In the Shadows with Slack and Smartsheet

The Dangerous Slope of Shadow IT

Erik Bradley | Jake Fabrizio | May 20, 2021

In this ETR Insights interview, we sit down with the Security Exception Manager for a large financial services enterprise, who handles governance, risk management, and compliance for his company. Amid the current threat landscape, our guest discussed vulnerability management with Rapid7 and shadow IT with Smartsheet, as well as ServiceNow, Netskope, Identity Access vendors and switching from Microsoft to Google. This week we take a deeper look at Smartsheet hiding in the shadows.

As a Security Exception Manager, our guest is no rookie when it comes to shadow IT tools creeping into large organizations without proper onboarding protocols and security practices. When asked about the shadow IT implications surrounding tools like Smartsheet and Slack, our guest says that he runs into these issues every day. Since they are dealing with sensitive financial information, he says that the solution is to “block just about everything.” He adds, “I tried to use Smartsheet but the problem is that you’re sending your data to someone that you may or may not have a relationship with. Slack was very similar to that. Although Slack is still used in our development teams, it’s on a request basis, and the CASB solution is deployed to block all of that.” (Much more on the Netskope CASB solution in the full ETR Insights summary HERE.)

Although very impressed with Smartsheet’s ease of use and functionality, our guest still has misgivings about its ability to protect his organization’s data, especially when the tool enters the organization through a side door opened by individual employees: “It’s a dangerous slope once one of your team uses Smartsheet. It’s such a great tool for functionality that it’s almost like a marketing tool for spreadsheets. But again, you’re putting your data out there and in our line of business, the data is gold for us. That risk can’t be looked at lightly.”

For a financial services organization, our guest’s main concern comes down to protecting sought-after personal financial data. He admits that Smartsheet does have a solid governance policy overall and that it is able to integrate with Cisco’s Duo and other single sign-on tools, but despite those efforts, the vendor ultimately does not satisfy his thresholds for adopting the application within the financial industry. As such, he stressed the need to err on the side of caution: “The problem I ran into with Smartsheet was that there was no way to scan or find out if someone used it for social security numbers or credit card numbers when they weren’t supposed to. For us, finding that data or even just making sure it’s encrypted, we had to pay extra for that. Even though I am doing this security analysis for a billion-dollar organization, that’s not the way they wanted to spend the money.”

ETR Data: Although small organizations remain a weak spot for Smartsheet, and a flattening of spend is visible among Giant Public + Private customers in our survey universe, our APR21 report on Smartsheet shows positive strides in market share, which along with strong customer acquisition rates, creates room for optimism in 2021.

Additional in-depth evaluations on Vulnerability Management vendors like Rapid7, Identity Governance vendors like Sailpoint, Ping & Duo, and CASB strategy with Netskope can all be found in the full interview replay, transcript, and summary HERE.