R16 — Shadow IT
Detection finds it; identity governance prevents it; awareness reduces creation.
What is Shadow IT?
Detection finds it; identity governance prevents it; awareness reduces creation. CISO Game tracks this as R16 in the live risk register, severity 5 (Moderate), category Data.
How does CISO Game model Shadow IT?
Exposure for R16 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products.
Real-world parallel
Shadow IT — employees subscribing to SaaS tools with corporate cards and no security review — is now structural. The control isn't to ban it (you'll lose) but to discover it (CASB, SaaS discovery, SSO mandate for any tool above a data-sensitivity threshold). Modern SaaS sprawl creates downstream risks (R39 SaaS misconfiguration, R12 third-party access) that don't show up in the asset inventory until you're looking for them.
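As an added illustration of the discovery control described above (example code, not part of CISO Game or this page): a small SaaS-discovery pass over constructed proxy log lines that maps destinations to a constructed SaaS catalogue with data-sensitivity tiers, then flags any app at or above the SSO threshold that is not federated behind the corporate IdP. The hostnames, tiers, sanctioned list and log format are all assumptions.

```python
import re

# Constructed sample proxy log lines (not real data): "<timestamp> <user> <host> <bytes>"
PROXY_LOG = """\
2024-05-01T09:12:03Z alice docs.example-crm.com 48211
2024-05-01T09:15:44Z bob app.example-notes.io 1022
2024-05-01T09:20:10Z alice app.example-notes.io 73900
2024-05-01T10:02:51Z carol files.example-share.net 920001
2024-05-01T10:04:00Z dave www.example-news.com 3300
malformed line that the parser must tolerate
2024-05-01T11:30:12Z bob files.example-share.net 15000
"""

# Constructed SaaS catalogue: hostname -> (app name, data-sensitivity tier 1..5);
# in practice this mapping comes from a CASB or SaaS-discovery feed.
SAAS_CATALOG = {
    "docs.example-crm.com": ("ExampleCRM", 4),
    "app.example-notes.io": ("ExampleNotes", 3),
    "files.example-share.net": ("ExampleShare", 5),
}
# Apps already reviewed and federated behind the corporate IdP (constructed).
SSO_ENFORCED = {"ExampleCRM"}

ABOVE = "unsanctioned SaaS at or above sensitivity threshold: mandate SSO or block"
BELOW = "unsanctioned SaaS below threshold: add to inventory and monitor"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def discover_saas(log_text, catalog=SAAS_CATALOG, sso_apps=SSO_ENFORCED, sso_threshold=3):
    """Aggregate per-app SaaS usage from proxy logs and apply the SSO mandate.
    Returns {app: {"users", "bytes", "tier", "sso", "finding"}}; an app with
    tier >= sso_threshold that is not SSO-enforced is a shadow-IT finding."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the report
        _ts, user, host, nbytes = m.groups()
        if host not in catalog:
            continue  # ordinary web traffic, not a catalogued SaaS host
        app, tier = catalog[host]
        entry = report.setdefault(app, {"users": set(), "bytes": 0, "tier": tier,
                                        "sso": app in sso_apps, "finding": None})
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
    for entry in report.values():  # apply the SSO mandate to everything discovered
        if not entry["sso"]:
            entry["finding"] = ABOVE if entry["tier"] >= sso_threshold else BELOW
    return report
```

The threshold is the policy lever: raising it shrinks the set of apps that must be federated, which is the trade-off between SSO coverage and user friction that the paragraph above describes.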
How do security teams mitigate Shadow IT?
The dominant subscore levers for this risk are:
- Detection subscore — weight 40%
- Identity subscore — weight 30%
- Awareness subscore — weight 30%
Which investments mitigate Shadow IT?
Products in CISO Game that reduce exposure to R16:
Which related risks should you also watch?
Risks with similar dominant subscores or shared category — addressing one often helps the others:
- R39 SaaS Security Posture / Tenant Misconfiguration · Data · severity 7
- R18 Audit Failure · Governance · severity 6
- R06 Supply Chain Compromise · External · severity 9
- R07 Zero-Day Exploitation · External · severity 9
Why does Shadow IT matter to a CISO?
Data risk is what shows up in the news and the regulator's letter. Shadow IT compounds with disclosure timing, customer-trust impact, and downstream litigation.
How can you test your mitigation strategy?
Click Play CISO Game free to see R16 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.