Customer Story

Macif reinvents its IT-business relationship by tackling Shadow IT

In the last few years, the rise of SaaS in companies has been perceived as a double-edged sword. A major source of freedom and acceleration for businesses, it has also been synonymous with headaches for IT departments, particularly from a security and compliance standpoint. Didier Fleury, CIO of the French mutual insurance group Macif, and Andréa Jacquemin, CEO of the start-up Beamy, which specialises in supporting this phenomenon, give their recipes for finding the right balance in organisations.

Alliancy. Why did you commission a company like Beamy to detect the SaaS tools used at Macif?

Didier Fleury. The starting point was really detecting shadow IT (the use of IT resources in the company that are not controlled by the IT department, editor’s note) in a concrete way. The teams often talked about it and we were already trying to have a more comprehensive picture, but the phenomenon had to be objectified.

With Beamy we started with a process of identifying all the SaaS tools used. This highlighted what I already suspected: the ones we were aware of were just the tip of the iceberg. This starting point opened up the discussion: what does SaaS really do for our organisation?

In fact, the ubiquity of SaaS is understandable. Start-ups are attracting businesses by offering highly relevant solutions in specific verticals, so the interest is obvious. What’s more, the initial costs are low, it’s easy to get started, and there’s no complex integration... And, most of the time, you can get started with such a solution without having to go through the Purchasing Department; indeed, given the needs and amounts involved at the outset, a simple business bank card can bypass conventional purchasing processes. This makes sense because businesses need to move fast. The problem is that when the subject is detected too late, the place it has taken in the IT environment is very important, but without taking on board GDPR compliance, regulatory compliance and compliance with the ACPR (‘Autorité de contrôle prudentiel et de résolution’ - the French supervisory authority that supervises banks and insurance companies), even though these are essential points in our activities.

The growth of SaaS is not something new. How aware are CIOs of the problem today?

Didier Fleury. There was an extra surge during the health crisis, especially in marketing and HR activities. Everything went very fast in companies. In the best of cases, businesses have taken a declarative approach, such as MARIE, but this is seldom verified in detail. This explains the current gap between what CIOs think they know about shadow IT and the reality. In our case, for example, we had about 50 identified solutions, but the discovery showed us that there were actually more than 150 in use.

Andréa Jacquemin. This is in line with the average numbers we see in the 1000+ companies we work with. On average, out of 190 SaaS in an organization, only 27 are fully managed by the IT department, and another 46 are partially approved... That leaves nearly 120 that are completely unknown. The phenomenon is systemic and can no longer be dismissed as residual shadow IT. It affects all types of companies, but SaaS is a more difficult subject for traditional organisations, compared to those founded in the digital age, for whom this technological approach is often the basis of the business. Above all, few CIOs are still humble enough to say they are not sure. We still often hear arguments like, ‘in my company it’s different’... The phenomenon is considerably underestimated.

What should be the new role for CIOs in this context?

Didier Fleury. In our case, we were able to sort it out thanks to Beamy’s application dictionary, which presents the typical attributes of the various SaaS, their referencing, and their hosting. This gives CIOs a basis for checking and creating a catalogue of validated and consistent applications... We don’t want to prevent businesses from having ideas, but we want to be able to guarantee that they won’t reinvent the wheel and that they will integrate security and compliance dimensions into their quick selections. The role of the CIO is, therefore, to enable anticipation, in order to avoid breakdowns later on, after the projects have progressed.

Andréa Jacquemin. The debate is potentially explosive, because it pushes us to break out of our old habits, and it questions the traditional IT-business relationship. But this debate must take place. In a recent study, KPMG estimates that the volume of SaaS in companies will increase ninefold in ten years. This means that there will be an average of more than 1,000 applications of this type in 2030, with the proportion managed directly by the IT department in a centralised manner remaining very low compared to that managed by the business departments, which is soaring... The issue is, therefore, one of ensuring the proper decentralisation of IT, because, in any case, digital technology is everywhere nowadays. In this context, the role of the CIO is to detect and build a catalogue in conjunction with the business departments. This is to make them responsible for their solutions, by creating an ad-hoc governance of this new decentralised environment.

It is, therefore, a long-term approach that we recommend, based upon specific data models for each sector and type of company. The role of CIOs is changing significantly to allow them to give this autonomy to business departments through a matrix of responsibilities.

Didier Fleury. Indeed, discovery is not enough. There must be ongoing monitoring of the applications used, but also, and more importantly, the implementation of a governance framework that is truly adapted. It’s not just a question of wanting to police. That would be pointless.

What should be the characteristics of this governance framework?

Didier Fleury. It starts with a common rule, in order to be a point of reference for all the business and IT parties, with business representatives who will be able to check what solutions already exist in relation to their needs and match them to projects already underway. In this way, we move away from very sequential processes and better integrate the IT-business relationship, with the CISO engaging constructively on the issue of security.

Andréa Jacquemin. When we speak of governance, we must also speak of accountability: the spirit is to define a framework of freedom for the business departments according to the specific characteristics of each company, but in which responsibilities are clearly established. Transparency and the communication that goes with it are, therefore, also essential features.

Didier Fleury. That was one of the things I hired for when I arrived: having someone whose job it really is to do IT marketing and communication is very valuable. When a CIO doesn’t make it known that he or she understands the business, it’s very difficult to be credible and to be listened to... There’s no point in having nice consultant speeches about agility, without real life experience and the difficult questioning required by these changes.

In terms of the IT-Business relationship, the problem of the traditional project management and project control approach has, I think, been known for a long time. Depending on the period, project management assistance, which was the link between the two, tended to lean more to one side or the other, and this was more or less well received by the stakeholders...

But in fact, that’s not the issue. IT must define set rules, infrastructure and cybersecurity; and from there, the business solutions are the direct responsibility of the business departments, with the associated IT skills, enabling them to manage their entire responsibility within the framework of the rules set out. This has already been tried in the past, but now we are trying to take a comprehensive approach. By gradually moving away from V-cycles, we are asking for a change in the mindset of the teams, which is clearly moving in this direction. And the effects can be seen at the highest level: for the past two years, the general management has been paying close attention to the challenges of the information system as a whole.
