Shadow IT and Security Theatre: What Every CISO Needs to Admit

2025-04-15

There’s no shortage of public sector agencies boasting robust IT controls—at least if you believe the official reports. Prospective CISOs are told to champion security culture, enforce policies, and roll out monitoring, but a quiet epidemic keeps undermining all that effort: shadow IT. You know, the unsanctioned cloud accounts, rogue project management apps, and “just-testing” scripts running under the radar because official systems are too slow or restrictive.

Let’s be honest—every major organization in Singapore has shadow IT, especially those with sprawling legacy infrastructure and bureaucratic approval cycles. Nobody likes to admit it, but these unofficial tools can sometimes solve real problems faster than official solutions ever will. Senior leaders frown on them in meetings but quietly rely on shadow solutions to “get things done.” It’s human nature, amplified by the demands of rapid digital transformation.

That’s where the second, arguably stickier issue comes in: security theatre. Far too much energy is spent on the appearance of security rather than genuine risk management. Policies get written, dashboards fill up with “alerts,” and compliance trainings are completed on autopilot. All the while, the reality on the ground shifts—sensitive information moves outside controlled boundaries, and attackers care little for how tidy your audit trails look.

So what’s a pragmatic CISO candidate to do? First, lose the illusion that security is about perfect visibility or rigid control. Instead, start with a sober assessment of where shadow IT emerges, why, and how it can be managed without alienating your agency’s best problem-solvers. Engage the teams who operate at the edges of “official” systems—listen, don’t police, and work toward understanding what drives them to go off-script. Then, use those insights to adapt governance and security architecture so they protect value without crushing innovation under red tape.

Security theatre only disappears when leaders tell difficult truths. Own the gaps. Make it safe for staff to report shadow activity—and turn those reports into opportunities for co-designed solutions. Swap checklist-driven audits for outcome-based reviews that actually measure reduction in risk, not just compliance. Build an environment where security is an enabler, not a sledgehammer, and where the appearance of control never outruns the reality.

No leadership role is complete without candor. Aspiring CISOs will be measured not just by how well they enforce policies, but by how artfully they navigate the real world—of shadow systems, shortcut culture, and the persistent gap between “should” and “is.” Admitting what so many continue to ignore is the first step to building the kind of security program Singapore’s public sector badly needs.