Is Shadow SaaS a Security Risk?

By Becky Trevino

After years spent purchasing and expanding SaaS usage to meet the challenges created by the pandemic, IT teams are now tightening SaaS spend and see growing security risks from shadow SaaS. SaaS is particularly painful for IT to manage. Ownership of these applications is decentralized across the organization and official procurement processes are often skipped, leading to non-compliant software being used in the estate without IT knowledge. These sentiments are reflected in our recent survey, delving into the issues IT leaders face when managing their SaaS portfolio.

With cost optimization now a board priority, IT leaders are being forced by CFOs to reassess how much they are spending on software and cloud services. While the current macro-environment is driving the push, the timing is right for IT to optimize technology spend across the organization. The pandemic caused unprecedented investment into digital tools to keep businesses afloat as employees went all-remote.

In the process, IT teams were frequently left in the dark as departments and end-users purchased SaaS applications without their knowledge. According to the survey results, IT leaders view “employees adding new SaaS applications without notifying IT” as their top challenge. The increased number of SaaS applications available, together with startups creating new business models – such as product-led growth – that make it easier for end-users to purchase without procurement or IT knowledge, has increased the severity of the sprawl. In addition, 42% of survey respondents stated that managing the security of SaaS applications is a critical challenge. As companies face budgetary pressure and increasing security risks from SaaS, the need for IT to improve visibility and governance of SaaS applications throughout the estate has grown critical.

Thirty-two percent of IT leaders stated they struggled to “understand why a team or individual needs a new SaaS application.” As SaaS applications penetrate across organizations, the ownership of SaaS applications will be an ongoing concern as business units acquire SaaS independently of IT and procurement teams. To govern SaaS usage effectively, IT must know what SaaS applications internal teams are running and why they need them. This is critical to maintaining visibility and reducing the risks from shadow SaaS.

According to the 2022 Gartner® Market Guide for SaaS Management Platforms, organizations that don’t have centralized visibility and governance will overspend on SaaS by at least 25%. This is often due to underutilized or duplicate applications and missed contract optimizations. Without this visibility and a system to drive SaaS governance to reduce risk, teams will also see higher security risk due to compliance violations from unapproved applications. 

Budgets: A Balancing Act

The costs associated with SaaS applications and managing licenses are only the tip of the iceberg where managing budgets is concerned. SaaS costs can only be managed when they’re known, and shadow SaaS continues to be a serious problem – survey respondents listed “identifying usage of all SaaS applications within our organization” as their second largest concern.

While controlling the total cost of SaaS application investments was ranked fifth most important overall by IT leaders, other high-importance issues, such as identifying usage, understanding why teams or individuals need new SaaS applications, and a lack of SaaS-specific purchasing training, all have an impact on spending. This is top of mind when over half of survey respondents expected IT budgets to decrease this year.

Twenty percent of survey respondents stated that “IT staffing” would be the most impacted by IT budget cuts, and 19% named “strategic IT initiatives or programs” as the area that would be most impacted by budgetary pressure and cuts to spending. We are now seeing these situations play out in real time with the onslaught of recent layoffs, while organizations continue to focus on artificial intelligence (AI) and other new technology investments. The emphasis on doing more with less has never been more significant.

How Do We Get a Better Grasp on Managing SaaS Going Forward?

Most organizations have reached the point where their SaaS application usage is too complex to track with existing tools. An organized approach, starting with identifying gaps in discovery and licensing, is key for getting a handle on the unknown SaaS usage facing many organizations. Procuring the right tools is the next step. 

Additionally, 56% of survey respondents said if budget, resources, and time were not a factor, they would create training for those employees with the purchasing power to buy SaaS applications. Training is an easy line item to cut when facing budget pressure, but the costs of employees purchasing SaaS applications independently and without guidance are likely far greater than the initial costs of a training course on procuring SaaS in a responsible way.

Setting up organizations for resilience through hard times requires careful thought and planning, encompassing a competing range of priorities including SaaS, cloud, innovation, and risk. Despite the warning bells of economic pressure and potential budget cuts, SaaS spending continues to see growth. It is essential for IT teams to gain the visibility they need to monitor SaaS application use across the entire business. Without the ability to track and monitor every application, organizations are putting more than just their budgets at risk.