What’s shadow IT and why is it a menace to mortgage lender safety?

The thought of shadow IT raises goosebumps for some executives overseeing lender IT departments. 

“Shadow IT is an absolute nightmare,” said Arnel Manalo, CISO at Seattle-based Evergreen Home Loans. “The thought of it keeps me up at night because you don’t know who’s sending data where or who’s doing what.”

Shadow IT, a term which rose to prominence in the past decade, is defined as a tool or process brought in-house without the blessings of an IT department.

Tech executives say that improperly incorporating shadow tools can result in breaches and leaked personal identifiable information. These tools also run the risk of being non-compliant with regulations and mirroring solutions that are already approved by a lender, creating financial waste.

But this sentiment of fear is not shared by all. Other CIOs and stakeholders in the mortgage industry see shadow IT as a way to propel innovation at origination shops, and that such tools should be quickly integrated into lenders’ mainframes instead of stifled. 

A persistent nuisance

Shadow IT came to prominence with the rise of software as a service (SAAS), or cloud-based services. Although it varies by organization, sales and marketing departments are frequently dinged for downloading shadow tools, IT professionals say.

“It’s not new, it’s been something we’ve all been dealing with for years,” said Michele Buschman, chief information officer at California-based American Pacific Mortgage. “It’s not that we want to stop the business from being able to be agile and move fast, but there are challenges with that.” 

The main worry for most IT departments is the increased likelihood of a data breach. Shadow tools can create “unintentional backdoors” for perpetrators, said Paul Guthrie, information security officer at cloud-based banking platform Blend.

“Just purchasing a database or a service on the internet is easy,” said Guthrie. “The hard part is integrating and managing it in a secure way over a period of time, and if you’re missing security controls, the likelihood is far greater that a breach can occur.” 

During his time as a consultant, which spanned almost two decades, Guthrie observed many breaches that resulted from departments purchasing externally facing databases without the IT department’s knowledge. “No security department would ever be OK with that, and it’s the lack of maintaining security controls that makes shadow IT dangerous,” said Guthrie.

Improperly integrating solutions with a lender’s mainframe can also be a problem, especially when security procedures are bypassed. 

“There are situations where departments say ‘hey we have a server here and a vendor sent us this thing and we just plugged it into our network,'” said Manalo. “This could create a pivot point for hackers.”

And while a data breach occurring is bad for a lender internally, the reputational impact is even worse, said Manalo.

“Shadow IT is definitely something that could lead to borrower information getting out, which could lead to financial penalties for a lender,” Manalo said. “You get a red mark on your audit for that state or location, so it definitely is a risky thing and the entire market needs to take a pause and really look at how they’re handling data.”

To address the problem, IT departments are implementing “robust vendor management practices,” said Buschman.

“Before signing a contract, we have to make sure we’re first evaluating that the application meets all of our security requirements,” she said. “During negotiations we’re able to negotiate who’s responsible for patching, and who’s responsible in the event of a breach.”

The other side of the coin: agility and innovation
Despite the many risks, there’s a reason why some lending shops continue to use this ad hoc approach to the internal use of new softwares. 

“I see a lot of value in shadow IT, and that’s crazy for an IT person to say,” said one CIO who asked to speak anonymously because of company guidelines. “With partnership’s there’s true value, and frankly, I’ll complain and say that we don’t have enough shadow IT at my company.”

Some departments leverage shadow tools to solve underlying problems that IT departments are too slow to address, said Souren Sakar, CEO of Nexval, a company that specializes in mortgage process automation and IT infrastructure upgrades.

“If a group of conscientious employees downstream have built a system to improve something or have made something to increase the quality of an operation, that should be looked at as an asset rather than a liability,” said Sakar.

Sakar also noted that the fears of shadow tools is “a misplaced worry” and that if a shadow tool has value to the core business, it should be incorporated right away into the centralized IT system.

“For CIO folks that argue about shadow IT, I would ask them, why do you have such a backlog?” questioned Sakar. “If you have a department saying that a particular system or an improvement is the priority for them, (it makes sense that they will go out and find a solution, since their needs aren’t being addressed.)”

Some lenders are embracing the existence of shadow tools by allowing it to exist in a controlled environment. One of the ways of doing so is by bringing on board a business relationship manager who acts as a liaison between the IT department and other departments within an organization.

A handful of lenders interviewed say that they already have this position filled or are in the process of hiring for it.

“Bringing a person like that on board has been on our roadmap for some time and when the market shifts and gets a little more stable we’ll look at filling that position,” said Buschman. “We are looking for the right folks internally that can ask the right questions and aren’t afraid of technology.”

Related Articles