Opinion Article

Europe's top companies are pursuing digitalisation through intensive use of the Cloud, largely unchecked by management teams

With a forecast of an average annual growth of 25% through 2030, the rapid rise to power of cloud computing raises major issues in terms of security and governance. The French government's initiatives to establish "cloud sovereignty" fail to adequately address the impact of SaaS, despite the fact that it is creating underground (or shadow) IT systems in companies, thereby dramatically increasing their exposure to cyberattacks.

The use of SaaS among employees is booming, creating an underground digital world

According to a KPMG study carried out last May, as part of the French government's initiative on data sovereignty and the Cloud, the European cloud computing market is set to expand, reaching €560 billion by 2030. It distributes €230 billion equally between infrastructure needs (IaaS/PaaS) and software/application requirements (SaaS). But, while data infrastructure has dominated the sovereignty debate over the past few months, with the European Gaia-X initiative and the defence of French providers OVH, Orange and Scaleway against US tech giants such as Amazon, Google and Microsoft, little or nothing has been said about its software equivalent: SaaS.

And yet, often unbeknownst to IT Departments and upper management teams, the use of SaaS among employees is booming, creating a kind of underground digital world with little regard for security (GDPR) or digital sovereignty issues.

As a result, in the top firms listed in France's CAC 40 index, and across large companies as a whole, SaaS is now a key vector in digitalising their business. Often referred to as Shadow IT, the SaaS ecosystem generally relies on the widespread use of tools made available online, which are usually extremely specific and operate on a subscription basis. These tools are deployed without the oversight of onerous corporate governance procedures, and mostly pass under the company's radar since “the group doesn't bother looking at anything under €100k”, even if they represent millions of euros in cumulative annual costs. This outsourcing of IT regularly manifests as unrestricted use of personal data (more than 40% of SaaS used is American), potentially generating a multitude of future security issues and compliance vulnerabilities.

Only 14% of SaaS providers in CAC 40 companies are properly managed

Therefore, these are without a doubt "underground" digital systems, with an average of over 190 different Cloud providers for a company with more than 1000 employees. Out of these 190 providers, only 60 are managed by an IS Department, 44 by the DPO, and 36 by security teams. And if, as predicted by KPMG, the Cloud continues to grow, then more than a thousand different SaaS providers could be used by a single company in 2030. Establishing a clear governance framework for cloud-based SaaS will therefore be vital for the future, since it brings to the fore issues of data sovereignty, cyber defence and the digital performance of our companies.

Allowing business lines to manage their own digital transformation

Since digital transformation is everyone's business, and especially that of the teams themselves, it's only natural for them to want to tackle it hands-on, particularly those from the latest generation: the generation of smartphones and apps that can be installed and uninstalled in a click. This "one-click" generation expects companies to provide the very best that technology has to offer, whether in terms of processing speed, user-friendly interfaces, or the use of tools to simplify and enhance their work performance. And what’s more, it would be something of an understatement to suggest that this is not yet part of the solutions offered by major companies.

This is despite the fact that the technology required is available on the global market (almost 100,000 SaaS), with venture capital investments in the hundreds of billions of euros. These solutions rank among the fastest, the most powerful and the best-suited to ensuring the digitisation of processes, but are also those that store and use the most personal data abroad. What is needed, therefore, is the creation of a kind of App Store for each company, to give businesses the ability to choose the best software for themselves, while carefully guiding them to select, use and de-risk these tools in the long term.

Coordinating business units and IS teams for effective digital governance

The CIO holds a strategic position in this regard: that of providing the company with a framework for decentralising digitalisation, and of making sure, despite the technological progress pursued by operational teams, that a regulatory framework is respected, that personal data processed by these tools are properly protected, and that external security breaches are brought down to a minimum. In this context, the CIO acts as the orchestrator of the digital ecosystem, giving freedom to business units while making sure that the application landscape is optimised and safe.

The focus on a "sovereign cloud" will remain a futile endeavour if SaaS, which accounts for half of Cloud Computing, is still placed in the background. Within companies, it is up to general management to initiate the construction of a decentralised approach to digital governance, the only thing capable of successfully bringing structure to this volatile part of the Cloud. It's a strategy that requires the involvement, not only of the CIO, but of the entire executive committee, and all departments affected by the challenges of digital transformation.

But for now, the most pressing priority is to take stock of the existing Shadow IT being used in this way!
