In this episode of On Location with Sean and Marco, Ryan Bowman, VP of Solutions Engineering at ThreatLocker, breaks down the growing risks of Shadow IT—unauthorized applications and tools that create security gaps, operational inefficiencies, and compliance challenges. With real-world insights and practical strategies, Bowman explains how organizations can adopt a Zero Trust mindset to mitigate these risks while balancing security and productivity.
Zero Trust World 2025, hosted by ThreatLocker, is fast approaching (February 19-21), bringing together security professionals, IT leaders, and business executives to discuss the principles and implementation of Zero Trust. The event offers a unique opportunity to explore real-world security challenges and solutions.
In a special On Location with Sean and Marco episode recorded ahead of the event, Ryan Bowman, VP of Solutions Engineering at ThreatLocker, shares insights into his upcoming session, The Dangers of Shadow IT. Shadow IT—the use of unauthorized applications and systems within an organization—poses a significant risk to security, operations, and compliance. Bowman’s session aims to shed light on this issue and equip attendees with strategies to address it effectively.
Understanding Shadow IT and Its Risks
Bowman explains that Shadow IT is more than just an inconvenience—it’s a growing challenge for businesses of all sizes. Employees often turn to unauthorized tools and services because they perceive them as more efficient, cost-effective, or user-friendly than the official solutions provided by IT teams. While this may seem harmless, the reality is that these unsanctioned applications create serious security vulnerabilities, increase operational risk, and complicate compliance efforts.
One of the most pressing concerns is data security. Employees using unauthorized platforms for communication, file sharing, or project management may unknowingly expose sensitive company data to external risks. When employees leave the organization or access is revoked, data stored in these unofficial systems can remain accessible, increasing the risk of breaches or data loss.
Procurement issues also play a role in the Shadow IT problem. Bowman highlights cases where organizations unknowingly pay for redundant software services, such as using both Teams and Slack for communication, leading to unnecessary expenses. A lack of centralized oversight results in wasted resources and fragmented security controls.
Zero Trust as a Mindset
A recurring theme throughout the discussion is that Zero Trust is not just a technology or a product—it’s a mindset. Bowman emphasizes that implementing Zero Trust requires organizations to reassess their approach to security at every level. Instead of inherently trusting employees or systems, organizations must critically evaluate every access request, application, and data exchange.
This mindset shift extends beyond security teams. IT leaders must work closely with employees to understand why Shadow IT is being used and find secure, approved alternatives that still support productivity. By fostering open communication and making security a shared responsibility, organizations can reduce the temptation for employees to bypass official IT policies.
Practical Strategies to Combat Shadow IT
Bowman’s session will not only highlight the risks associated with Shadow IT but also provide actionable strategies to mitigate them. Attendees can expect insights into:
• Identifying and monitoring unauthorized applications within their organization
• Implementing policies and security controls that balance security with user needs
• Enhancing employee engagement and education to prevent unauthorized technology use
• Leveraging solutions like ThreatLocker to enforce security policies while maintaining operational efficiency
Bowman also stresses the importance of rethinking traditional IT stereotypes. While security teams often impose strict policies to minimize risk, they must also ensure that these policies do not create unnecessary obstacles for employees. The key is to strike a balance between control and usability.
Why This Session Matters
With organizations constantly facing new security threats, understanding the implications of Shadow IT is critical. Bowman’s session at Zero Trust World 2025 will provide a practical, real-world perspective on how organizations can protect themselves without stifling innovation and efficiency.
Beyond the technical discussions, the conference itself offers a unique chance to engage with industry leaders, network with peers, and gain firsthand experience with security tools in hands-on labs. With high-energy sessions, interactive learning opportunities, and keynotes from industry leaders like ThreatLocker CEO Danny Jenkins and Dr. Zero Trust, Chase Cunningham, Zero Trust World 2025 is shaping up to be an essential event for anyone serious about cybersecurity.
For those interested in staying ahead of security challenges, attending Bowman’s session on The Dangers of Shadow IT is a must.
Guest: Ryan Bowman, VP of Solutions Engineering, ThreatLocker [@ThreatLocker] | On LinkedIn: https://www.linkedin.com/in/ryan-bowman-3358a71b/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
____________________________
Resources
Learn more and catch more stories from ZTW 2025 coverage: https://www.itspmagazine.com/zero-trust-world-2025-cybersecurity-and-zero-trust-event-coverage-orlando-florida
Register for Zero Trust World 2025: https://itspm.ag/threat5mu1
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Marco, Sean,
Marco Ciappelli: here we go.
Sean Martin: I'm, I'm full.
Marco Ciappelli: You're full
Sean Martin: of energy and trust today. I think our first episode, you said I had zero trust
Marco Ciappelli: just for me. I still don't trust you. So I'm happy to hear about the energy though.
Sean Martin: I do have good energy. Uh, we're, we're getting closer to Zero Trust World 2025 in Orlando.
Marco Ciappelli: I know.
And I know in the halftime, you're kind of already moving in that direction from the West Coast to the East Coast. So you can be closer. I'm going to fly straight all the way from LA to Orlando. And that's, that's going to be exciting. It's going to be Zero Trust World 2025, February 19 to February 21 in Orlando, Florida.
So I'm hoping for good weather and, uh, and for a good time.
Sean Martin: Yes, it should be both, both good things going on there. Hopefully, hopefully we get to meet some new folks. One of [00:01:00] whom will be, uh, Ryan Bowman. We'll get to meet in person Ryan here on the show today. Thanks for joining us.
Ryan Bowman: Absolutely. Thanks for having me guys.
Sean Martin: Good. Good to see you. Good to meet you. And, and, uh, we'll, uh, we'll get to spend some time together in person on location there in Orlando. You have been involved with Zero Trust World for a while now, and you have a session this year, which we're going to talk about, which is all about, uh, Shadow IT and, and, uh, the impact it has on business and how security leaders and practitioners can approach the challenges related to that. And that's gonna be part of your session. So we'll dig into that.
But first, a few words from you on, on your role. Um, probably get the signal there. Thumbs down. But your role at ThreatLocker. Um, my opinion, you have probably the coolest role because you get to manage and manage a team that And you also, I'm sure, get to connect to a lot of customers, which means you get to see a lot of stuff, real world [00:02:00] that's happening.
So talk to me a little about your role at ThreatLocker.
Ryan Bowman: Yeah. So, uh, I'm the VP of solutions engineering at ThreatLocker, which means, um, I manage a team of engineers who start working with our prospects, really, when somebody expresses ThreatLocker is, showing them how the product works, how we make them more secure.
Uh, and then when they come on board, we get to make sure that they know how to properly implement, uh, and maintain the system. So, uh, it's really nice, uh, the way that we're set up is where we can kind of work with that customer, kind of start to finish. A lot of organizations will do a handoff when the sale is made.
Uh, we try not to do that. We, we build a lot of, uh, synergy and learn to know each other as we go through that kind of proof of concept, uh, phase. And so we continue on, uh, and, and teach our, our customers then how to effectively, uh, implement zero trust in the organization. So, yeah, it's really fun. We do get to see the not so fun stuff [00:03:00] sometimes that our customers have to deal with and help them clean up bad things that have happened and things like that.
But at the same time, we get to see a lot of successes too, uh, where they could cover customers come back to us and say, Hey, I saw ThreatLocker block this attempt to attack. And so those are the really fun ones and rewarding to know that we had a hand in, in keeping an organization safe and secure.
Marco Ciappelli: Yeah, I mean, the point is, we know from prior conversation that ThreatLocker is growing incredibly fast. And so is this event talking about doubling and doubling and doubling and something exciting and you've been with ThreatLocker for a while. So tell me a little bit about your, I don't know, expectation going to this year's event compared with maybe what it was a few years ago.
Ryan Bowman: Yeah, it's [00:04:00] changed a lot for sure. Um, I I'm really bad at remembering specifics, but I'm going to say the first year there was a hundred or so people, uh, I believe at the event, something of that nature, uh, to a few hundred the next year to, uh, well over a thousand. Uh, this year, uh, we're anticipating, um, and so, yeah, it gets bigger and better every year, more speakers, more sessions, uh, more information, uh, being presented, more opportunities to learn, um, we every year we've, we've increased our capacity and, uh, some of the very technical sessions are very, very popular.
Um, and every year we, we think we're going to add more capacity than we could possibly use and every year they fill up again. Um, and so that's really exciting. It's, it's, it's a really fun time. The energy level is super high. Um, you know, it's, it's a cybersecurity event, unlike any other that I'm aware of, where people really get that hands-on experience and people really enjoy that.
There's not a lot [00:05:00] of opportunities to really get hands on with some of these attack vectors to really learn about what the attackers are really doing and what that actually looks like and get to kind of play around with a little bit and see firsthand what some of those things look like, obviously, so that we can then know what it is that we're defending against and how we can put protections in place to stop, uh, those types of attacks when they come at us.
So yeah, it's a lot of fun. There's a lot of, a lot of energy, um, at the event and it's always a great time.
Sean Martin: A hundred percent energy. I want, I want to, uh, I want to ask you your perspective on, cause for me, zero trust is a concept that you try to figure out how to apply to an organization's infrastructure and business processes, and I believe is with, uh, with Karen human human.
We talked about zero trust being a mindset, um, that you have to apply. It's not just a set of technologies, not just a [00:06:00] set of processes, not just a team that knows how to connect that back to the business.
Um, it's all of that together. So I'm wondering. Your definition of zero trust, connecting with customers. Do they understand what it is? Do they understand that it's a mindset and it's a way of, a way of managing security connected to the business and how, and if so, what that looks like, how does that connect to what's being presented during the conference?
Ryan Bowman: Yeah, that's a great question. And like most things, some get it and some don't, right? Uh, there are people out there shopping, uh, for the silver bullet. Um, and if we just get this in place, uh, then we'll be good. Um, and while we would like to believe that we can help an organization take a lot of steps in that direction, just by implementing, um, our technology.
There is no one end all be all, um, solution. You're absolutely right. It's a mindset. It's not just one product. Um, it's [00:07:00] really the way that you, you manage your entire organization. Um, not just from a standalone security product, but everything else that you do, you want to look at that the same way. Is this trust inherently needed?
Why am I giving access or trust or availability here? Do I even know that somebody needs this? Like, really critically looking at all of the things that are going on and saying, is this even necessary? Um, and yes, we can help you with that with our product. Um, but you're right. It's a mindset. It's a philosophy.
It's a concept. Um, really approach to security than just a product. Yes, product like ThreatLocker is certainly a part of that. But it's not the only part of it.
Marco Ciappelli: Well, if we had a silver bullet, we wouldn't have this conversation, right? Correct. Number one. All the events. Um, it's a moving target, right? And I think that's why it's, yeah, it's a way of [00:08:00] thinking, it's an approach, it's a methodology and not, not just one solution.
Um, one of those things that you need to look, because you may have been able to trust something years ago, and then with technology advancement and the attackers getting smarter or having more access, then something become something that you don't have trust in it anymore.
I think Shadow IT, it's probably a good example of that. Something that lingers in the back. So tell me, tell me a little bit why you choose to talk about that.
Ryan Bowman: Yeah, well, it's, it's something that actually comes off a lot. Uh, from our customers. One of the reasons, one of the problems that they're looking to solve, um, you know, through their security stack and, you know, seeing what ThreatLocker can do to help them with that is this problem of Shadow IT.
And it's, it takes a lot of different forms that we're gonna dive into, um, in the session. Um, and, you know, as I talked to people and did some research on [00:09:00] this as well, um, I think I even learned some new things, some new angles to, to ways that Shadow IT has an impact, um, and maybe what we really mean by, uh, by Shadow IT.
Um, it's, it's people doing stuff on their own that nobody knows. Um, it's, it's people circumventing systems and processes because it's easier. It's cheaper. They perceive it to be better. Um, all of these things. And perhaps the one of the key things that I really came away with in preparing for this too, is a lot of the objectives, a lot of the reasons that that will surface for people kind of turning to Shadow IT is, is to become more productive.
Like from an IT perspective, we, we look at it very negative as the, why are you doing this? Like, what is wrong with you? Why are you circumventing these systems and processes we have? Like there's a way that we should do this [00:10:00]
Sean Martin: until we need to subvert it ourselves in IT.
Ryan Bowman: And yeah, and the reason is that you're, yeah, you're not giving us the stuff we need. Uh, and so, you know, I had to kind of take a fresh look at that and, and not just, you know, cast all negative light on maybe those individuals who we, who we see circumventing things, uh, and maybe taking a look at ourselves and saying, why did I make it so hard for you to do your job that you had to go find?
Um, and so, you know, I'm going to try to look at that, uh, dynamic a little bit too in that session and have us, you know, look at some of the way that we operate, um, it and security and things of that nature and, and make sure that we're not, uh, kind of pushing people into that direction. Um, because we make it so hard for them to function.
Sean Martin: And it's not just, um, at least based on my conversations with, with CISOs on this topic, it's not just the fact that it's a small, [00:11:00] unknown technology, sometimes can be something big. For example, organizations have a Microsoft license, and therefore they ask their employees to use Teams to communicate.
Engineers like Slack. So they go off and use Slack. And if it's not procured through the business, Slack then becomes a Shadow IT thing. And it not necessarily that there's risk in Slack as a technology. It's more about how it manages it, how security does look at the risk involved and where the data is going and things like that.
So can you talk about kind of the view of the organization in terms of what Shadow IT is and how it impacts IT, how it impacts security, how it impacts risk, how it impacts operations and the lot.
Ryan Bowman: Well, yeah, I mean, you hit, you hit the nail on the head there with data, right? So [00:12:00] nothing wrong with Slack versus Teams versus messaging, whatever, you know, messaging of choice, like, you know, pick one.
It doesn't matter to me. But if it's, if IT is not involved, if we don't know what's going on, if it's not procured properly and people are popping data out there, employees leave, things change, where's the data? Well, it's still out there, still accessible, perhaps, to people who should not have access to it.
You just, you lose control of your data, company data, somebody could be dropping, you know, intellectual property, um, into there and then there's no way to get it back because it's not a company channel, um, you know, to manage. So I think that's, that's one aspect, uh, that people, you know, kind of forget about.
I think sometimes you don't, you know, see, see that part of it so much. Um, you brought up a good point in procurement as well. We actually work with a customer, um, [00:13:00] who implemented ThreatLocker to control what applications people could use, um, and, you know, controlling that the usage of software. Um, and as they were auditing all the different software that they had, by, uh, by eliminating the duplicates that they had inside the organization, in other words, maybe we're paying for Teams and we're paying for Slack, right?
By reducing those, those duplicates and paying multiple licensing fees for essentially the same task, they more than paid for the cost of implementing ThreatLocker, right? And so a lot of times those, those costs go unidentified, unknown, unquantified, I guess I would say. And people don't always understand what they're actually paying, uh, what the cost is, you know, for some of those things that just slide by.
Sean Martin: It's an excellent point to Mark. I know you're gonna jump in here, but No, no, go. I had a, I was on a call earlier that, um, was talking [00:14:00] about a plugin to messaging system. I won't mention names of. I'll be there. But it was basically an AI sentiment system or census tool, if you will, that was monitoring the messaging to identify who in the team is not getting along with each other so that they could report that to the manager, perhaps to HR, if there, if it gets a little too escalated, imagine, so that's a little creepy just in itself, but imagine that data living in another organization that then could be used, if compromised, uh, to do certain things to that team, to that organization.
And I presume in that case that was discussed this morning, it's a Shadow IT. Somebody installed it thinking it was cool, right?
Marco Ciappelli: So it's, it's more of a creepy IT. Yeah.
Sean Martin: So I guess my point is, there's stuff installed, not just in the main applications, but in plugins and other extended services through [00:15:00] APIs that do stuff that you may or may not want to do and have access to stuff you may or may not want to, to, uh, name it.
Ryan Bowman: Yeah, I mean, browser plugins, you know, are, are a big thing and everybody's got their, their favorite Chrome, you know, browser extensions. Um, and it seems like every month or so we read about how, uh, Google and others have removed hundreds of extensions from the store because they found them to be not ideal in some way or other, you know, collecting data or not doing what they whatever whatever the reason, you know, not maybe not outright malware, but um, you know just collecting data that is not relevant to it and things like that, so um, the the one we often have talked about, um, a number of months ago the the most popular dark mode um plug in to make your browser a dark mode, um, [00:16:00] was a China was developed in China.
That doesn't mean that it's bad, but it was the most popular one. Everybody was using it. We don't know what it's collecting or isn't collecting. Um, maybe if we know what that is, maybe there's another one that's just as good that we feel better about. Um, that's just one, one example, but those kinds of things, you know, come up over and over again, just because people just don't know.
It just, Hey, it makes my browser dark. I like it. I'm going to use it with any no thought to what else you might have gotten along with that, that you didn't even think about.
Marco Ciappelli: And I think that's key. It's kind of like, you know, you're talking about the IT.
You're also talking about the culture and how you can learn the feeling of the employees and say, well, maybe I'm not provided what they need. Therefore, I'm going to go for something on my own, but then you can look and say, well, you know, maybe I do need to provide that. But also is that mindset that, yeah, maybe a little thing, [00:17:00] but it's not necessarily just a switch in the wall to turn off the light and make it dark in your room.
It's still connected, right? It's still on your computer and your browser in your system. So it's an entire again. I go back to the mindset. I always look at the human, the human element that the psychology of this more than the IT.
Um, like you guys probably do. But, um, talking about this to your session. I mean, what did you what do you expect to deliver in term of what, what the audience is going to, you think you hope is going to live with, and who do you think is mostly for? Cause I know that they're going to be customers, partners.
There's going to be people that are not part of the company. They're just there for the labs to learn. So I'm sure you want everybody, but if you had to pick who is it for?
Ryan Bowman: Um, I think the guy, the CTO, the IT director, I think [00:18:00] hopefully we'll find a lot of value here. Um, and you know, we'll get a little bit practical to not too deep into the weeds.
So even the, the IT administrator, uh, type of person, I think we'll find some value. Um, but we're gonna talk a lot about the exposures, like the data being one of them that you talk about in some other areas where Shadow IT does create risk within the organization. That's where, you know, the IT director hopefully is concerned about risk.
The CTO, the, you know, upper management, um, understanding. It's not just about a user choosing their favorite tool. Um, and being okay with that. It's maybe it's okay, but maybe it creates risk if it's not done correctly. So that risk side, I think, is something that we'll talk about.
Um, but then again, we'll get very practical too with, um, how to deal with some of those things, how to protect [00:19:00] against, uh, some of those things that we want to prevent, uh, and like I mentioned earlier, um, uh, maybe, maybe give the IT people a little bit of a hard time about some of the stereotypes that we might have, um, as IT people of not being very flexible, um, and, uh, and there's a time and a place for that.
There's reasons for that at places, but, uh, uh, maybe not everywhere. Um, and, and we can maybe work with people a little bit better, um, and, and eliminate the need for some of those things to become a, become an issue.
Sean Martin: I presume, and you can confirm and maybe elaborate as much as you want, but a lot of times presentations I see are theoretical.
Like this could happen, this could happen, but how much of it, what you'll be discussing and presenting and is rooted in your team's exposure to what's happening in the real world. Banks are different than retail or different than manufacturing, so on. Um, different stories bring different [00:20:00] scenarios and use cases together, different environments, different cultures, different technologies.
It all, it's all a mix, but once it comes down to reality. Um, it really hits home for a lot of people. So tell me about what you hope to share there.
Ryan Bowman: Yeah, I mean, you know, one of the reasons I volunteered, got drafted, whichever it was, to, uh, uh, to do this presentation is, is I'm drawing on some of my own personal experience, too, as an IT provider, uh, before joining ThreatLocker.
Uh, and I, I saw a lot of these things. I saw people doing things in ways that shouldn't, that shouldn't have been done. And I saw some of the bad things, you know, that can come out of that. Um, and of course now being on the ThreatLocker side, I can see and provide a lot of answers and solutions of how we can, we can protect against the mitigating mitigate against some of those things.
So, uh, there's certainly, there's certainly some of both, uh, there's, Hey, this kind of thing has happened. So if this can happen, this certainly could too, even though I may not have a personal story for that, but it's [00:21:00] a, it's a pretty easy line to draw where you might see, uh, one thing turning into another.
Um, so certainly a mixture, but definitely some practical. Um, you know, real world situations that have, that have occurred.
Sean Martin: I love it. Well, your session is Dangers of Shadow IT. So, uh, certainly one that I'll be attending because I want to hear some of those stories and the lines drawn to what else might be possible.
Uh, the conference, Zero Trust World, is February 19th through the 21st. Marco and I are excited to, uh, to be there on location in Orlando with the ThreatLocker team and customers and partners and other attendees. Dr. Zero Trust, Chase Cunningham is going to be there. I'll be excited to see him in person as well.
And of course, your CEO, Danny Jenkins, looking forward to him and both of their meeting, seeing him in both their keynotes. And, uh, Ryan, looking forward to seeing you there as well.
Ryan Bowman: Absolutely looking forward to meeting you [00:22:00] guys in person as well.
Marco Ciappelli: Absolutely. It's about learning, but it's about networking. I know there is some parties going on and networking, and that's why we go to conference to meet new people, um, and eventually meet old friends, and we're looking forward to be there.
I'm looking at it now. The countdown is 14 days, 04 hours, 19 minutes, and 7 seconds, 6, 5, 7. Pack your bags, Sean.
Sean Martin: We recorded this.
Marco Ciappelli: Well, you know, whatever. Minus, you have to run the calculation. Minus the time when we recorded. Yeah, and what time zone you're in, too. It's an equation right here.
Sean Martin: But, uh, no, you mentioned networking, Marco, and I'm going to close with this, because it is around the people.
Going back to the beginning, it is about the mindset as well, and if you're sitting behind technology all day, um, you're gonna have the mindset that the, that the tech provides. When you have a chance to connect [00:23:00] with, with folks like Ryan and the ThreatLocker team and the other attendees, you get a different perspective and perhaps a, I'll say better mindset that you can apply and bring back to the organization.
So I'm looking forward to the conversations, uh, that, that do just that, make us think that's what we're all about Marco here on ITSPmagazine. So Ryan, thanks for joining us. Uh, we'll see everybody at Zero Trust World and, uh, please stay tuned for more coverage coming to you from Orlando here on ITSPmagazine.
Ryan Bowman: Bye bye.