiency, undermine red team results, and interfere with compliance requirements. More critically, they can cut deeply into an organization’s bottom line. Failures in managing these invisible threats can lead to fines, losses from cyber attacks, and stunted business growth due to noncompliance. By understanding these issues and communicating their importance across all levels of the organization, we can position ourselves for improved growth and operational efficiency.

What is Shadow IT?

Shadow IT refers to any system, software, or technology used within an organization without the knowledge or approval of the IT department. It’s often born out of necessity—employees want a faster solution, or they need a tool to accomplish a specific task. So, instead of jumping through the hoops of formal requests or waiting on IT approvals, they download that app, sign up for that service, or connect that device themselves.

It’s easy to see why Shadow IT has proliferated in today’s fast-paced workplace. We’re all looking for ways to improve productivity, and sometimes, people feel they don’t have time to wait for formal approvals. However, this “quick fix” mentality introduces significant risks, particularly in a world where data privacy and security are paramount.

What Are the Risks?

The primary risk of Shadow IT is that it opens up unknown vulnerabilities within an organization. When employees install or use unapproved software or devices, IT has no visibility into these assets. This lack of oversight can lead to data breaches, compliance issues, and even internal conflicts over resources.

Imagine a scenario where an employee downloads a cloud-based file-sharing app to collaborate with an external partner, bypassing the company’s approved tools. This could lead to sensitive information being stored on a platform with inadequate security measures, creating a potential breach point. Additionally, since the IT department isn’t aware of this app, it can’t be monitored, updated, or removed, leaving it exposed to exploitation.

Shadow IT can also skew the results of red team exercises. When unauthorized tools or devices exist in the network, it’s like trying to solve a jigsaw puzzle with missing pieces. Red teams can only test and secure what they know about, leaving shadow assets as blind spots in an organization’s defenses.

What is Zombie IT?

Zombie IT is a different beast but just as insidious. It refers to outdated, unused, or unnecessary systems and software that are still connected to the network long after they’ve served their purpose. These could be legacy applications that haven’t been properly shut down, servers that no one remembers exist, or old user accounts that remain active.

Zombie IT often goes unnoticed because, well, it’s out of sight and out of mind. In large organizations, especially, it’s easy for assets to fall through the cracks. However, these forgotten systems can silently consume resources, create security vulnerabilities, and complicate compliance efforts.

What Are the Risks?

The risks of Zombie IT are twofold. First, outdated systems are less likely to receive security updates, making them prime targets for cyber attackers. Imagine if one of these “forgotten” servers was breached—it provides hackers with a backdoor into your network, bypassing modern defenses and compromising sensitive data.

Second, Zombie IT drains resources and impacts efficiency. These systems consume storage, processing power, and network bandwidth, all while providing no real value. For an organization striving to maximize its budget and resources, Zombie IT represents a continuous, invisible financial drain.

Zombie IT also interferes with compliance. Many industries have strict regulations requiring that systems be up-to-date and secure. An old, unmonitored asset may not meet these standards, leading to potential fines and reputational damage.

Comparing the Two: Shadow IT vs. Zombie IT

While Shadow IT and Zombie IT are distinct issues, they share common threads. Both create visibility gaps, making it harder for IT to protect and optimize the organization’s digital environment. Shadow IT introduces unknown elements, while Zombie IT clings to the past, anchoring resources to outdated infrastructure. Together, they can lead to inefficiencies, unnecessary expenses, and increased security risks.

For cybersecurity teams, identifying and managing these hidden threats requires a proactive approach. Both Shadow IT and Zombie IT need to be addressed to ensure a streamlined, secure, and compliant infrastructure.

Mitigating with Appropriate Lifecycle Management

The most effective way to mitigate Shadow and Zombie IT is by implementing strong lifecycle management practices. This involves regularly tracking and documenting all digital assets, as well as conducting thorough network monitoring and routine audits. By consistently evaluating the assets within your organization, you can identify and address Shadow IT, and ensure that old, unused systems (Zombie IT) are promptly retired or replaced.

For Shadow IT, fostering a process where employees feel empowered to request the tools they need (and IT can vet and approve these requests) can minimize the inclination to go rogue. Lifecycle management also ensures that assets are properly managed, updated, and phased out as needed, reducing the chances of assets becoming outdated or forgotten.

Establishing a Communicative Culture

Ultimately, the key to tackling Shadow IT and Zombie IT lies in creating a culture of communication within the organization. Employees should feel comfortable approaching IT when they encounter issues or need a new tool. When people understand that their voices are heard and that their needs can be met without sidestepping policies, they’re less likely to resort to Shadow IT.

This culture of communication doesn’t just involve IT—it requires cross-departmental engagement. Educating non-technical teams about cybersecurity policies, compliance requirements, and the impact of unauthorized assets can foster a collaborative environment where everyone contributes to a secure infrastructure.

Shadow IT and Zombie IT might sound like characters from a horror movie, but in reality, they’re the hidden specters haunting modern organizations. Understanding and addressing these challenges maximize our resources, reduce inefficiencies, and create a more secure environment.

The Stoics taught that every challenge should be met with a calm, rational mind. Marcus Aurelius advised, “The impediment to action advances action. What stands in the way becomes the way.” In other words, obstacles are opportunities for growth.

In cybersecurity, Shadow IT and Zombie IT can feel like constant obstacles. New unauthorized tools keep appearing, and old systems refuse to go away. Instead of reacting emotionally or with frustration, a Stoic approach would encourage leaders to see these as recurring opportunities to refine processes, improve asset management, and engage employees.

For example, each instance of Shadow IT could be seen as a signal that employees need something they’re not currently getting through approved channels. This feedback loop, when approached with a Stoic mindset, provides valuable insight into areas where communication and resource allocation can improve.

Two Ideas From Me

  1. See obstacles as learning and improvement opportunities create an environment that evolves and adapts rather than stagnates.

  2. We cannot control everything; instead, channel the energy into building strong, controllable structures that foster security and resilience

Three Favorite Things From Others

  1. "If you can't measure it, you can't improve it." | Peter Drucker

  1. "The biggest risk is not taking any risk. In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks."| Mark Zuckerberg

  2. "Automation applied to an inefficient operation will magnify the inefficiency."| Bill Gates

One Question

What invisible risks am I tolerating today that, if left unchecked, could grow into tomorrow's visible problems?

Have a wonderful week,

I’ll see you Sunday.
​-e

End of transmission.