What Is SaaS Governance & How Do I Implement It?
Ben Pippenger: All right, everyone. Ben Pippenger here. Welcome to another episode of SaaSMe Anything! In today's episode, we're going to be digging into the question of what is SaaS governance and how do I implement it? Today, we'll cover off on three key topics. Number one, we'll define SaaS governance and why it's important. Number two, we'll walk through a few different approaches to SaaS governance and how to determine what's right for your company. And then number three, we will talk about some of the results companies are experiencing by implementing governance policies. So let's go.
Ben Pippenger: Let's define SaaS governance. In simple terms, SaaS governance is the process and practices a business establishes to identify, control, manage, and mitigate the use of subscription-based software within your organization. You may be familiar with governance as it pertains to other areas of your business. For SaaS, it's a more recent form of corporate governance, specifically over IT assets. It focuses on providing a framework and structure to maintain the effectiveness and compliance of the SaaS stack while producing measurable and actionable results.
Ben Pippenger: So why is it so important? There are four key reasons. Reason number one is that it reduces your security risks. More apps in your business means a greater attack surface for those looking to attack you. Gartner is even saying that companies that fail to essentially manage their SaaS life cycles are five times more susceptible to a cyber incident or data loss due to misconfiguration.
Ben Pippenger: Reason number two, strengthen your fiscal responsibility. Software costs are only going to continue to rise. The need for smart business growth is imperative. Governance ensures the right controls are in place to maintain fiscally responsible business practices, plus ensure alignment of tools with your business needs. Now, SaaS challenges this: there's redundancy, there's duplicate purchasing happening, and there's also shadow IT across many of the organizations that we work with. Let's look at redundancy. At Zylo, we find that online training classes are the most redundant, with an average of 18 apps in a portfolio, and the number two spot is team collaboration tools, with an average of 13 apps. That's a ton of money you're wasting on tools that essentially all do the same thing, whereas you could probably be okay with just five to six of those training tools versus 18 of them.
Ben Pippenger: Reason number three is to ensure application connectivity. One of the biggest benefits of SaaS is that there are best in class tools for really everything you're trying to accomplish within your business. Now, one of the challenges is that there's just so many different tools. They all need to be able to connect. You think about the different data that needs to be passed between those tools, the workflows that need to be initiated with them. Without a policy in place, it becomes really challenging to be able to think about how all those tools connect to each other and how they work together to share data back and forth.
Ben Pippenger: Number four is empowering employees. Your employees need to be as effective and as productive in their jobs as possible. Part of governance is ensuring employees know where to go to find the tools and to request access to those tools and get approval for net new tools. A governance policy allows you to set standards for those tools. It removes a lot of the noise from employees not knowing where to go to get access and to request buying of those new pieces of software.
Ben Pippenger: All right, now that we've set the stage on what SaaS governance is and why it's important, let's look at the different approaches companies are taking to governance. Approach number one, a decentralized governance approach. In this approach, employees have 100% freedom to choose their own tools. Can be pretty scary sometimes. Some of the pros to this approach, though, are greater autonomy for employees to be able to really find the tools they want to use and go get them. Really free rein over innovation. Employees are enabled to use the most innovative tools, cutting edge, not really worry about a lot of the other things that you may worry about when you're adding new tools. And the buying process is just easier because a lot of that red tape is removed with no policies or controls in place. Now, the cons of this approach are that it opens up your business to compliance risks and potentially security threats. Because these applications aren't going through security reviews, no one's checking to make sure that they're in compliance with your policies. It's very difficult to track spend in this model, to know what people are buying. Are there issues with redundant applications, duplicative applications being bought multiple times? And they can also hinder employee productivity. You have employees out buying the same tools, they're not connected like we talked about earlier, and it can really hamper work getting done.
Ben Pippenger: On the other end of the spectrum is our second approach, which is centralized governance. In centralized governance, the CIO and IT teams oversee every piece of tech that's being added to an organization. We see this commonly in highly regulated industries or larger enterprises. The pros to this method are you have full visibility into what's going on, you know what tools are being purchased, who's buying them. You're also able to prevent security risks and maintain compliance for the business and really put pretty tight controls in place around cost. The cons to this are that these are typically followed by a really strict approval process, which can hinder innovation and creative problem solving and potentially slow down the speed at which new tech can enter into the organization.
Ben Pippenger: The third approach we'll talk about here is a hybrid approach. I really see this approach as the best of both worlds. Here at Zylo, we like to call this the freedom within a framework. And what this is is it's governance not for the sake of creating more red tape, but for the sake of making smart intelligence business decisions around the governance of your applications. It's decentralized on one hand because it enables departments and heads of business units to manage the buying process and select the tools that they want to use, but has support from IT and procurement teams during the process to do the actual purchasing, to go through InfoSec reviews and potentially even support those applications after they're purchased. It's centralized from the standpoint of IT teams really being responsible for and going out and buying and owning and supporting the core applications, or what sometimes businesses call the birthright applications, which are those apps that really every employee gets at a company to get their job done.
Ben Pippenger: Now, the pros to this approach is that it establishes trust with your employees. They understand the tools that are available to them, where to go to get access to them. Your CIO and your IT teams have complete oversight into what's going on. They know both the centralized stuff that they're responsible for, but they're also involved in the decentralized purchasing and review process. It's the right balance between getting the right tech in place while still securing your environment and reducing risk. And also, IT in this case, no longer owns the complete software budget for the business. So that means that line of business owners own those budgets. IT doesn't have to worry about doing chargeback reports or charge backing, which could help with overall operational efficiency of your company. Now, a con here would be that employees may not have full flexibility or don't have full ability to go out and get the specific tool that they want to get their job done, which can potentially cause some frustrations. But as long as you have good coverage over capabilities and have an alternative tool, shouldn't be that big of a deal.
Ben Pippenger: All right, so now how do you determine the right approach for your business? Well, number one, you need to make sure and understand how your company operates, obviously. If there are external factors or external things that are forcing you down one of those three paths, you definitely need to consider those. Second thing you need to do is understand your company culture. This is a big one to really understand how your company operates, how you function today, how you function in other parts and other governance policies within your company, and align your software governance policy to those as well.
Ben Pippenger: To close out today, I want to share an example of SaaS governance in action. We're going to be talking about AbbVie. AbbVie's a pharmaceutical company, a customer of ours. They have about 30,000 employees. They came to us when they were starting to put a SaaS management program in place with a challenge: they knew they were spending a lot on SaaS, and a lot of that was going through employee expense. They didn't have controls in place, they didn't have visibility or policy in place to stop this. So what did they do? First and foremost, they wrote a policy. You can't buy software through employee expense, or it has to go through the right approval processes. And this was a big part of what they then put in place at AbbVie. The results that they saw were that they were able to cancel over 60 subscriptions that were being purchased against this new policy, many of which were part of click-through agreements that typically favor the vendors, so also removing some security risks and things along those lines by canceling those subscriptions. On top of that, they were able to reduce their overall employee expense spend for software by 47%. So a significant amount of cost savings here that AbbVie was able to achieve, as well as removing risk from their organization by putting this policy in place and then getting the ongoing visibility they needed to make sure that policy is being followed.
Ben Pippenger: All right, so the big takeaway here is that SaaS governance is important to implement to help you fend off potential security and compliance risks, improve your financial stability, and get employees the tools they need to do their jobs. The type of approach you take is based on your organization's needs and culture. Take a few minutes to consider what I've shared today as we figure out the best course for your organization.
Ben Pippenger: To take a deeper dive, download our ebook, Evolving your SaaS Governance Framework for the Digital Workplace, at zylo.com/governance-ebook. That's it for me today, and we will see you next time.
SaaS governance often feels like a four-letter word, yet it’s critical to mitigate risk. The challenge is finding the right balance that enables productivity and innovation without putting your organization in harm’s way. In this episode, Ben Pippenger explains SaaS governance, why it’s important, and how to determine the right strategy for your organization.
- [00:42 - 03:36] Defining SaaS governance, and four reasons it is important to businesses
- [03:36 - 04:55] A decentralized approach to SaaS governance
- [04:55 - 05:45] Centralized governance
- [05:47 - 07:47] A hybrid approach, pros and cons
- [07:47 - 08:18] Determining the best approach for your business
- [08:19 - 09:31] AbbVie and SaaS governance in action
- [09:31 - 10:08] The big takeaway, and a deeper dive in Evolving Your SaaS Governance Framework for the Digital Workplace
SaaSMe Anything is the bi-weekly podcast that brings clarity to the chaos of SaaS, hosted by your resident SaaS expert and Zylo co-founder Ben Pippenger. Connect with Ben on LinkedIn here.