Why CISOs & CIOs Need to Rethink Their Approach to SaaS

The future of work depends on SaaS and today’s approach needs a remix. How your identity security strategy needs to reconsider what you consider “visibility” and the dangerous gaps that exist with your current approach.

If you are like the other CISOs I regularly speak with, you are probably facing a lot of pressing issues related to the rapid adoption of cloud-based services. The growth of cloud and SaaS has accelerated with the consumerization of information technology. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work but often without explicit IT departmental approval. The business model of SaaS itself depends on end-user adoption. There are teams of engineers and marketers building out these platforms to drive “product-led growth” through free trials, driving in-product stickiness, encouraging user invites, etc.

Accelerated digital transformation and the widespread shift to remote work has even further fueled a massive growth in SaaS adoption. And many CISOs actually compound this problem that they think is just another cost of doing business – Shadow IT. More on Shadow IT in our blog here. I’ve read reports where some experts estimate that 80% of workers admit to using SaaS applications at work without getting approval from IT.

Shadow IT takes up a whopping 30 to 40% of overall IT spending for large enterprises, according to Gartner. This means that nearly half your IT budget is being spent on tools that teams and business units are purchasing (and using) without the IT department’s knowledge. A lot of unapproved software and services may duplicate the functionality of approved ones, meaning your company spends money inefficiently. How does this impact overall revenue? While it depends on the industry, on average companies spend 3.28% of their revenue on IT, according to a recent study by Deloitte Insights. Banking and securities firms spend the most (7.16%) and construction companies spend the least (1.51%).       

Additionally, Shadow IT comes with a higher risk of security and compliance complications because the tools are not properly vetted. These risks include lack of security, which can lead to data breaches. Your IT team is unable to ensure the security of the software or services and can’t manage them effectively and run updates. Gartner predicts that by 2022, one-third of successful attacks experienced by enterprises will be on their shadow IT resources. If we use Ponemon’s average breach cost of $3.86M and average probably of a breach at 27.2% annually, Shadow IT may be costing you as much as $350,000 per year in breach related risk costs.

How are you tracking your SaaS footprint? I’m not talking about the core enterprise apps. I’m talking about everything. And if you say a spreadsheet, you’re not alone. But the reality is this isn’t complete visibility. It’s a fraction of what’s out there, and the moment that spreadsheet is updated it’s now out of date. This approach is a waste of time and filled with inaccuracies.

Let me paint the picture of how this approach affects you…

You’ve heard the stories. A Finance Director, through a cloud file storage app, was sharing a root-level folder with outside parties. That inadvertently provided access to detailed financial statements that would never be released publicly or shared. Salaries, P&L, and more were unintentionally exposed. In addition, the Finance Director’s team files, folders, and discussions were made completely public rather than internal and read-only – this made financial files and other sensitive information indexable by search engines. Who is at fault in this scenario? Not the Finance Director… it’s the CISO and CIO.

Or what about the situation where a company is unknowingly running not one, but five (or more) duplicate project management apps outside of IT’s purview, spread throughout the company. This created massive cost overlap and security vulnerabilities — how much sensitive data may have been stored in the other apps? I can tell you from personal experience that this is all too common, and probably is even true at your own company.

By shining a light on Shadow IT and SaaS access risk, and having deeper visibility of the full scope of ungoverned SaaS applications, companies can save hundreds of thousands of dollars each year. This allows them to drive a seamless process from discovery to governance across the entirety of their SaaS app landscape and wrap the right security controls around every newly-discovered SaaS app (and the data within) – helping to shut down shadow IT problems across the business.

It’s estimated that by 2022, nearly 90% of organizations will rely almost entirely on SaaS apps to run their business. In this new era of IT, the only way to fully protect today’s cloud enterprise is by first discovering all of these hidden SaaS applications and then applying the very same governance controls that are already in place for the rest of the critical business applications. Only SailPoint can help you accomplish this. As the leader in Identity Security, SailPoint is helping organizations shine a light on their ungoverned SaaS apps and then extend the right security controls to ensure only the right people have access to those apps. As a result, we help IT teams quickly find and bring these SaaS apps under governance, with the visibility and intelligence needed to understand who has access, how that access is being used, and removing or altering access that is either excessive or no longer needed. With SailPoint, you are not only able to mitigate SaaS risk and improve compliance, but also optimize licensing costs and eliminate wasted IT spend.