Is your company a SaaS(aholic)?

Torben Jaster
Jul 19, 2022

Admitting that you have a problem

The first step in dealing with any addiction is admitting that you have a problem. SaaS usage is expected to grow by 18% again in 2022, according to Gartner. The Corona pandemic caused many companies to lose control of their established software procurement processes; the only thing that mattered was keeping the business running. This also meant that the business units and their requirements, not IT, were the determining factor in the purchase of SaaS solutions. The people in charge at many companies are only subconsciously aware of how much SaaS is actually in use. So do I have a SaaS problem or do I not?

The “not so ready” SAM (Software Asset Management) department

In enterprise organizations, many SAM departments were simply not procedurally prepared for SaaS and may still not be today. Old norms still apply here. Well-negotiated, long-term contracts with large vendors such as Microsoft or Oracle are their bread-and-butter business. Tools that enable the management of these master agreements are the tools of their trade. But 100–200 SaaS contracts with short terms, their own contract conditions, and constantly changing user groups and packages overstrain these departments and their tools. I think we may have a problem here?

We are not the one to fix this (Central IT)

Central IT could also play a part in this dilemma. Software implementation processes are often lengthy and not designed for “give me a credit card and I can solve my business problem tomorrow with this SaaS software”. Charging and closing contracts quickly is also not a strength of Central IT.

And is there actually any SaaS governance? The SaaS applications are all far too different, so how can there be any uniformity? I think, Houston, we have a problem!

5 Steps to solve your problem (not easy ones, sorry!)

1.) Find out how bad it is

Probably the most effective method is to conduct a so-called SaaS assessment. This can prove difficult depending on the size of the company. Surveys of departments often do not lead to a correct result, because knowledge about these very small SaaS solutions is usually scattered, even within smaller teams. Your best and most honest friend here is the Internet perimeter, because there is no SaaS interaction without going through the central Internet exit. Any tools that record Internet traffic are helpful here. These can be security solutions but also CASB (Cloud Access Security Broker) solutions. There are now also specialized solutions on the market specifically for the discovery of SaaS applications.
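A minimal sketch of the perimeter-based discovery described above, as an added example that is not part of the original article. The log format (timestamp, user, host, bytes), the user names, the `.example` domains and the sanctioned inventory are all constructed assumptions; a real proxy or CASB export will look different.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical "timestamp user host bytes" format.
SAMPLE_LOG = """\
2022-07-18T09:01:12Z alice login.microsoftonline.com 5120
2022-07-18T09:02:40Z bob app.recruitly.example 20480
2022-07-18T09:03:05Z carol app.recruitly.example 10240
2022-07-18T09:05:51Z bob files.sharebox.example 734003200
2022-07-18T09:06:00Z alice outlook.office365.com 8192
malformed line without enough fields
2022-07-18T09:07:30Z dave api.recruitly.example 2048
"""

# Hypothetical inventory kept by the SCoE: base domain -> application name.
SANCTIONED = {"microsoftonline.com": "Microsoft 365", "office365.com": "Microsoft 365"}

def base_domain(host):
    """Naive base domain (last two labels). Assumption: a production tool
    would use the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, sanctioned):
    """Aggregate distinct users and bytes per domain; return (report, skipped)."""
    stats = defaultdict(lambda: {"users": set(), "bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1  # count unparsable lines so data gaps stay visible
            continue
        _, user, host, size = parts
        entry = stats[base_domain(host)]
        entry["users"].add(user)
        entry["bytes"] += int(size)
    report = [{"domain": d, "app": sanctioned.get(d, "UNKNOWN"),
               "sanctioned": d in sanctioned,
               "users": sorted(e["users"]), "bytes": e["bytes"]}
              for d, e in stats.items()]
    # Unsanctioned first, then most distinct users, then highest volume.
    report.sort(key=lambda r: (r["sanctioned"], -len(r["users"]), -r["bytes"]))
    return report, skipped

if __name__ == "__main__":
    rows, skipped = discover(SAMPLE_LOG, SANCTIONED)
    for r in rows:
        print(r["domain"], r["app"], len(r["users"]), r["bytes"])
    print("skipped lines:", skipped)
```

Ranking by distinct users surfaces tools that have spread across a team, while the byte count highlights services receiving large uploads, which matter most for the data protection review.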

2.) Create a cross-functional team of experts (SaaS Center of Excellence)

As we have already seen in the description of the disease, it is important to bring all parties to the table. The SaaS Center of Excellence (SCoE) is to SaaS what the Cloud Center of Excellence (CCoE) is to the public cloud. It is the central point of contact for all questions relating to SaaS. It should be able to answer both technical and contractual questions. Together with the CCoE, it is the guardian of a company’s SaaS governance, which it creates and develops further. The SCoE is also the primary contact and contractual partner for SaaS providers. The SCoE could usefully be placed either in central IT or in the finance organization. Ideally, it should consist of the following members:

  • Software Asset Manager
  • Purchaser
  • SaaS Technical Expert
  • SaaS Solution Architect
  • Information Security Specialist
  • Data Protection Specialist

3.) Create a SaaS Governance

The SaaS governance forms the baseline for the future handling of your SaaS applications. It should take the following aspects into account:

  • First of all, a SaaS classification such as “Managed SaaS”, “Self-Managed SaaS”, “Free SaaS”…
  • SaaS value limits and approval limits
  • Identity Management
  • Information Security Rules
  • Data Protection Rules
  • Service management and responsibilities (SaaS ownership)
  • Exit strategies and procedures
  • SaaS risk management

4.) Create a SaaS process

The SaaS process should be fully comprehensive and cover the entire lifecycle of a SaaS application. This means that it begins when the business purpose is identified and ends when the SaaS solution is finally decommissioned. It is important to distinguish between solutions that affect the entire company, such as Microsoft 365, and solutions that are only used in a single department of twenty people, such as a solution for applicant management in HR. Here it is advisable to set up a light and a full process. The light process is designed for speed and standardized processing and uses prefabricated side processes. The full process is more similar to the normal software implementation process that is already known from the old world. This method ensures that companies do not lose speed by introducing such processes. The owner of these processes should be the SCoE, because it unites all relevant stakeholders.

5.) SaaS Management

The final step is SaaS management during the runtime of a SaaS solution. Here it is important to keep an eye on contract extensions, conduct contract negotiations, streamline SaaS applications where possible, and keep track of and respond to changes in contract terms (DPA, privacy policies, usage policies). Deletion and termination of SaaS applications are of course also part of this. Again, the SCoE should be the owner of all of these tasks.

Final words

An alcoholic remains an alcoholic for the rest of his life. SaaS is already an integral part of the corporate software portfolio and is here to stay. It is therefore really important to accept this problem and to find solutions that are sustainable.

Let me be the one to help you tackle this problem, and consult me if you like.
