Securing Executive Buy-In for SaaS Management in the Enterprise with Siroui Mushegian (Barracuda Networks)

This is a podcast episode titled, Securing Executive Buy-In for SaaS Management in the Enterprise with Siroui Mushegian (Barracuda Networks). The summary for this episode is:

Securing buy-in from your executive team is the most important ingredient for a successful SaaS Management program. No one knows this better than Siroui Mushegian, CIO at Barracuda Networks. In this episode, discover Mushegian's approach to securing executive buy-in for SaaS Management, and how it's helping drive application rationalization, security, and innovation in the enterprise.

Key Takeaways

  • [01:31-6:05] Making SaaS Management a strategic priority
  • [8:03-10:42] Siroui’s simple 9-box strategy
  • [10:46-16:24] The “what’s in it for me” story and stakeholder interviews for application rationalization
  • [20:57-21:38] Barracuda’s security playbook in partnership with CISO Riaz Lakhani
  • [25:53-27:59] Funding new programs with tight budgets

About Siroui Mushegian

Siroui Mushegian is the CIO at Barracuda Networks, the worldwide leader in Email Protection, Application Protection, Network Security, and Data Protection Solutions. She has nearly 30 years of IT leadership experience, previously at notable enterprises like the NBA, Ralph Lauren, and Time Warner. To-date, Mushegian has helped build and implement two SaaS Management programs. Connect with Siroui on LinkedIn: https://www.linkedin.com/in/siroui-mushegian

Want more great SaaS Management stories and content? Subscribe to our newsletter: https://zylo.com/newsletter-sign-up/

Siroui talks about starting her SaaS management journey as CIO at Barracuda Networks
00:00 MIN
Introduction, Siroui Mushegian, BlackLine
01:22 MIN
Making SaaS management a strategic priority, nine boxes
04:34 MIN
The difficulty of mining information for employee app purchasing
01:34 MIN
Nine Boxes and the simplicity of this strategy
02:38 MIN
The "what's in it for me" story
01:37 MIN
The purpose and challenge of stakeholder interviews in application rationalization
02:08 MIN
Barracuda Networks and drinking their own champagne with constraints around software purchasing
02:28 MIN
A playbook and a partner in CISO Riaz Lakhani
00:40 MIN
Balancing application rationalization with security and employee app freedom
01:41 MIN
Cost and risk
02:21 MIN
Funding new programs with tight budgets
02:06 MIN
Siroui's favorite applications, personal and business
02:19 MIN

Siroui Mushegian: I would come back every quarter or so and show them the first set of nine boxes, the new set of nine boxes, and kind of where we stood because we would get healthier by the quarter. I was able to show the value of this initiative almost immediately.

Cory Wheeler: Hello, hello and welcome to SaaSMe Unfiltered: The SaaS Management Podcast. The show with give-it-to-you-straight, real-life advice from pros knee-deep in SaaS every single day, SaaS management superheroes just like you.

Meredith Albertson: I am thrilled to have a progressive forward-thinking CIO joining us today. Our guest has nearly 30 years of experience in IT. She was most recently the VP of IT at BlackLine and has had previous IT leadership roles at incredible brands like Ralph Lauren, the NBA, and Time Warner. Today, she is the CIO at Barracuda Networks. She's a lover of cultural experiences from jazz, art and wine tasting to exploring new types of food and enjoying the outdoors. Family is everything to her and she spends a lot of time with her husband and nieces and nephews out on the West Coast today. We'd like to welcome to the show, Siroui Mushegian.

Siroui Mushegian: Hello. Thank you so much for that very nice welcome. Thank you, Meredith.

Meredith Albertson: Well, Siroui, you have such an incredible story around getting SaaS management off the ground in your past role, so today we'd love to talk a little bit about how you were able to make SaaS Management a strategic priority with the C-suite. We are often seeing enterprises be most successful with SaaS management when they have executive buy-in and support from the get-go. Now, you have led the SaaS management program at your last stop and you shared with us that getting buy-in was somewhat challenging. How did you elevate the visibility of the problem to executives and get them to really prioritize SaaS management as an executive-level initiative?

Siroui Mushegian: It's interesting the way this all played out. Initially, the reason that we brought in Zylo was not because we were looking for a SaaS management tool that was going to elevate application rationalization and kind of bring this into the forefront. We had an audit finding that we were looking to solve and we needed to conglomerate and get a place that we were going to inventory all of our applications in one spot instead of having it being surfaced through downloading lists of things and then conglomerating it through Excel documents and spreadsheets. Something that I was looking into when I joined and then places that I've been before is this application rationalization objective. When you are in a company that grows quickly through acquisition, when you bring in people from different places who have their favorite tools of choice and there's no monitoring going on and they're just sort of allowed to bring in what they like, you're going to wind up having a lot of different tools on the shelf that are often duplicates of things, and so that's not going to lead you to being as efficient as you possibly could. So I answer the call of the audit finding and then the happy circumstance that we found ourselves in is that we had a tool that was going to be able to elevate our desire for application rationalization. So the next move was how do we get this in front of our executives and make this a really important corporate objective that we need everybody's eyes on and we want all of the attention. What I did was I developed a great rapport with the executive team and they knew that when I joined the executive leadership team meetings, I was going to be bringing something interesting to them, a problem that I needed them to be aware of or some support that I needed them for and like always brought to them an interesting challenge. And I developed this single kind of crunchy slide that has nine boxes on it and it's something that I keep in my tool chest. 
It's a slide that's got these nine boxes on it and I put in every box some interesting metric that's going to be an attention-grabbing metric. So one metric will be the number of SaaS applications in the enterprise. I'll be able to tell them the exact to the dollar amount that we're spending across all tools in the enterprise. I'm able to tell them how much in cloud spend, how much we spend in expensed applications and a whole bunch of other things that I'm able to surface that grabs their attention. If they see that we have hundreds of SaaS applications, they're wondering, how is that even a thing? If we're spending tens of millions of dollars on SaaS applications, that's confounding, they don't get it. So this leads them to wonder, why are we talking about this? You must have some reason why we're talking about this. And of course the reason is I want us to be more efficient, I want us to save some money and I want us to be able to scale as a result of that. And then there are also some security gains. So yes, that's the way that I got everybody's attention.

Meredith Albertson: Did jaws hit the floor the first time you showed the nine boxes?

Siroui Mushegian: They absolutely did. They were fascinated by that and I would come back every quarter or so and show them the first set of nine boxes, the new set of nine boxes and kind of where we stood because we would get healthier by the quarter. I was able to show the value of this initiative almost immediately.

Cory Wheeler: This is really awesome Siroui, how did you do this? This isn't a brand new problem. So working with your peers, being able to get advocacy and buy-in on the projects that are most strategic to IT. Why was this hard to do prior to Zylo? Did you try to pull this information together? What made this difficult to solve for without some sort of automation behind it?

Siroui Mushegian: The difficult part is that people roll their own, so to speak. They're going to be expensing applications, they're going to be doing things themselves, and it's not just going to be a matter of what they're using in the tool chest that you provide them through the enterprise agreements that you've got through Google and Microsoft and Salesforce and so on and so forth. They've decided that they want to create their own suite of tools that is what is their productivity set. You don't know what that is. And so it's hard to mine the systems for that information. I have access to our ERP, so I can pull information from that and then maybe I have access to Concur or other tools that are going to give me access to what people are expensing, but it might be difficult to kind of slice and dice that information and I'm not going to get it very easily and I'm going to get it in terms of the spreadsheet and then I might have to sort it and it won't be clean at all, and I'm certain that I'll be double-dipping in certain spaces. It will just not present accurate information that I'll be able to trust, that I'll be able to take back to the business with real accuracy. So that is why it's difficult to do without a tool that is automating the process for you.

Cory Wheeler: When you're putting that type of a manual analysis together, there's always a gotcha. There's always some sort of exclusion and this isn't telling the whole story. I definitely understand that. So you were able to take that purpose-driven approach, the nine-box overview, which just simplifies such a complex topic and you've got your executives bought in and that nine box really allowed you to build a dashboard that speaks to the narrative of what's happening across your business. So why is that narrative building and that storytelling such an important skill for IT leaders and maybe share your secrets to success when it comes to keeping those executives engaged beyond just the first insight?

Siroui Mushegian: It's always the 'what's in it for me' scenario. Every story is different for every leader. In the go-to-market space with the go-to-market leaders, they always have the most tools in their toolbox. They've got people from all walks of life coming together, bringing with them their favorite tools of choice and they've got the most that we've got to kind of chip away at. And so the story that we're working on with them is about how we can streamline things so that they have more that they can reinvest into. Maybe they need more headcount in a certain area that they don't have. So that's sort of the what's in it for me story for that group of people. So moving over to the information security team and cloud operations, those people like to work hand in hand with each other. So if I take the same what's in it for me kind of storytelling to that crowd, I say, "Hey team, I've got this full portfolio of tools that you guys are using, and by the way, you probably didn't realize that half of them have not gone through security review because I didn't know about them, I wasn't able to secure them. And so when some of your team off boards, since I don't know about them, I can't shut down their accounts and that's a scary place to be." And immediately, light bulbs go off. And that's the what's in it for me storytelling for that crowd. It's really, you just have to find the end. You have to find the currency that's important for each leader that's going to grab them and make them interested. The dollar signs are really pervasive across all of them. So even if the security is more important to the CloudOps, InfoSec team versus a different area, the dollar savings across the board is still something that's very compelling regardless.

Cory Wheeler: And that is so on point. IT is there in any enterprise to be able to drive a strategy around large applications and also be the consultant, the advisor, the facilitator for the business, but distributed ownership of software is in every organization. Building the narrative and making that relevant to everyone around you is pretty organic in this type of an initiative around software, around the proliferation of it because it affects everyone across the company and a strategic CIO that paints that picture and narrative and then facilitates the solution with their stakeholders is a pretty strategic one.

Siroui Mushegian: There is one other point I wanted to make. Another area that's important to people in terms of a what's in it for me scenario and story. Sometimes people don't realize, especially when you get the executives together, so a what's in it for me story when you get them all together, whereas like I mentioned the individual, what's in it for me stories. But if you explain that having different sets of tools for different groups keeps a siloed approach. And if you're looking to grow and scale, having silos of tools is not the type of thing that helps people collaborate across teams and helping to drive down on duplicates and triplicates of applications that don't help you collaborate is very important and they will see that pretty quickly and they're interested in reducing the bloat that you get when you've got duplicates and triplicates of the same type of tool across many different teams.

Meredith Albertson: Now that you're the CIO at Barracuda Networks, you are just starting your SaaS management journey, and I'm sure you're bringing a lot of these lessons, a lot of these approaches along the journey. What are some of those first IT initiatives? Let's start with the SaaS management journey. I'd love to know what you're kind of thinking about there as you're getting started.

Siroui Mushegian: This one's a little bit different than what I've experienced in the past, and I'll tell you why. Our company has grown in a very interesting way. 20 acquisitions in 20 years. That makes us incredibly unique. And so when we're talking about software proliferation, I think I'm going to see it in ways that I've never seen it before here. And so as somebody who truly enjoys this exercise, I cannot wait to see, when we light this thing up, I cannot wait to see what's revealed. I think there is going to be some fascinating data that is revealed. When we get the pipelines into our ERP and into our T&A system, we're going to learn some very interesting habits that people have. And in the process of doing that, that just leads me to believe that the value that we'll be able to show and exact from this will be even more immediate than what I'm usually able to get out of this type of exercise. So that's how I'm seeing this here at Barracuda.

Cory Wheeler: It's awesome. And just to follow up very quickly on that, I think it's awesome because the value that you define is better collaboration, better productivity, breaking down silos. The value of this data now becomes Siroui's playground that the results of your program are driving the right overall employee experience. Super cool.

Siroui Mushegian: Yes indeed.

Meredith Albertson: As you start to look at that view at Barracuda and start to see different patterns, maybe onesie-twosie tool usage, are there things that you're expecting to see and learn as you start on this journey that are going to give you more information signals about the business and how the employees are actually using and thinking about SaaS and software?

Siroui Mushegian: Definitely. Part of the journey of application rationalization is the stakeholder interview portion of the program. It is really a very personal pursuit that people go into when they come with their favorite tool of choice. And you can't just go in and say, "Okay, I've got..." I always pick on project management applications. I don't know why, but I always pick on those and those are the ones that I always find that I have the most of wherever I go. But let's say I have 10, I don't know, I might have more, but let's say I have 10 of them and I will pick on the marketing department for no particular reason, but I'll just choose them. And that team is going to have PM tool du jour, and they're going to love it and it's going to serve very particular use cases for that team, and I'm going to have to learn why. What does it do? How important is it to this group? And it will tug at all my heartstrings, and I'll have to figure out what is it about this tool that makes it so important for this group? And then I'll have to do the exact same thing for every other group that has their own project management tool and also with my team, have to figure out how I'm going to rationalize all of the PM tools down to from where we are to a smaller set of them taking into consideration the things that people need in order to do the jobs that they're doing. Because stopping business is not what this is about. Helping us scale and grow and simplify is what this is about. And so it is a fine line that you kind of walk as you're going through this process. You can't leave that part out.

Meredith Albertson: If you are not unlocking the full value of your SaaS, what are you doing? There is no denying it. SaaS is mission-critical to your company's growth and success. And as the number two operating expense for most organizations, it's your biggest opportunity to save money and drive efficiency. The time is now to do something about it. Join me and your fellow IT, SAM, finance and procurement leaders at SaaSMe. SaaSMe is the industry's only dedicated SaaS management event where you can sharpen your skills, hear from your peers, and learn how to unlock value and responsible business growth through smarter SaaS management. Register today at SaaSMe.com. That's S-A-A-S-M-E.com. Really love the interview process. For me, if I was on the receiving end of that feeling, you and your team were really caring about my opinion and again, what I loved about it, why this was important to me, when you have to come back to the marketing team and tell them that their project management tool, we need to move away from this, the reaction's different because you did bring them along the journey and had the interviews. What is that like sort of in the next phase of that interview process?

Siroui Mushegian: Usually if you bring people along in the process, they are more apt to understand the why of what is happening. They feel like they're invested in helping get through all of it because they understand the point of it. In some cases though, it is a difficult decision to make. Generally speaking though, the more you communicate, the more they understand. Going in and just ripping things away from people is not the idea. That would not go well.

Cory Wheeler: No, it never does. It would be the easiest path and the fastest path, but certainly not one that drives collaboration and an employee focused result.

Siroui Mushegian: That's right.

Cory Wheeler: Let me ask a little bit, turning the page to security. Barracuda Networks is the worldwide leader in email protection, application protection, network security, data protection, those solutions. Because you are a security company, does that impact the importance around security for your apps? Do you have a tighter process around your applications and the tech that you're using internally? Do you somewhat drink your own champagne? Do you have a lot tighter constraints around what you allow into the business and what you don't? Weighing that against 20 acquisitions and M&A events that can create a heck of a lot of chaos, maybe inform us what security means to you and how you execute that around applications.

Siroui Mushegian: It is incredibly important. It's the substrate on which we operate. This is our brand and protecting it with everything we are is absolutely the most important thing. It's the reason that we've been around for 20 years and making sure that we are around for 20 more years is the whole reason and purpose that all of us come to work every day. I was telling somebody the other day that I've worked at a lot of companies that have fans, like internal employee fan of their company, and with the exception of the NBA, I would say Barracuda is a very, very close second to having super fandom for their company, for this company. The employees are super fans and we love it here, we want to protect it. So going to your question about what we're doing and how we look at security, we definitely drink our own champagne. We use the applications and tools that we build because we believe in them and the way that we look at applications is that we have to make sure that they are safe and sound and secure and as low risk and that we can tolerate any risk that might be introduced so that we stay safe and sound and we protect our brand and that we know what we're getting into. So if there are applications that we don't know about that somebody decided that they just want to use because it's convenient, that's not good. We need to know about them and that's part of this exercise. That will help elevate some of the things that we don't know about.

Cory Wheeler: Do you have a kind of playbook that you run when you come into an organization thinking about Barracuda and security being number one inside the organization? What does that look like, the security playbook as it pertains to application security?

Siroui Mushegian: Well, I have a very strong partner in our CISO, Riaz Lakhani. So he is the holder of the playbook and I get to read it with him. We have processes and procedures that we follow very tightly. When we are reviewing applications, would we want to work with outside vendors? We do. Very stringent rules, regulation, processes that we follow, absolutely.

Cory Wheeler: That's got to contain ongoing periodic reviews of existing apps that you have inside your portfolio today and maybe the scale of that. So how do you balance application rationalization with the need to then execute security and controls and freedom for your employees internally?

Siroui Mushegian: That's where kind of understanding what the needs are of the employees is very important and also spending a lot of years working in technology and for enterprises and understanding what a good toolkit is for an enterprise. So those two things, the Venn diagram of those two things kind of leads to a good toolkit. And yes, there is a prescription that you can offer to people, this is what I believe you should be using and that kind of helps contain things. Then of course, you're going to have people that will be requesting things on top of that. So what I'm hearing from you and what I'm thinking to myself is the proliferation is what you want to kind of contain. If you just let things kind of go on and on and it's an endless stream of people doing whatever they want with whatever they want, it'll be very difficult to keep up with very strict processes for application review because we're not going to give up on that. We're not going to stop being very strict with the way that we review applications. Yes, there will still be a lot of applications in the portfolio, but we're going to now rationalize things down to a limited amount where we can maintain them in a way that we can then review them on a regular basis, not have so many of them that it will be difficult to do that. So that's what you get when you rationalize your portfolio down to a manageable amount.

Meredith Albertson: Siroui, we talked to a number of people from a cost lens, from a spend lens, they're really only looking at maybe the top 25 apps in their portfolio, but hearing you talk about risk and security and the approach that you're taking, I feel like there are so many people that are just missing out on these smaller apps. They're not worried about it from the spend perspective, but just hearing you talk about risk and security and how that $20 app could really damage your brand, what would you say to people listening today that are, "Hey, I'm only focused on these top apps, its spend." And they're not really focused on the risk. How would you get them to start really opening up their eyes to the risk that could be in their business with some of these less expensive tools that maybe are not damaging the bottom line, but are just opening up the organizations to that damage?

Siroui Mushegian: Well, I think you sort of said it in your question in a way, which is that a small inexpensive application could mean that you are opening yourself up to an incredible amount of risk, and it doesn't matter that it's inexpensive, but it matters that it could be putting your whole enterprise at risk. $20 just in order to give somebody a little bit of convenience and then putting your entire enterprise at risk. You think about an attack surface, every little molecule that you add adds to your attack surface. So putting another way of ingress into your enterprise where you don't understand or know the way that a security posture is being baked into the engineering of a particular tool that somebody is using, you haven't done just the requisite amount of due diligence to be comfortable with the way that this tool is constructed or you understand the business model of this particular company, you're putting yourself at risk. There are certain things you can do in order to just put some check marks so that you can feel comfortable saying, yes, I feel comfortable with you using this inexpensive tool. I have done enough due diligence to know that it'll be fine. But if you don't do that, you're really leaving the door open. You do need to look at everything.

Meredith Albertson: I couldn't agree more. It just blows my mind of just that risk that could be out there, and I appreciate getting your perspective on it as well. Clearly, you and your partners loved hearing more about that story, are doing so much to protect the business. I also know that innovation, moving on to a little bit of a different topic is top of mind for a lot of CIOs right now. What are they thinking about innovation on? How are they thinking about innovation? How are they thinking about funding some of these new programs when budgets are tight? How are you defining it? How are you thinking about it in the year ahead?

Siroui Mushegian: It just spans so many things when you think about innovation. I think about innovation as anything that's going to drive our business to speed and scale, and that could be simplification. It could be conglomerating data in our enterprise data warehouse so that we can make data-driven business decisions. It could mean swapping out a whole tool set so that we can collaborate better with each other. It could mean so many different things from small, medium to large. How do you fund stuff? One way could be going through a massive application rationalization initiative where you set big hairy audacious goals, BHAGs so that you keep yourself accountable to these goals. We have set some already and our fiscal year actually starts tomorrow, on March 1st, and we've already set some BHAG goals for our application rationalization initiatives that are going to help us fund some of the things that we want to do in our next fiscal year. So innovation comes in many different shapes and sizes. The way that you fund that can come from things like application rationalization. How can you save money? How can you do more with less? This is how you do more with less. You become a good steward of spending the money in your envelope. My envelope size is not going to change in size, but what I can do in it will.

Cory Wheeler: What a great way to think about that. Siroui, this has been a fantastic conversation. I'd love to close it out with a fun question. Talking directly with the CIO, I think a lot of folks wonder what works, what applications are they thinking about? Can you share with our listeners your favorite personal and professional related application?

Siroui Mushegian: My personal favorite application... First of all, when I was little, there were a few things that I wanted to be when I grew up. One of them was that I wanted to be a cartographer.

Cory Wheeler: That's so specific. I love it.

Siroui Mushegian: Very specific. I love geography. I love map applications. I think they're so fascinating. And for me personally, because I do in some pandemic, before the pandemic, I did a fair amount of travel and during the pandemic, I did a lot of car travel and in-country travel, it's a catalog of the places that I've been and the places that I want to go, and I look at it like a diary of my life, especially since I started using it. I use it extensively. I put pins in places that I want to go. I put them in places that I've been. I make notes of the way that I felt and what I did when I was there. So that kind of speaks to the inner cartographer in me, and I also use it as a diary, so that's my favorite personal application.

Cory Wheeler: Super cool.

Meredith Albertson: That might be the all-time best favorite app story we've ever had on the show. That was great.

Siroui Mushegian: Thank you. In terms of my favorite business application, I mean, here we are on the Zylo podcast and you know how I feel about this application. Until I discovered it, I had others that I loved. I do feel strongly about business applications that serve value. I would spend so much time rooting around in those dashboards. I just find an endless amount of joy slicing and dicing the data that I see there. I just go on and on. I love it. I think it's great. I think everyone should have it.

Cory Wheeler: Well, that's wonderful, and clearly you're not pandering to the hosts here today.

Siroui Mushegian: Certainly I'm not.

Cory Wheeler: But I'm definitely blushing. That's wonderful for you to say. Siroui, thank you so much for coming on the show today. We talked about you being an innovative leader, and I think that term can be thrown around far too often. I think your approach both at BlackLine, Barracuda and prior to that are really leading edge and solving business problems that haven't been solved before inside your organizations. You're passionate about where you work, how you work, and the employees that surround you. You simplify things, you simplify the complex, which builds that overall narrative, and I think that's such a wonderful way to think about very complex strategies. And my takeaway is it's all around employee effectiveness, employee productivity. It doesn't have to necessarily be about the cost and the bottom line. It needs to be about creating a better work experience. What a motivational way to think about your role. I'm inspired, Meredith. I think she's inspired as well, and thank you so much for joining us today, Siroui.

Siroui Mushegian: Thank you for having me. It's been a real pleasure.

Cory Wheeler: Did you enjoy the episode? Pass it along to your friends, subscribe to get notifications for the latest episode, share your favorite takeaways, and join the conversation on social media using #SaaSMeUnfiltered.
