IT Asset Managers, Software Asset Managers and CIOs face a new challenge in the age of Software as a Service (SaaS).
Spending on SaaS and cloud services in 2019 reached $170 billion and is forecast to grow by 20% to $205 billion in 2020. SaaS isn’t going away any time soon. Not only are companies using more and more SaaS, but many license-based software products are migrating to SaaS.
The number of SaaS Apps used by companies is growing each and every year. This means Asset Management Professionals and procurement teams with established centralised Software Asset Management (SAM) tools and processes need to adjust.
Companies that find a way to manage SaaS in a way that balances the desire of employees to get access to tools they need quickly, with the need to manage IT risk, will have an advantage in attracting and retaining the best employees. This is particularly the case for companies that hire software engineers, who typically want to be able to use the latest tools and technologies to do their job well. Drip founder Rob Walling describes it best in his article ‘9 Things Developers Want More Than Money’:
“Every developer I know loves playing with flashy new technologies. It was Perl and HTML in the mid-90s, ASP, PHP and Java in the late-90s, ASP.NET and XML a few years ago, and today it’s AJAX and Ruby (and in some circles ASP.NET 2.0). Give someone a chance to use these toys and they’ll not only be able to impress their friends, but fulfil that piece inside of them that needs to learn.”
… because it’s going to exist no matter what you do. As long as there have been computers, there has been Shadow IT. SaaS companies like Slack have built multi-billion dollar companies by being really good at selling bottom-up and courting team members to set up their own Shadow IT. Shadow IT spend is estimated to be up to 50% of total IT spend by large companies. IT has moved out of the IT department and into the business.
SaaS has brought instant gratification into the age of enterprise software. Employees, especially millennials, are used to jumping on Google, finding a product that solves their problem and testing it by using it.
The fact that software procurement has moved away from managers and IT departments should be embraced. Highly motivated team members at the front line are most familiar with the problem they need a new software tool to solve, and letting them get access to it quickly can help accelerate a company.
One of the big downsides of allowing people to sign up to whatever SaaS solution they want is that you risk losing a central place to see a list of all your SaaS applications and other software. SaaS exists in silos, gets duplicated by different teams across a company and there is no easy way for people to know what already exists before they spend time researching new tools.
This is a massive opportunity for IT and Software Asset Management Professionals to add value to the business as the natural owners of this information. Collating and maintaining a register of the SaaS subscriptions across the business, working with HR to smooth employee onboarding to and offboarding from the SaaS tools used by teams, and working with the CISO and Data Protection Officer to take a risk-based approach to SaaS tools can all help companies make the most of SaaS.
With SaaS spend moving from IT budgets to teams, often hidden in expense reports, companies are losing visibility of the SaaS Spend. Unused, duplicate and forgotten SaaS is a growing problem in businesses, with up to 30% of software spend wasted according to Gartner.
Even if all the SaaS across the business is being used (highly unlikely), there are opportunities to add value:
Finally, ensuring there are processes to capture and store invoices for SaaS can reduce SaaS spend by 20%, by simply ensuring the finance team can use the invoices to claim back VAT on the SaaS Subscriptions.
For some businesses, like those that need to comply with SOC2 and ISO27001, SaaS management has been essential for a long time. For others, the advent of General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) means that managing SaaS has become a more recent requirement.
Whether or not it’s required by regulation, law or compliance, managing SaaS is good risk management in business. Every SaaS product, every login and every user is a potential attack vector that needs to be managed from an information security perspective. Reliance on third-party SaaS vendors for your core product needs to be considered from business continuity and disaster recovery standpoints, as does how it could affect your company’s adherence to the SLAs contracted with your customers.
Today, companies use one of three strategies to manage SaaS in a responsible way. If you think we’ve missed one, let us know on Twitter at @CledaraHQ.
If the horse hasn’t already bolted, some companies try to shut the door. This typically means implementing policies that centralise IT decision making and applying the same cumbersome procurement processes to software, whether it’s a £30 per month subscription or a £10 million contract over 5 years. Fortunately, companies doing this are fewer and fewer. Just like most companies have accepted the need for a ‘Bring Your Own Device’ framework, most are beginning to think about how to enable ‘Choose Your Own Software’ policies.
In recent years, there has been a wave of new products like Zylo and Torii that help companies detect SaaS in the company. They monitor network activity, watch browser usage and any number of other things to help IT professionals spot policy breaches.
The problem with this approach is that it only detects the breach after it has happened. Meanwhile, customer data has potentially been shared with a non-GDPR-compliant provider, login details have been shared with a third party and there are breaches to be recorded in registers and reported to governance structures where they will live forevermore.
This isn’t a great solution. One CIO recently told us that to be effective in his job, he had to “break the entrepreneurial spirit of the organisation” by having people follow procedures instead of showing initiative and moving fast.
SaaS is a new type of software that requires new methodologies to manage. If nearly half of SaaS spend is Shadow IT, despite all the policies that already exist, why not enable people and make it easy for them to comply, instead of punishing them for breaching a policy that doesn’t work?
Taking a risk-based approach to Software Asset Management for SaaS can result in lightweight processes that accelerate companies, manage risk and bring Shadow IT into the light. At Cledara, we believe in making SaaS in a company transparent. By shifting software decisions to the front line and building risk-based controls around what is used, companies can move faster, be safer and be more attractive to employees.