By Jennifer Kuvlesky, Senior Product Marketing Manager at Snow Software
You would think that this is an easy enough question for any organisation’s CIO or IT department, but surprisingly, it has always been an issue, and since the rapid change to work-at-home/hybrid working in 2020 at the beginning of ‘lockdown’, the number of applications that have come into use without official vetting has increased considerably. In the Snow 2022 IT Priorities Report, an in-depth study in the UK and US of the changing role and expectations of IT leaders, 69% stated that in the last 12 months alone, their organisation’s investment in SaaS applications had seen a marked increase.
We are already starting to see a relaxing of Covid restrictions in 2022, but it is certain that the hybrid working model will remain in most organisations for the foreseeable future. However, companies need to get control over their SaaS application use, which, understandably, got slightly out of control during the height of the pandemic. The first step to get things on the right track is to know how many SaaS applications you really have, and how many are actually being used. This information is vital to ensuring that your organisation can reduce risk, minimise contract complexity and reduce costs from unused or over-licensed applications.
From a security and risk point of view, it is essential that you find out how many employees are using SaaS apps that didn’t go through any formal procurement procedure and aren’t covered by your company’s identity and access management solutions (e.g. single sign-on – SSO). When apps don’t go through your SSO platform, they can create a major security weakness, with poor quality passwords pretty much giving hackers an open door. And then there are compliance issues with employees processing and storing company and customer data: fines can be huge!
Another major problem is that employees can be using individual subscriptions when these should be owned by the company as a business plan, and you could also have lots of different individual subscriptions, meaning that the company is overpaying and being non-compliant at the same time. These apps may have become ‘standard’ as far as users are concerned, but the IT department may not even know about them until there is a problem and the user needs IT to sort it out.
Corporate IP can also be at risk with this SaaS app free-for-all: corporate data stored in applications that can be accessed without audit and compliance processes can be a huge risk, and one that is really not worth taking. All in all, the risks you are taking without knowing what is going on in your organisation range from undesirable to full-on-crisis level bad.
On the commercial side, things can get equally complex (and expensive!). It is particularly problematic for companies that have ‘organisational silos’ or multiple offices, or that are prone to M&As. It is very likely that these sorts of organisations could unknowingly have multiple agreements with the same vendor, which means that the company is missing out on volume discounts, and they might have users that have too little or too much functionality as part of their license. It may be better to have one enterprise agreement so that licenses can be shared across various business units and geographies.
Of course, all of this work looking to reduce risk and costs will also show up what licenses are unused or underused (although this is often the hardest element to detect). On average, 30% of license spend is wasted, which is often caused by licenses for premium tiers being allocated to users who don’t require that much functionality, which is not cost-effective. This can be quite complex as vendors have grouped feature sets into product bundles. With usage-based pricing, application costs can bring a bigger-than-anticipated bill if adoption is more successful than originally anticipated. It’s difficult to budget for at the best of times, but impossible if you don’t even know that the agreement exists!
It’s not hard to agree that getting control of your SaaS applications is absolutely essential. By knowing what is really going on, CIOs are able to protect their organisation from the risk of potentially serious security breaches as well as a lot of unnecessary expense. The good news is that there are multiple methods available to discover SaaS applications and usage, and by putting robust methodologies in place, IT leaders can make the most of their SaaS usage and secure their company.