90% of CIOs expect their organisation’s overall IT budget to either increase or remain the same over the next 12 months, according to the 2022 State of the CIO Executive Summary.
The biggest contributor to the tech budget increase according to this report? Need for security improvements.
There is always a greater need when it comes to security, even with the most effective governance in place, because business operations and priorities are constantly evolving. With the emergence of appealing technologies, increased employee demands, and customer expectations, comes the need for adaptable and flexible governance.
Software-as-a-service (SaaS) has quietly accommodated itself into the organisation’s technology portfolio. IT departments unknowingly let hundreds of SaaS applications that may pose security threats invade the organisation without adequate vetting. And, for governance to stay relevant through the years, it must be granular and should extend to every corner of the organisation.
Layers of Governance
Enterprise Governance: Set of policies and practices that provides the strategic direction to align an organisation’s strategic objectives, evaluate and manage risks, and ensure responsible resource efficiency.
IT Governance: An integral part of enterprise governance, it is a formal framework that provides a structure for the company to align their IT strategy with the corporate objectives.
SaaS Governance: A compliance framework set forth by the IT department that includes processes and methodologies to identify, manage and secure the adoption and usage of SaaS solutions across the organisation.
Why the need for SaaS Governance?
Originally IT governance teams may have focused on the on-prem giants, prioritised because of the associated financial risk – Microsoft, Oracle, SAP, IBM, VMWare, and Salesforce, referred to as the “Big-6” by the ITAM Review.
The governance radar covers the management of these tier-1 software publishers by default because the financial risk resulting from their non-compliance is fairly large.
But the challenge has changed and, now, the IT departments are forced to wrap their head around how they can possibly govern the underlying growth of the organisation’s SaaS portfolios with a framework as robust as that of the on-prem software.
SaaS vendors are selling directly to the end-users who don’t find it necessary to run their purchase decisions by the IT department. Therefore, the need for SaaS governance doesn’t become apparent until IT learns that the business departments’ buying spree has resulted in persisting shadow IT or several unvetted SaaS applications presenting new data storage and privacy threats.
Lack of SaaS governance doesn’t stop at resulting in the wastage of financial resources; rather also exposes the organisation to cybersecurity, operational, regulatory, reputational and organisational risks.
SaaS governance is how companies can be sure about the integrity of their security measures and predict potential casualties. It not only protects the financial interests of the organisation but also ensures reduced downtime to overcome any casualty without hindering the productivity of the employees.
3 steps of SaaS Governance:
Step 1. Gain complete visibility of your SaaS ecosystem:
The best possible way to start is deep-diving into the SaaS environment of the enterprise. The discoveries resulting from this campaign will set the baseline for SaaS governance. Larger the organisation, the trickier the hunt.
The biggest challenge is excavating the myriad of shadow SaaS that would’ve piled over time when employees purchase subscription-based SaaS tools for personal or departmental use without notifying the IT department.
The best approach is the initiation of an audit across the organisation to discover and flag the managed or unmanaged applications. This formal audit should aim for a pan-organisation check for the SaaS purchases, employees’ navigations logs, SSO data, checking personal devices, browser extensions, etc.
Data from all levels of the organisation - SaaS for personal use by employees, departmental SaaS, and business unit portfolio; should be combined and monitored in real-time to understand trends in SaaS adoption.
The real-time data extracted from the company’s ecosystem will indicate faulty trends and malpractices like unchecked auto-renewal of SaaS subscriptions, functionally redundant tools, no stakeholder responsible for the SaaS’ lifecycle and more such anomalies.
Step 2. Establishing a SaaS governance “Framework”:
The trends observed after the visibility campaign allow us to set forth guidelines and policies, and list best practices to guard every step - from procurement to offboarding of the SaaS app throughout its lifecycle in an organisation. Flexibility, predictability and security are the three main pillars that should be kept in mind during the design of this model.
The challenge is to ensure the right amount of flexibility in the framework. The ease of procuring these SaaS tools has encouraged the end-users to be autonomous and choose the technology that they think fits. And, the last thing the IT teams can do is to put an end to this innovation from the bottom up due to the strict policies.
While there is no standard framework and every structure will be different according to the industry and other factors in question, the one thing that can be in common is its flexibility.
Designing a SaaS governance framework will take rigorous efforts, wherein IT will need to involve external stakeholders specialising in different aspects like security, procurement, finance and even end-users. Already existing procedures like the ones for vetting the SaaS vendor can be optimised in accordance with corporate objectives, communication between the business units can be revised, and data-backed (or ROI-backed) decisions can be given priority in the newly developed model to minimise security vulnerabilities and optimise costs.
Step 3. Create ordered and guided freedom within the teams:
Encouraging the company’s departments to operate within the guardrails of this governance model is a challenge that can be mitigated with the right approach from IT. The governance will only be effective if every SaaS decision remains aligned with the company’s business objectives. SaaS enablement is IT's responsibility.
IT and the departments have been long-advised to collaborate over technology decisions. One approach by which IT can come closer to them is by being sensitive to their technology needs. Introducing a SaaS Directory and an App Store can be that stepping stone toward a collaborative future.
Beamy's App Store provides access to over 50K SaaS solutions, including those already in use within the company as well as those on the market that can help meet the employee’s specific needs.
Beamy's employee portal is an all-in-one platform where teams can request apps through workflow, find key guidelines or best practices relative to the governance policy, engage with other teams to ask for advice about a solution or a need and use the market directory. Essential features of the app store are security criticality scoring, application owner info, approval status and more.
An effective SaaS governance project will reflect in two ways - financially and as an overall changed mindset; where teams are aware of what possible turns can their purchase decision take and how distant their step is from the organisation’s corporate objectives.