Charlie Livingston talks shadow IT: 'We need to change to a collaborative model.'

Many organizations have rules prohibiting the use of shadow IT. But employees are still finding ways to use tools that help them complete their work more efficiently, if occasionally less securely. So what’s the secret sauce to getting users to be more mindful about security?

According to Charlie Livingston, head of infrastructure and security at financial wellbeing platform Wagestream, it’s important to position IT as the go-to partner who works to make employees’ jobs easier – and more secure.

Livingston recently shared with 1Password’s Michael “Roo” Fey on the Random but Memorable podcast his insights into how IT and employees can be more collaborative to manage the challenges surrounding shadow IT.

Read the interview highlights below or listen to the full episode wherever you like to listen to podcasts.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Michael Fey Can you give us an overview of Wagestream?

Charlie Livingston: Wagestream is a company founded in the UK. All the funding came from five really great charities. Our goal is to provide fair financial services to every frontline worker.

What that means is we have the unique position of being tied to employees’ pay. So we’re able to offer very good financial services to people who typically aren’t eligible for these things.

There’s this thing we look at, which is the poverty premium, and there is a cost to not making a lot of money. You pay more for credit products, you don’t get good rates on your mortgages, on your car payments, on your credit cards. Wagestream is built from the ground up to battle that and to make finance fair for everyone.

MF: Shadow IT is a relatively recent focus for a lot of companies. What’s your definition of shadow IT?

CL: Shadow IT is really just anything that’s being done outside of the core IT team. It’s the temptation to just go: “Oh, I’m going to go and use this SaaS product, or I need to build my own little database for a little side project and I don’t want to involve IT.”

The concern in bigger companies and in companies that I’ve worked at in the past is: “I don’t want to talk to IT because they’re a monolith and it’s going to quadruple the budget for this project. It’s going to take six months and they’re probably going to screw it up.”

“Shadow IT is really just anything that’s being done outside of the core IT team."

Whereas in a company like Wagestream, it’s a lot more innocent. Someone might think: “Oh, IT is so busy, I don’t want to bother them. It’s just a small project. I’ll just do it.”

MF: How do you approach that “I won’t bother them” mindset and explain the risks of shadow IT to your company?

CL: I don’t know if you’ve heard the term Hanlon’s razor before but it basically means: Don’t attribute to malice what you can attribute to stupidity – or rather, misplaced good intention.

In an organization like Wagestream, shadow IT is never somebody being malicious and saying: “Oh, I want to sneak this under the radar from IT.” It’s misplaced good intention. “Oh, IT’s too busy. I’m not important enough. What I’m doing isn’t important enough to bother IT.”

There are two points about shadow IT and Wagestream from a security standpoint. The first is the SaaS spend and a lot of people saying: “Oh, I just need a little tool in my browser to do text-to-speech.” It costs $10 a month. That’s not a big deal but across 200 employees and 20 different platforms, it gets really expensive, really quick.

The second point is dealing with: “What is that browser tool actually reading? Have you read the terms of service? Is it really cheap? Oh, it’s a free tool. Okay, well why is it free? What data are they selling?”

MF: Do you have any shadow IT horror stories to share with us?

CL: At one of the large companies I worked at, I remember finding out that one of the main employee training databases – which recorded all of the scores for every employee who’d gone through training on any course – was stored on a computer under somebody’s desk at home.

We didn’t know it until the power went out at that guy’s house and we couldn’t run our compliance reports for two days.

MF: Whoa, that’s a good one!

CL: It was a small project. Somebody just said: “Oh, I’m going to test this out.” And it just kept growing and growing and growing into this big production thing that everybody used over many years.

Shadow IT is often unchecked over time. A lot of it is good-natured, it’s not bad intention. But it just grows into this time bomb that’s waiting to go off. There are so many dark corners of large corporations that are run on an Excel spreadsheet that nobody, except for one person from 1994, knows how it works.

“A lot of it is good-natured, it’s not bad intention. But it just grows into this time bomb that’s waiting to go off."

MF: You mentioned that shadow IT within Wagestream is usually good-natured. Still, what’s your approach to managing and mitigating it?

CL: It’s the carrot versus the stick. I am continually horrified by the security industry at large, and how adversarial a lot of blog and social media posts are about user.

They’ll say things like: “Oh, your users are stupid. How dare you trust your users with this or that. They’re just going to go out and break it.” And I’m like, “If you can’t trust the people you’re working with, who can you trust?”

We need to change to a collaborative model. When I talk to everybody in the company as Mr. Security Guy, I’m like: “I’m here to work with you. I’m here to make your job easier. I’m here to give you the tools you need to do your job securely,” and they get the hell out of my way. If I’m stopping you from doing something, I’m not an asset to the company. I’m a detriment to the company and I may as well just leave and go somewhere else.

“If I’m stopping you from doing something, I’m not an asset to the company."

When people have problems or do something and realize, “Oh wait, maybe I should talk to IT about it,” they’re way happier to go: “Hey, we’re doing this. What do you think?” Versus, “I have to trudge to the IT department. I have to talk to them. I don’t want to do it. It’s going to be such a problem. They’re going to make me fill out 10 forms.”

I’m just like: “Hey, how can I help?”

MF: Have you seen a transition from, “Hey, we’re trying to do this. How would we do this well?” to, “Hey, we’re trying to do this and we think this is the right approach. Are we thinking about this the right way?"

If people are showing up with solutions and thinking about security, that can be a huge lift for the IT department.

CL: That’s the dream, isn’t it?

It happens every day at Wagestream. We have this fantastic internal RFC (Request For Comments) process. When we’re talking about platform changes and designing new features, we’ll build a Wiki article and write an RFC. Everybody then gets to comment on it.

We get comments from our engineering team and our product design teams and even people in customer service saying: “Hey, have you thought about this angle? Or, “How does this affect security?” Or, my favorite question every time is: “What type of encryption are we using for this?”

I’m like: “Yes, my job here is complete.”

MF: At work, there needs to be a balance between flexibility and staying secure. How do you think that that balance is being executed, both in the industry and at Wagestream?

CL: I’ll start with the industry. There are so many good, alternative voices in the security industry that aren’t saying: “All your users are idiots. You can’t trust anybody.” I’m really seeing a sea change in the industry and it’s heartening.

Mindful IT, mindful security, security that involves the human factor.

If you respect your users and the people you’re working with and if you’re hiring the right people, everybody should have the best intentions in mind. Instead of designing adversarial systems, you’re building guardrails so people can do things safely and confidently. It’s so much easier.

“Instead of designing adversarial systems, you’re building guardrails."

That’s the way we’ve been doing things in Wagestream, building guardrails, policies, and a collaborative framework that allows people to do their jobs and understand that they can do them safely and the right way.

MF: Is that guardrails concept your recommendation for any company that’s concerned about shadow IT?

CL: It depends on your threat model. But from almost every example of shadow IT I’ve seen, it isn’t a failure of your controls. It’s a failure of your relationship with your users.

If your users are resorting to shadow IT, it means there’s a breakdown somewhere in the process. They didn’t want to deal with IT, or weren’t able to, or didn’t know how to.

MF: Where can people go to find out more about you or check out Wagestream?

CL: Definitely check out wagestream.com and find us on LinkedIn. If you have interest in our community mission and want to see some of the research on how Wagestream really benefits employees, I suggest you look up the research on financial inclusion and the impact we’ve had.

Personally, I’m a business social media recluse. You can find me on X (formerly Twitter) and LinkedIn.

Jenn Marshall

Contributing Writer