90% of CIOs expect their organisation’s overall IT budget to either increase or remain the same over the next 12 months, according to the 2022 State of the CIO Executive Summary.
The biggest contributor to the tech budget increase according to this report? Need for security improvements.
Security requirements never stop growing, even under the most effective governance, because business operations and priorities are constantly evolving. The arrival of appealing new technologies, rising employee demands, and changing customer expectations all call for governance that is adaptable and flexible.
Software-as-a-service (SaaS) has quietly worked its way into the organisation’s technology portfolio. IT departments have unknowingly let hundreds of SaaS applications that may pose security threats enter the organisation without adequate vetting. For governance to stay relevant over the years, it must be granular and extend to every corner of the organisation.
Layers of Governance
- Enterprise Governance: Set of policies and practices that provides the strategic direction to align an organisation’s strategic objectives, evaluate and manage risks, and ensure responsible resource efficiency.
- IT Governance: An integral part of enterprise governance, it is a formal framework that provides a structure for the company to align their IT strategy with the corporate objectives.
- SaaS Governance: A compliance framework set forth by the IT department that includes processes and methodologies to identify, manage and secure the adoption and usage of SaaS solutions across the organisation.
Why the need for SaaS Governance?
Originally, IT governance teams may have focused on the on-prem giants, prioritised because of the associated financial risk: Microsoft, Oracle, SAP, IBM, VMware, and Salesforce, referred to as the “Big-6” by the ITAM Review.
The governance radar covers the management of these tier-1 software publishers by default because the financial risk resulting from their non-compliance is fairly large.
But the challenge has changed, and IT departments now have to work out how they can govern the ongoing growth of the organisation’s SaaS portfolio with a framework as robust as the one they apply to on-prem software.
SaaS vendors sell directly to end users, who don’t see the need to run their purchase decisions by the IT department. As a result, the need for SaaS governance doesn’t become apparent until IT learns that the business departments’ buying spree has produced persistent shadow IT, or several unvetted SaaS applications presenting new data storage and privacy threats.
A lack of SaaS governance doesn’t stop at wasting financial resources; it also exposes the organisation to cybersecurity, operational, regulatory, reputational and organisational risks.
SaaS governance is how companies can be sure of the integrity of their security measures and anticipate potential incidents. It not only protects the financial interests of the organisation but also reduces the downtime needed to recover from an incident, without hindering employee productivity.
3 steps of SaaS Governance:
Step 1. Gain complete visibility of your SaaS ecosystem:
The best possible way to start is a deep dive into the enterprise’s SaaS environment. The discoveries from this campaign will set the baseline for SaaS governance. The larger the organisation, the trickier the hunt.
The biggest challenge is uncovering the shadow SaaS that has piled up over time as employees purchased subscription-based SaaS tools for personal or departmental use without notifying the IT department.
The best approach is to initiate an organisation-wide audit to discover and flag managed and unmanaged applications. This formal audit should aim for a pan-organisation check covering SaaS purchases, employees’ browsing logs, SSO data, personal devices, browser extensions, etc.
Data from all levels of the organisation (SaaS for personal use by employees, departmental SaaS, and the business unit portfolio) should be combined and monitored in real time to understand trends in SaaS adoption.
The real-time data extracted from the company’s ecosystem will reveal faulty trends and malpractices such as unchecked auto-renewal of SaaS subscriptions, functionally redundant tools, SaaS with no stakeholder responsible for its lifecycle, and other such anomalies.
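As an added illustration of this discovery step (not code from the article), the script below reconciles three constructed data sources an audit would pull together: apps seen in SSO logs, apps seen in expense records, and the IT-managed inventory. It flags the anomalies the step describes: shadow apps missing from the inventory, apps with no lifecycle owner, auto-renewals due soon, and categories with functionally redundant tools. All app names, owners and dates are made-up sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inputs. Only the managed inventory carries owner,
# category and renewal details; SSO and expense data only show usage.
SSO_APPS = {"Slack", "Zoom", "Notion", "Figma"}
EXPENSE_RECORDS = [
    {"app": "Zoom", "dept": "Sales"},
    {"app": "Calendly", "dept": "Sales"},
    {"app": "Notion", "dept": "Engineering"},
    {"app": "Figma", "dept": "Design"},
]
MANAGED_INVENTORY = {
    "Slack": {"owner": "it-collab", "category": "chat",
              "auto_renew": True, "renews": date(2023, 1, 15)},
    "Teams": {"owner": "it-collab", "category": "chat",
              "auto_renew": True, "renews": date(2023, 3, 1)},
    "Zoom": {"owner": None, "category": "video",
             "auto_renew": True, "renews": date(2022, 12, 1)},
    "Notion": {"owner": "eng-tools", "category": "docs",
               "auto_renew": False, "renews": date(2023, 6, 30)},
}


def audit(sso, expenses, inventory, today, horizon_days=60):
    """Cross-reference the discovery sources and return the governance findings."""
    # Anything used or paid for that IT does not track is shadow SaaS.
    seen = set(sso) | {r["app"] for r in expenses}
    shadow = sorted(seen - set(inventory))

    # Inventory entries with nobody accountable for the app's lifecycle.
    no_owner = sorted(app for app, m in inventory.items() if not m["owner"])

    # Auto-renewals landing inside the review horizon need a decision now.
    cutoff = today + timedelta(days=horizon_days)
    auto_renew_soon = sorted(app for app, m in inventory.items()
                             if m["auto_renew"] and m["renews"] <= cutoff)

    # More than one managed app in the same category is a redundancy candidate.
    by_category = defaultdict(list)
    for app, m in inventory.items():
        by_category[m["category"]].append(app)
    redundant = sorted(c for c, apps in by_category.items() if len(apps) > 1)

    return {"shadow": shadow, "no_owner": no_owner,
            "auto_renew_soon": auto_renew_soon, "redundant": redundant}


if __name__ == "__main__":
    print(audit(SSO_APPS, EXPENSE_RECORDS, MANAGED_INVENTORY, date(2022, 11, 1)))
```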