Gürkan Berkan: Protecting the Business from SaaS Risks at Coupa
Gurkan Berkan: If we don't have visibility into our technology, we expose ourselves. For that reason, having that visibility, but not just visibility. But having a very easily digestible manner that you can access very quickly is very critical. If you don't have that then you're really missing the picture. And if you're missing the picture, you don't know what you don't know when you're exposed.
Cory Wheeler: Hello, hello, and welcome to SaaSMe Unfiltered, the SaaS management podcast. The show with give-it-to-you-straight, real-life advice with pros knee deep in SaaS every single day. SaaS management superheroes just like you. We are back for another episode of SaaSMe Unfiltered. Really excited to have you join us. I'm Cory Wheeler, co-founder and chief customer officer here at Zylo.
Ashley Hickman: And I'm Ashley Hickman, manager of customer success at Zylo.
Cory Wheeler: And we have a wonderful guest joining us today. Very excited about this, as I always am with the caliber of guests that we've been able to bring on the show. This guest has been in his role for a little over a year. His experience prior to coming into IT was in public accounting. He was in a public accounting firm as an auditor and a consultant around IT-specific initiatives. Really attaching and attacking IT-professional-services-type projects. Things like process improvements within financial institutions. He's worked in tech organizations delivering IT strategies around compliance, process, audits. And he works for, absolutely, without a doubt, one of our favorite companies, that is Coupa. Welcome to the show, Gurkan Berkan. How are you, Gurkan?
Gurkan Berkan: Well, I'm doing fantastic. Thank you, Cory, for the warm intro and all the kind words. Very excited to be here for the dialog with you guys.
Cory Wheeler: That's great. It's a fun conversation. What we want to know is more about you and your experience and your journey. So I'm super excited to jump into that a little bit. I'd love to start off the conversation just asking you, what does that career progression look like for you? And what has that led you to at Coupa? What are you owning today internally, those large strategies. And maybe a little bit about that journey that got you in the door at Coupa.
Gurkan Berkan: It's definitely been a very interesting journey, having spent many years in the professional service industry, doing all those advisory, consulting, and audit-related IT services. I see myself as a problem solver in the technology space. Over the years, I had the pleasure of working with lots of different companies, interacting with so many people. And through that, I learned quite a bit. I've seen lots of broken processes. I also saw lots of areas to improve and many lessons learned from all of that. After joining Coupa, we formed a quick, small tactical team. And we started working on internal problems to solve. Either broken processes or maybe areas where there's some room for improvement. I guess maybe that's a good segue into what I'm doing today and what my team is doing, which is another kind of a loaded question. Because we wear many hats. We do everything that's in the other category. So that includes operations and compliance. And nowadays, even some data-related activities. But one of the key things that we perform is helping our IT organization achieve operational excellence. What that really means is we help facilitate all kinds of day-to-day operational activities, such as measuring metrics, or managing vendors, or managing spend, monitoring SaaS, compliance, audits, and the list goes on. While doing all of that, there's obviously lots of areas to improve. And we just form small, tactical projects, partnering up with some amazing people. And always looking for ways to improve the status quo.
Cory Wheeler: Love it. It's been a great experience working with the Coupa team through your journey and evolution through the last several years. And over the last several years, one thing has been consistent, which is growth. So it's no doubt that there's never a lot of things that are waiting on you to get to complete. But as you've grown, maybe take a quick step back. Can you provide us a quick overview of Coupa? Why I say it's one of my favorite companies. But really, what is Coupa's core use case and what are you doing as a company overall from a strategic level?
Gurkan Berkan: Yeah, no, my pleasure. Coupa's platform is very comprehensive. For that reason, we can really spend a lot of time talking about it. If I were to summarize it, I would think of Coupa as a cloud-based platform that is here to help organizations achieve goals about getting smarter about how they spend their money. It's all about getting spend under control and being smart about it. Our platform brings all aspects of spend management to our customers by connecting them with millions of suppliers. And also, while doing that, it's also bringing lots of valuable insights by making use of the billions of dollars of transactional spend data.
Cory Wheeler: Yep, you nailed it. That's why I say it's one of my favorite companies. You're doing it at scale. At Zylo, we're focused on one of those core use cases under the spend management umbrella around SaaS. But to be able to work with an organization that has really built the premier end solution for business spend management has been a joy. And using Coupa my entire career, it's kind of come full circle to be able to work with your team. Great overview. How about personally? What do you like to do in your free time? You're out there in the Bay Area. Just perfect weather all the time. So what are you out there doing?
Gurkan Berkan: Yeah, no, I'm definitely enjoying the perfect weather and the perfect outdoors of the Bay Area. Overall, I really am an outdoors person. I really like spending time outdoors. Anything from hiking, to going for a run, cycling. Wintertime, I like to go to Tahoe to do some winter sports. Anything that can get me out of the house and enjoy the weather, you can count me on.
Cory Wheeler: I love it. I love it. I think that would be my answer as well if I lived directly in the Bay Area. So, good one.
Ashley Hickman: So now, we'd love to get your take on something. We're. Our colleague, Thom McCorkle, is going to share a Zylo point of view. And you tell us what you think. Whether you agree, disagree, and why. So are you ready?
Gurkan Berkan: All right. Let's do it.
Thom McCorkle: Hey, everyone. Welcome to Hot Takes with Thom. A give-it-to-you-straight point of view on SaaS management and optimization. Today's Hot Take is, not having a picture of your SaaS landscape leaves your organization open to risks. Let me paint a picture for you. You're asked by leadership, "What tools are out there and what controls do we have in place?" So you share what you know about it. But there's a doubt in the back of your mind that there's probably more out there. At Zylo, we often see these gaps show up in a few ways. Hidden costs and purchases made outside the purview of IT and procurement. Potential for security breach and data leaks. Not just your business, but your customers' data too. And finally, non-compliance. Within any industry or accreditation, you always have a component of data governance and stewardship to be mindful of. Sure, a lack of visibility means plausible deniability. But can you live with yourself if something happens and you knew that there were gaps? Bottom line, it's your responsibility to protect your business. The only way to do that is to proactively seek out a whole picture of your landscape. 100% visibility ensures you can answer those questions and leave doubt in the dust.
Gurkan Berkan: I agree with everything Thom is saying. Obviously, that's one of the things I was living and breathing every day here at Coupa as well. If we don't have visibility into our technology, we expose ourselves. And for that reason, having that visibility, but not just visibility. But having a very easily digestible manner that you can access very quickly is very critical. If you don't have that then you're really missing the picture. And if you're missing the picture, you don't know what you don't know when you're exposed. So yeah, I agree.
Ashley Hickman: And I'm sure you also, just in your consulting experience, probably ran into that from time to time, right? Some of your customers or projects you were working on probably ended up in positions where they didn't have that visibility. And where open-job systems pretty big risks as a result.
Gurkan Berkan: Yeah, no, it's definitely one of the common pitfalls. We have all seen many examples of that.
Ashley Hickman: Absolutely. Well, thank you. Thank you for participating in Hot Takes with Thom. So now, we're going to get into some additional questions really to just dig into your background, your experience, your expertise, lessons learned, all that good stuff. So first, I want to start off with what your SaaS management journey looks like. And that could be initially at Coupa. It could be in your previous lives, working on projects at other organizations. So, curious where that started for you. If it was first at Coupa, previously, and what that progression has been since.
Gurkan Berkan: Yeah, prior to Coupa, I've seen examples of lacking of SaaS management. Among the many companies that I closely work with, there has always been a missing piece. And some of them, the piece was not missing. But more often than not, we saw this as a gap. There was not enough insight into the overall IT landscape, especially on the space of SaaS. Because in the past couple of years, there has been an increasing demand from end users to onboard new systems, new tools. And with these tools being as easily accessible to a browser, it just opened the opportunities to onboard lots of tools in a very fast manner. Very soon, things started to get out of control. That's usually what I observe in the industry. With Coupa, ever since I joined, Zylo was already in place. Zylo really gave us a good baseline of, at least for the technology side of it, being able to see and predict all the SaaS. Again, being able to understand, what is being used where? How much money is being? And what has been approved? What has not been approved? And how many users are there? All of that. From there, once you have that as a tool to support you, then from there you can build very effective monitoring programs and make more informed decisions about your technology acquisitions.
Ashley Hickman: Yeah, absolutely. You mentioned when you came to Coupa, you already had Zylo in place. So, essentially, you already had that baseline. Was there anything that was surprising when you started?
Gurkan Berkan: Yeah, not just one thing. When you're monitoring this, you're always seeing some trends and new things that are coming up. Some of these are the application landscape, especially on the SaaS side, always growing. So that's always a big pain point for many companies. That also includes us. Another interesting one is, we're seeing lots of applications that are purchased via a demo or a quick demonstration with the vendors that come in with zero dollars. So through that, a lot of people are able to not go through the whole procurement process. Because when there's zero dollars, then there's not much to approve. But being able to see all of that was really eye-opening. Then, last but not least, there's also some systems that we maybe are not using anymore. And we want to decommission. Again, having visibility into all of this is what was an eye-opening experience for myself and for my teams. Because then, with all of that data, we've been able to facilitate dialog around this stuff and make some informed decisions.
Cory Wheeler: Real quick follow-up there, Gurkan. What you're talking about a little bit is the concept of governance. A lot of companies wrestle with this. Coupa would probably have a really good perspective here because you're a business spend management solution. Spend management top down, so governance can be fairly black and white in that type of an environment. But it's not that easy. If it is this type of a solution, you can't do it. You can't buy a new one. You can't get a duplicate. If you're solely looking at objective data, like business data or spend data, that might be a straightforward answer. But you know the reality of that, that governance is a little bit more than that. Can you talk about how you balance the efforts of pulling back SaaS within your business versus allowing the business to use what's efficient for them?
Gurkan Berkan: Yeah, no, that's a great question. By design, we like to enable our end users to have the freedom of choice when it comes to the applications they want to use on a day-to-day basis for them to do their jobs, right?
Cory Wheeler: Yeah.
Gurkan Berkan: But there's always a thin line in between giving the freedom versus reaching that uncontrolled chaos. Finding the right balance is where that governance comes into the picture. More often than not, we still see lots of applications that the end users are trying to bring in. And yes, there are duplicates. They already exist. Or maybe it's not a solution that we don't want to support because it doesn't meet our security standards. But when we have the governance, at least we're able to have dialog about these things. And with dialogs, we're able to make those informed decisions. That's really what it all comes down to, being able to have that dialog and figure out what's best for the organization. And while doing that, if we can also increase the efficiency and effectiveness of the way that our end users are working, then that's a win for all of us. That's what we're always trying to solve.
Cory Wheeler: Yeah, totally love that. It's all about having a balance.
Ashley Hickman: That, it is. Another question that I have for you is around your business outcomes. Especially, around this time of year, we're having a lot of conversations ourselves with our customers, including Coupa, around what their business outcomes look like for 2023. What are those big goals? And then, of course, we want to support them with the platform with the data. We always want to make sure that we're very much in tandem and step with what the organization's business objectives are. You may have those already for 2023, you may not. So you can always talk about 2022. But curious for what those current business objectives are for Coupa and how SaaS management blends in with those or pairs well. Or even future state, what you're thinking about for next year.
Gurkan Berkan: Yeah, no, that's a great question. It might be better to look at this from the lens of our technology services group, which is the IT team at Coupa. Because our end customers are basically the end users of... the employees of Coupa. And our objectives year over year don't change a ton. But we make some adjustments to them as we get closer to the year end. Number-one objective is always enabling those end users. Making sure that they have access to the technology they need. And they're getting that access fast and things are not painful for them. To be able to do that effectively, we really need to, again, take a look at our technology stack and figure out what's working, what's not working, what needs to go, and what needs to stay, all the time. Another important objective is to keep innovating. Wherever people find things to innovate, usually it's just not having enough time to do all of those great things. But having powerful tools in our arsenal does give us an edge. And being able to leverage all those tools have to offer usually brings innovations with it. So that's something where we'll continue to do and there's more in. Lastly, we are moving towards getting more and more serious about metrics and measurement. Being able to measure how you're doing and how you're delivering really is eye-opening. And it helps in so many ways. It just doesn't always drive efficiency. But also, it helps us to do our own marketing a little bit. If we're good at our jobs, we like to be able to call that out. Or if there's some areas that we need to improve, at least we want to be able to use that data. And even go solve more problems and be better.
Cory Wheeler: Those are great. Focusing on the employee is really where IT is rooted in today's environment. Driving innovation and measuring and tracking, I think those are awesome core components to a program. Does Coupa, at a very high level, being in spend management, have optimization goals given the current economic climate and uncertainty surrounding a lot of organizations? Are there any new goals that they've got out there to be fiscally responsible and to ensure G&A targets are kept in check? And does IT have a role in that? Or is it really focused on the employee innovation and KPIs, and that's the organization marching order?
Gurkan Berkan: Yeah, no, absolutely. I mean, Coupa is a spend management company. Of course, spend is one of the most important things for us and we take pride in what we do. We also look at our own spend. That is something that's baked into our culture for that reason. That's not necessarily a goal, but that's something that we try to thrive in all the time. But you're right, we're also seeing the current economic slowdown. We're also feeling it a little bit, similar to many of our peers in the industry. For that reason, we don't necessarily have new goals or new objectives around us. But we are encouraged to be more detail-oriented. We're encouraged to be taking a look at our spend a little bit more carefully. And we're encouraged to also look at our technology stack better. Because maybe there are some outdated systems there or maybe there are some systems that we don't really need. We're definitely looking at these things and trying to slim down. We're slimming down as necessary.
Cory Wheeler: Yeah, that makes sense. From there, we have the good fortune of having you on our customer advisory board. We just had our customer advisory board meeting earlier this week. A big outcome from that, from a lot of the IT leadership on the call, was an ongoing and a heightened increase on SaaS risk and compliance. How do you think about and manage and measure risk and compliance around SaaS internally at Coupa today?
Gurkan Berkan: Yeah, that's a loaded question. I have to say, it takes a village. It really does, because it's not one person sitting at a desk and looking at a risk and compliance, no. We've moved away from that many, many years ago. These task solutions have gotten so complex. And they all have their own unique delivery models where risks are always changing. And really being able to understand what the risks are for any given SaaS. And being able to come up with ways to address those risks is a full-time effort. In Coupa, we do that by teaming up with professionals from other departments. Because we have engineers. We have GRC. We have privacy, for example. We have information security. And we have legal. Usually, it's a combination of some representatives from all these groups coming together and figuring out, "Okay. Well, here are the risks related to this SaaS solution. And what do we have to address these risks? Do we need to do something different or can we leverage what we already have for us?" Usually, more often than not, existing controls, existing methods that we've deployed, it turns out that they're sufficient. But every now and then, we're going to run into some new risks. We'll prioritize them. We'll figure out whether it's something that needs to be addressed immediately or whether that's something that needs to be addressed in a... or part of maybe a longer-term project. And take action accordingly.
Cory Wheeler: With your renewed focus on KPIs and measurement, have you put any thought around risk and compliance? And how to measure that internally at Coupa whether it's... The GRC process that a lot of these applications go through, SOC 2, Type 2, GDPR, CCPA. Do you quantify that internally or provide coverage of apps that have those met? Any KPIs around compliance and risk?
Gurkan Berkan: Yeah. Well, truth is, all the applications that we onboard, they have to go through a compliance review. And our GRC team is one of the parties that are in the approval workflow for all the SaaS that we're onboarding. For that reason, there's a detailed level of vetting that goes into all SaaS. And because we've implemented that at the beginning of the process, usually the monitoring of that or ethics behind it is always showing 100% compliance. Because we have that preventative measure in place.
Ashley Hickman: When we think about measuring things at a little bit of a more granular level, and we think about SaaS management, what does that look like for Coupa today? And again, if you have any future-state ideas or plans.
Gurkan Berkan: Yeah, I think the biggest key metric over there is measuring the shadow IT. Shadow IT is something that we monitor closely. We don't really care about the number of shadow IT applications found or new internal IT applications that's coming. But we care more about what's being managed, and what is being closed, what is being tracked down and what actions are being taken. That's something that we're monitoring and that's something that we're measuring as a metric.
Ashley Hickman: Nice. So for those things that you are monitoring, measuring, where does that happen? Because I'm sure a lot of those things are happening. You want to know that they're happening depending on what, again, regulatory need. Cory mentioned a bunch of those. I know there's a lot of documentation usually that goes into risk and compliance avoidance. So, curious how that process is happening today.
Gurkan Berkan: Yeah. First of all, discovery happens... A lot of it starts in Zylo, because Zylo gives us that very easy discovery capability. And sets us up for success when it comes to monitoring and identifying shadow IT. But then later on, obviously, depending on what has been discovered. In some cases these are tools that we maybe already had in place. And they were made false positive. Then maybe some commentary's going to be added to that inventory that's being discovered in the Zylo itself. Or in some cases, maybe it is something that's fairly new. And maybe we're going to have to get some additional documentation or controls around it. In those cases, obviously, internal documentation portals such as Confluence come into the picture where maybe some new procedures need to be documented. Or maybe we need to go back and visit some of the policies. But it's usually achieved through a combination of different tools and different documentation repositories.
Cory Wheeler: I couldn't agree more with all of that. I'd love to spin that and do a quick conversation around... I think this happened right before you came on board at Coupa. But you guys acquired Llamasoft and there was a big M&A rightsizing discovery, a strategic view of what applications you should be leveraging. Maybe learning from Llamasoft as well. What are they leveraging that you might want to use? Maybe talk a little bit about M&A and how that affects specifically your SaaS management and your strategies around tooling going forward.
Gurkan Berkan: Yeah, no, M&A is a very, very tricky thing to navigate. And very similarly to benefiting from visibility, having visibility to our own environment. Being able to quickly discover the SaaS portfolio of that M&A prospect is also extremely crucial. Typically, everything is very accelerated in an M&A process. And the M&A teams, they don't always have the time to do the full, complete due diligence to get a complete picture of what the technology stacks look like. Again, having a powerful tool such as Zylo to be able to give the M&A team that complete picture comes in the very end. And it will definitely help the team to save time and be ahead of the game. Because when you have the full picture, then you can strategize. And you can go and take a look at, "Okay, what fits in my organization?" or, "What doesn't fit in my organization?" or, "What can maybe, in the future, fit in my organization?" But through reviewing all of that and coming up with decisions to keep, or some things maybe you don't want to keep, is extremely valuable.
Cory Wheeler: Yeah, that's great. We often talk about, as I've mentioned, the operationalization of renewals across a customer profile. And in those M&A environments, getting in front of that very, very quickly with the acquired entity. And driving those decisions in a pragmatic way all year long, as those renewals come through, that's the point of value. That's the point of action. That's the point of change for any organization, is mapping those renewals. So that you can deprecation decision, that onboarding decision, bringing contracts together. So a lot all around that. So it was a fun project around Llamasoft for Coupa. And one that hopefully is valuable ongoing as well, as you guys continue to grow and make your next acquisition. Okay, we're going to close this out with our rapid-fire segment. Gurkan, we're going to ask you just a few questions. We'll pose them. What we're looking for is a one-word response, a sentence response, your off-the-cuff reaction to the rapid-fire sections, which will be a little bit professional, a little bit personal. It's a fun way to round out the show. So talking about SaaS management. What three words would you use to describe SaaS management?
Gurkan Berkan: Monitoring, control your spend, and make decisions.
Cory Wheeler: Yes, those are big things.
Ashley Hickman: Nice. So next one. Professionally, what is your biggest passion?
Gurkan Berkan: Solving problems.
Ashley Hickman: Awesome.
Cory Wheeler: That's why you are where you are. I love it. Personally, what show have you been listening to lately or binging lately?
Gurkan Berkan: Well, as a show, I recently watched... What was its name? I'm trying to remember. This one is a little bit difficult for me. Oh, The Sinner is the name. It's on Netflix.
Ashley Hickman: Oh, yeah. It's intense.
Cory Wheeler: Good one.
Ashley Hickman: Did you watch all the seasons?
Gurkan Berkan: I did. It's hard to stop.
Ashley Hickman: Yeah, definitely a good one, for sure. Last one here that we'll wrap up with. We heard you're an outdoorsman at the top. So what's your favorite place to camp, hike, do any of your winter sports?
Gurkan Berkan: Lake Tahoe.
Ashley Hickman: Okay. Perfect for the Bay.
Cory Wheeler: That is the perfect Bay Area response. I'm so jealous of all the folks just trekking to Tahoe on a regular basis. Gurkan, this has been a thrill to have you on the podcast. Your perspectives on IT leadership, how they operate within a very fast-growing organization. But still, an organization at scale, I think there's a lot of great learnings for folks dialing in today. We are very fortunate to have you in a leadership position on our advisory board, even more lucky to have you as a customer as well and a great relationship with Coupa. Thank you so much for joining us today and sharing your wisdom. And we look forward to the next conversation with you. Thanks, Gurkan.
Ashley Hickman: Yeah, thank you.
Gurkan Berkan: Thanks for having me.
Cory Wheeler: Did you enjoy the episode? Pass it along to your friends. Subscribe to get notifications for the latest episode. Share your favorite takeaways and join the conversation on social media using #SaaSMeUnfiltered.
A lack of visibility into your SaaS stack can mean plausible deniability. But, if you want to protect your business from risk, you must have a complete picture. In this episode, Coupa’s Director of IT Compliance, Gürkan Berkan, shares how using a SaaS management tool has helped them shed light on risks like shadow IT, security, compliance, and spend – and how they’re staying on top of it today.
- [01:02 - 04:27] Meet Gürkan and learn about his career progression
- [04:31 - 05:46] Coupa's core use cases and overview
- [05:48 - 06:17] Gürkan's love of nature and the outdoors
- [06:42 - 08:38] Hot Takes with Thom
- [08:54 - 10:41] Experience prior to Coupa, and a lack of SaaS management
- [10:43 - 11:55] Using Zylo to make informed decisions in the procurement process
- [11:58 - 13:54] Freedom of choice in daily application preferences, and uncontrolled chaos
- [13:57 - 16:22] Coupa's business objectives and how SaaS factors in
- [16:37 - 18:02] Taking pride in spend management and reacting to an economic slowdown
- [18:10 - 20:01] Thinking about how to manage and measure risk compliance internally
- [20:02 - 21:01] Compliance reviews
- [21:02 - 23:04] Measurement of shadow IT
- [23:10 - 25:26] Mergers & Acquisitions
- [25:27 - 27:19] Closing out with rapid fire questions