Since 2020 we’ve seen considerable growth in SaaS usage. Enterprises previously taking a cautious approach to implementing SaaS solutions accelerated programmes in order to support remote work and deliver rapid digital transformation. For many organisations this was a success – making them more agile, more able to respond to customer needs, and also more able to provide employees with the tools they need to do their jobs in the world of hybrid work.
However, are we doing all we can to govern this new paradigm? Are we in control of our SaaS expenditure? And what about the increased risk of relying on these solutions to enable critical business processes and value creation?
This article, co-written with Edouard Dossot from SaaS Management provider Beamy, explores these questions and presents a hybrid solution to software governance at enterprise scale, enabling CIOs to accelerate digital adoption and transform the way they work with business departments.
We also would like to give our appreciation to Didier Fleury, CIO of French mutual Insurance company MACIF and Messaoud Machrhoul, Chief IT Operations & Security of Engie France B2C, the multinational energy company, for sharing their expertise in this article.
SaaS is transforming how organisations select, implement, use, and manage software applications. This transformation means that IT needs to adopt new ways of governing applications – reducing costs, minimising risks, and being agile in the face of growing end-user demands. In this article we explore just how SaaS is transforming technology and provide a framework for governing it. We start with three key shifts being led by the switch to the SaaS model of software consumption. These are SaaS growth, the democratisation of technology choice, and growing regulatory demands.
Beamy’s research found that the average number of Enterprise SaaS apps used per company in 2021 was 190. Of those, 60% (120) could be seen as critical risks. Beamy define criticality in this case to be those apps which are in use but have not been onboarded by IT or passed through approval processes by stakeholders such as the CIO, CISO, or DPO.
So, that’s the “as-is” state of SaaS in our organisations. Rapid SaaS implementations to support remote work mean that many organisations have built up risk exposure in this area, simply in order to get things done. But what about long-term prospects for SaaS growth?
KPMG research estimates that SaaS spending will grow 9-fold over the next decade. By 2031 80% of business applications will be delivered via the SaaS model, compared with just 17% in 2021.
Alongside this, Gartner estimated worldwide enterprise software spend at $600bn in 2021, with SaaS spending making up around 20% of that figure. That’s $120bn spent on SaaS now, building to over $1tn by 2030 as more publishers shift to licensing their products as SaaS. We’re just getting started with a SaaS-led transformation of our technology estates. But what’s driving this transformation? Democratisation of technology choice is playing a significant role.
KPMG & Beamy expect 85% of apps will be managed by business units and individuals by 2031, up from 60% today. This presents IT teams, and governance teams in general, with a significant increase in risk. Financial risk from unplanned spending and waste. Compliance risk from unauthorised use of applications in controlled environments. Reputational and privacy risk from data leaks. Operational risks from deploying vital technology we no longer directly control.
Didier Fleury, CIO of French mutual Insurance company MACIF sums up this problem as follows:
“Departments need to move fast. The problem arises when the technology they select becomes very important to the business, but regulatory compliance has not been considered”.
Finally, lawmakers across the world are making increasing legal and regulatory demands on IT departments. Europe has already been through the GDPR wave, and a similar wave will hit the US in the coming years with many states implementing their own privacy and IT security laws. Additionally, we must also consider industry-specific regulatory requirements and the operational governance demands of this new software paradigm. Also to be considered is a growing movement driven by lawmakers in the US & EU seeking to take on what they perceive as the excesses of “Big Tech”. In the UK, we see continuing demands from the government to address concerns around encryption and digital safety. This governance demand, approached using traditional methods of command and control, is incompatible with the agility demanded by democratised technology choice in enterprises transitioning to SaaS.
Taken together these three factors present serious challenges for IT Governance & leadership teams. They have more spend and applications to manage to a higher regulatory standard in an environment where they lack centralised control. This perfect storm presents three challenges: Increased risk, low visibility, and a lack of agility.
Traditionally, IT Governance teams such as IT Asset Management and Procurement have focused on a small number of so-called Tier 1 software publishers. For most enterprises these will be three or more of the “Big 6” – Microsoft, Oracle, SAP, IBM, VMWare, and Salesforce. These industry giants are a known entity in terms of risk and management. Whilst the financial risks through non-compliance with license agreements are very large, mature processes, policies, and tools are available to manage those risks.
This is not the case with democratised IT where there may be almost 200 software publishers/providers in an enterprise. Each of those 200 present new risks around data storage, privacy, and availability. That’s an explosion in scale that current IT Governance processes have to adapt to.
According to Messaoud Machrhoul, Chief IT Operations & Security of Engie France B2C
“Enterprises often overlook the proliferation of small and medium SaaS within business departments, those that are not visible on the radar”.
He further comments:
“Many risks can be traced to these SaaS apps: they store personal and corporate data and constitute an ideal entry point for potential hackers, since IT departments are yet to find a way of detecting vulnerabilities in these apps.”
Tools designed to manage the Big 6 have evolved a high level of functionality over the last 15 years. These tools were built first and foremost in order to manage the millions of pounds of financial risk arising from over-consumption of entitlements or poor understanding of complex software licensing rules. They’re very capable at managing these risks. But what about the “long tail” – the 190 publishers now providing software for your organisation’s estate?
Each of those applications exposes organisations to a number of risks, with particular focus on availability, data privacy and cyber security concerns. This fundamentally differs from managing risk in on-premises software which is primarily financial. Governance may have focused on the top publishers ranked by financial risk, but it’s a dangerous strategy to apply to the uncontrolled explosion of SaaS usage in organisations. SaaS applications place heavy reliance on APIs in integrations with other applications, providing a large attack surface which must be understood and managed. That’s only possible with full visibility.
A significant driver for departmental and individual IT acquisition and deployment is the perception that IT departments are unable to respond to rapidly changing business requirements. SaaS is so easy to acquire that it’s not surprising that an individual will solve a pressing business need by expensing an application or signing up for a free trial. This is the agility IT’s customers expect but many IT organisations are stuck in a governance and operational model built around managing centralised, monolithic, “company standard” IT estates. These operational models struggle to scale up to cope with huge demands from SaaS applications.
On this subject Messaoud Machrhoul mentions:
“Freedom follows transformation, when it falls into the hands of the IT department to establish a governance framework and transform itself from a controlling to an enabling role. With this new, empowered role, digitalisation will be accelerated while risks will be controlled.”
Enterprises now have a diverse technology estate to manage, ranging from long-term strategic investments in mature tools (such as ERP systems) to niche SaaS apps used by a handful of employees. This diverse estate must be governed, but how, and by whom?
We already have mature tools and processes to govern the software and publishers we’ve always governed. Traditional ITAM tools are incredibly capable at doing this. But how do we scale that rigour to govern 200+ SaaS applications? How do we govern those applications that aren’t centrally controlled by IT?
The answer is to augment your existing governance toolset with a comprehensive SaaS Governance platform such as Beamy. The SaaS Governance platform manages the long tail of those on average 200 applications which carry a greater proportion of the risk versus the established, centrally managed software publishers. Modern SaaS Governance platforms should provide 3 main capabilities: automate the client discovery of shadow IT, manage it and enable Business-Led IT.
SaaS is difficult to discover, particularly when anyone and everyone is a potential buyer of SaaS apps. However, not all SaaS is equally risky. Consider the following case study.
In this client case study for a large retailer, we have an enterprise with 395 SaaS publishers (Category B, C, & D) and £29m spend alongside on-premises software (Category A) dominated by 10 publishers & £34m in spend. That’s £63m in annual spend, across 400 publishers. As we note above, risks from on-premises software are well understood – we have excellent discovery and tools designed specifically to manage those risks. We have a team dedicated to managing that software risk too. Equally, the expenditure involved means even a small change to usage or deployment can result in a significant budget saving. In summary – Category A presents low risk with great potential for optimisation and ROI.
But what about those 390 other apps constituting £28m in spend? The key here is that the very largest SaaS application providers (Salesforce, Office 365, Adobe – Category B) are not shadow IT. IT is aware of them and centrally manages them, they’re strategic long-term investments. They’re also provided by publishers likely to have the very highest security and governance standards. As a result, they are low risk and governance is relatively straightforward.
Moving on from the SaaS heavyweights there are further categories of SaaS consumption. The first (Category C) is those apps acquired, managed, and paid for by business units outside of IT. The governance demands are similar to IT-managed publishers. In this category IT is aware of the application and it’s likely to be onboarded into IT Management tools such as Enterprise Single Sign On. Primarily, we’re interested in managing costs by optimising usage for these applications.
The challenge arises when we come to Shadow IT. In this category we have over 200 applications to govern. These are apps perhaps used by a handful of employees and then abandoned or used by a small team in a niche area. How do we find out about them?
It starts with comprehensive discovery. We need to integrate with systems to detect them. Most commonly SaaS Management tools approach this by “following the money” and integrating with expense and accounting applications such as Coupa, NetSuite, and Expensify. But that’s not enough. We also need to find the highest risk SaaS apps – namely those that are free and so will never be expensed. Free apps can have additional privacy concerns and may lack premium security features such as two-factor authentication & enterprise single sign on, placing sensitive data at risk.
Without a solution to discover this category of SaaS many organisations would resort to a strict “No unapproved SaaS” policy. However, this is at odds with how modern businesses consume technology.
And so they need a different approach – the approach enabled by a SaaS Governance platform which continuously discovers shadow SaaS usage.
Continuous discovery of shadow SaaS is key to governance of democratised technology. It’s not enough to know that a particular application is in use. You need to know who is using it, when it’s being used, what it’s being used for, and what the usage trend is. It’s also beneficial to understand the category of the application – is it file-sharing, or team collaboration, or project management, and so on. Finally, you should categorise the application according to its importance to critical business processes.
Messaoud Machrhoul, sees this as follows:
“IT organisation accountability is to enhance business initiatives through a Tech Operating Model which enables innovation, and by helping business to take the best guided decisions through an all-in-one platform – a kind of personalised company “App-store” where businesses can visualise all technologies, experiment and choose new ones without reinventing the wheel or putting the company at risk”
Understanding and categorising applications unlocks considerable value-add from your SaaS Governance platform. Firstly, it enables users to discover which applications are in use in the enterprise, and as such which may be suitable for their needs. This improves productivity and efficiency by streamlining the solution discovery process for all users, not just your application managers and architects.
Furthermore, continuous monitoring enables you to spot usage trends. Is usage increasing or decreasing? Do we need to plan to add more seats at the next renewal? Is there an opportunity to standardise on a solution?
Throughout this article we’ve highlighted the scale of SaaS. On average, 190 SaaS applications. In the case study featured in this article, over 400 publishers. That’s simply too many for an internal team to track, analyse, and control internally. IT Asset Managers will pay close attention to perhaps less than 10 key publishers, something they can afford to do because they’re primarily concerned with managing costs and software audit risk.
For the long tail of SaaS, a better approach may be to engage with a managed service provider. Such Managed Services will assume responsibility for transactional and operational management of SaaS applications, utilising their experience in tasks such as renewals management, procurement, and optimisation of subscription allocations. Modern SaaS Governance platforms help by providing extensive automations and workflows to drive optimisations – for example by automatically reclaiming unused subscriptions for allocation elsewhere.
This article has highlighted how technology selection and decisions are moving outside of IT and into business units. It is not in anyone’s interest to try and reverse this trend, because traditional methods of application selection and management don’t scale to a world with hundreds of SaaS applications.
However, someone needs to govern this new technology paradigm, and IT, equipped with the right tools and processes, is best placed to enable that. IT becomes an enabler of innovation and a trusted partner for business units selecting and using their own technology solutions.
SaaS is accelerating business-led IT and democratising access to technology. CIOs are the orchestrators of the company’s digitalisation.
Didier Fleury sees the new CIO’s role as follows:
“The CIO holds a strategic position in this regard: that of providing the company with a framework for decentralising digitalisation and letting Businesses innovate on their own”.
A SaaS Governance platform, such as Beamy, enables this freedom of technology choice within a framework which provides the necessary guardrails and standards to protect the business from risk. Comprehensive insights from SaaS Governance platforms enable collaboration and co-operation between the CIO, CFO, CISO, and business function heads, driving forward innovation and meeting business goals. Complete visibility, strong governance, and agility – all this is possible with this approach to SaaS governance.
Critically, the aim is never for IT to govern everything, but instead to provide the framework for governance. That way, business functions are given the autonomy they desire over technology decisions, but with reference to common governance standards and full visibility of solutions already deployed in the organisation. For CIOs, this enables their teams to get “out of the weeds”, away from operational management of technology and towards true strategic engagement with business goals. Adopting SaaS Governance tools and processes turns a problem and a source of risk into a positive opportunity for CIOs to get closer to the business.