At larger companies, just a few years ago, if someone needed to use a new kind of software to get his or her job done, there was a drawn-out process involved. The IT department usually oversaw a series of evaluations and approvals before walking around the office and manually installing whatever product was deemed the best fit on approved users’ workstations.
Today, it’s all self-service web apps that don’t need to be downloaded and installed. This is great news for employees, because it makes them more efficient and flexible, but from an IT and cybersecurity perspective, it’s a recipe for disaster.
IT teams don’t know which software-as-a-service (SaaS) programs have just been given access to which data or systems, and employees have no idea what kind of security or compliance problems they have just created for their company. This is what’s known as “shadow IT.”
When you multiply the shadow IT risk across thousands of workers, you end up in a Russian roulette type of situation, which is hardly a viable cybersecurity strategy.
It might be tempting to try to put the genie back in the bottle by re-centralising control over employees’ SaaS choices, but that isn’t practical.
It’s also not desirable, in my opinion, since giving team members the ability to make their own software choices unlocks more benefits than it does costs. The real challenge, from my perspective, is finding solutions that allow your organisation to operate freely while also minimising risks and lag times on IT’s app sanctioning efforts.
I think Uri Nativ, a co-founder at SaaS management platform Torii, put it best when he wrote, “If you don’t own the SaaS lifecycle, then you don’t manage it. If you don’t manage it, then it will quickly get to the point where you feel you are out of control.”
Without a system in place for discovering and vetting the SaaS products in use, you’re simply playing with fire. “The broad offering of SaaS, as well as the rapid adoption of them in the organisation, can quickly outrun your IT if not handled properly,” noted Nativ.
As much as IT stakeholders may lament these realities, it’s no longer practical to prescribe a set toolkit to be used by each employee. Management staff encourages productivity and comfort in the workplace by enabling team members to use the tools that fit their workflows.
With the rise of remote workers, it’s also often necessary to allow employees to use apps available in their native languages. Plus, more remote workers means a greater need for collaboration tools, which are among the most popular SaaS categories.
A recent study by Dell revealed that 42% of millennials would leave a company due to “substandard technology.” They know which apps are good for them, feel comfortable trying different tools if one isn’t working for them, and assume that it is their right to choose the best tool for their purposes.
But to avoid full-on chaos, you need to maintain oversight of the SaaS apps being used. IT teams need to stay on top of which apps have been granted access to which data, whether the app publishers are trustworthy, and which employees are using which tools.
You need to know things like which permissions have been granted, how many subscriptions you have for the same app, and whether an app is just a facade hiding a malicious actor or an attempt at hacking into your system. With the right workflows and solutions in place, you can veto apps wherever necessary, adjust permissions to remain compliant, retain control, and improve efficiency – without cramping your millennial employees’ options to choose the best business app.
Treading the fine line between empowering employees to use the SaaS apps they prefer, and retaining control over a business app landscape that is diversifying exponentially, is one of the key challenges of the day.
When you take an approach of vigilant but reactive governance and oversight, you can manage your company’s SaaS apps, retain control over IT, and enable productivity and efficiency among your employees, without presiding over a murky, impenetrable swirl of business app chaos.