Pillar: Third-party risk
Outcome: Every top shadow app has an owner and a status.
Discovery alone doesn't reduce risk—action does. Onboarding leaves you with a long list of apps you can see but haven't triaged. This campaign gets every top shadow app reviewed, given a disposition, and inventoried:
Work-use → approved and owned
Personal-use → kept separate
No longer used → deprovisioned
Is this the right campaign for you?

| | |
| --- | --- |
| Where you are today | You're ready to send your first user-facing campaign, with copy you've reviewed in advance. |
| Best for teams that | Are cautious about user communication, or operate under HR or Legal review constraints. |
| Time commitment | 4 weeks, with roughly 50–150 users in scope for a first run. |
| Prerequisites | Your top-25 unsanctioned app list from Nudge Security, plus a named app reviewer on the IT side. |
The nudges you'll use

| Template | What it does |
| --- | --- |
| Request clarification of use | Asks how the app is used (fully adopted, under evaluation, an experiment, or personal). Sets the triage path. |
| Identify technical contact for app | Once an app is confirmed for work-use, finds an internal owner who's accountable for it. |
| Provide alternative app option | Steers users away from risky shadow tools toward your approved alternative. |
| Unapproved app usage | A polite in-browser nudge for users accessing apps whose approval status is "not permitted". |
Your four-week sequence

| When | Nudge | What to do |
| --- | --- | --- |
| Week 1 | Identify technical contact | For each top app, find the internal owner or technical contact accountable for it. |
| Week 2 | Request clarification of use | Pull your top 25 unsanctioned apps by user count. Send the clarification nudge to the people using each. |
| Week 3 | Provide alternative app | For non-work or risky apps, point users to your approved alternative. |
| Week 4 & beyond | Unapproved app usage | Turn on automatic in-browser nudges: any time someone opens a not-permitted app, steer them back to your approved tools. |
Every step can run as an automatic notification rule—governance without manual intervention.
What your users see
The clarification of use nudge asks one question with four one-tap answers—no typing required, and most people reply in seconds:
"Fully adopted" and "Under evaluation" flag the app for review; "Just an experiment" and "Personal use only" steer it toward cleanup. The optional custom text field is yours to fill: add a deadline, a reason, or a link before it sends.
How you'll measure success

| Target | Metric |
| --- | --- |
| ≥60% | Response rate within 14 days of first send |
| ≥80% | Top-25 apps with a named owner |
| ≥30% | Apps moved off "unknown" to approved or deprovisioned |
| <7 days | Time to first remediation from campaign start |
Reporting your results up
Talking points to adapt for your next leadership update or QBR (example numbers shown):
"We discovered 47 shadow apps and now have an owner or disposition for 86% of the top tier."
"31 unsanctioned apps were either added to the approved list (with an owner) or deprovisioned."
"The 'unknown app' line on our risk dashboard is trending down for the first time."
What's next
Once your top apps have owners and statuses, you're ready for Campaign 02: Critical app hardening—closing the security gaps on the apps your business depends on.
