How shadow IT remains a threat to Europe’s biggest businesses

By Andréa Jacquemin, founder and CEO of Beamy

 

SaaS is creating underground (or shadow) IT in companies, dramatically increasing their exposure to cyberattacks.

 Seemingly unknown to many IT departments and senior management teams, the use of SaaS applications among employees is booming. It is creating an underground digital world with little regard for security, data protection, or digital sovereignty issues.

 As a result, in the top firms traded on the world’s major exchanges – the LSE, NYSE, and the NASDAQ, for example – and across large companies as a whole, SaaS is now a key factor in digitalising their business.

 The SaaS ecosystem generally relies on the widespread use of tools made available online, which are usually designed for extremely specific tasks and operate on a subscription basis. However, these tools are deployed without the oversight of corporate governance procedures, and mostly pass under companies’ radars, even if they represent millions in cumulative annual costs. This phenomenon is known as ‘shadow IT’. Using cloud software from external vendors regularly results in customer data being stored in non-compliant ways or being hosted outside its originating geography (more than 40% of SaaS used is American). This has the potential to generate a multitude of future security vulnerabilities and compliance issues.

 

Only 14% of SaaS tools being used in large enterprises are properly managed

 These are without a doubt “underground” digital systems, with an average of 200+ different cloud providers being used in companies with more than 1000 employees. Out of these 190 providers, only 60 are managed by an IT department, 44 by the data protection officer, and 36 by information security teams.

 If the cloud continues to grow at the rate predicted by KPMG, then more than a thousand different SaaS providers could be used by a single company in 2030. Establishing a clear governance framework for cloud-based SaaS will therefore be vital for the future, since it brings the topics of data sovereignty, cyber defence, and digital performance of our companies to the forefront of issues.

 

 Allowing business teams to manage their own digital transformation

 Since digital transformation involves all departments of a company, and especially business teams themselves, it’s only natural for them to want to tackle it hands-on. The latest generation are more accustomed to quick actions via quicker clicks. This generation is also more likely to expect companies to provide the very best that technology has to offer, whether in terms of processing speed, user-friendly interfaces, or the use of tools to make the working day more productive. It raises alarm bells that this is not yet part of the tech procurement approach in place at major companies.

 The technology required is available on the global market, which consists of almost 100,000 SaaS, with venture capital investments in the hundreds of billions of pounds. These solutions rank among the fastest, most powerful, and best suited to ensuring the digitisation of processes. But there are also those that store and use the most personal data abroad, which could pose a huge and invisible compliance risk to businesses.

 What is needed is the creation of an app store for each company, to give business teams the ability to choose the best software for themselves, while carefully guiding them to select, use and de-risk these tools in the long term.

  

Coordinating business teams and IT teams for effective digital governance

 The CIO holds a strategic position when it comes to providing the company with a framework for decentralising the digitalisation process. The key is to ensure that, despite the technological progress pursued by operational teams, a regulatory framework is respected, personal data processed by these tools is properly protected, and that the risk of external security breaches is minimised. In this context, the CIO acts as the orchestrator of the digital ecosystem, giving freedom to business units while making sure that the application landscape is optimised and safe.

 The focus on a “sovereign cloud” will remain an unproductive endeavour if SaaS, which accounts for half of cloud computing, is still placed in the background. Within companies, it is up to senior management teams to initiate the construction of a decentralised approach to digital governance. This is the only thing capable of successfully bringing structure to this fast-evolving part of the cloud. It is a strategy that requires the involvement not only of the CIO, but of the entire executive committee, and all departments affected by the challenges of digital transformation.
