Optimise to Innovate

Are You Oversubscribed? The Hidden Costs of SaaS Sprawl

Alex Galbraith & Jason Gray Season 1 Episode 4

We're back with a question every business should be asking right now:

Are you oversubscribed?

We're joined by Julien Kuiper and Robert Whyte to unpack the increasing challenge of SaaS sprawl. Whether it's hidden subscriptions, shadow IT, overlapping tools, or a myriad of other reasons, the uncomfortable truth is that many organisations are paying for far more software than they realise.

Subscription software can be both a huge advantage and a serious management headache. If you've ever looked at a software bill and thought “hang on, what even is this?”, this one is for you!

You can follow our guests on LinkedIn:

  • Julien - https://www.linkedin.com/in/julienkuijper/
  • Robert - https://www.linkedin.com/in/robert-whyte-a401b959/

Jason

Welcome to Optimize to Innovate, a show where we help organizations stop wasting money on things that don't add value to their business and understand the technologies that actually will. Join us as we share practical insights into the latest trends and innovations with industry experts across everything from software and FinOps to cloud, data and AI. Today we are going to be talking about are you oversubscribed? I'll let Alex introduce that in a minute. But first of all, we've got some great guests with us today. So as uh we've had some horse racing recently, let's gallop into this week's episode. I'd like to ask them to introduce themselves. We have uh Julien Kuiper and Robert Whyte. Julien, would you like to introduce yourself first?

Julien

Yes, thank you very much, and uh good day, everyone. So, as you said, I'm Julien Kuiper, and I'm today the product manager of all the ITAM services that we are selling at Software One, which means designing the sales, pre-sales step, and also the various um activities we do when we deliver those services. And before that, uh so as you can hear, I with in my accent when I talk, I'm from Paris, I'm French. And before that, I was actually the um ITAM director of SAP, so a lot of immersion in Germany as well, so a kind of international trip. And I also was the ITAM and FinOps director for the House of Chanel, very chic, but also very demanding into the uh yeah, the the the ITAM and the FinOps services we're implementing there. So now the microphone to you, uh Rob.

Robert

Thank you very much, Julien. Yeah, good afternoon, good day, everyone. Um my name is Robert Whyte. I look after the ITAM managed services um team in West Namir, and um I'm actually um about to move into another role in Software One as the global ITAM managed service uh product manager, uh working alongside Julien. Um and uh my background, oh as you can tell from my accent, of course, uh I'm Scottish and uh my background in ITAM is 15 plus years in ITAM managed services, um designing and building um solutions for customers uh in the position of looking to get control of more visibility of their ITAM environment and their their cloud spend as well in the FinOps environment. And uh I've got quite a uh interest in the ITAM tooling environment as well, so the ITAM products as well, such as um Flexera Snow, ServiceNow Zen Sam. Thank you very much.

Alex G

So here's the interesting bit, actually. So I've been working in IT. Well, interesting for me, maybe, maybe not for everybody else, but I've been working in IT for more than 20 years, right? And actually, until I joined this organization, I didn't even know what ITAM or SAM is. Uh so for those other people who are maybe listening in who are more infrastructure focused, what is this whole ITAM thing first?

Julien

Oh dear, so you want me to enter one of those dinners when I have to explain my job to people around the table who have no idea what we're talking about. So yeah, so basically, this is IT asset management and software asset management. And what it means in essence is that when you have software in your organization, uh it all comes with a contract that defines the way you can use and you can deploy and you can enjoy those software. And this contract has quantity of items you're buying and uh has a price tag at the end. Now, the way you are actually using it and the way you're actually deploying it can be totally different to what it is described in the terms and conditions. And what we are trying to do in the ITAM practice is to align those uh those two uh aspects, so the contract and the usage, and use put in your mind a scale in front of you, and this scale has to be balanced. If the contract is overweight compared to your usage, then you are overusing and you are overspending, and that's not good. You are wasting money. If the balance is on the other side, then the problem you have is that you are incompliant and you risk fines for being audited by overusing what you have the right to do, because nothing prevents you to technically to overuse what you have contracted. In a sense, it's as simple as that. Helping organizations to have this balance at an even layer so that they use only what they need and not more than what they need, so that they don't overspend with their software assets.

Alex G

That makes sense. And so, well, actually, that's uh that's an interesting one because I I guess most people, whether it's whether it's at home or it's at work, uh, they'd probably ask the question or been asked the question, why are we still paying for this thing? Uh and then you get that awful gut feeling, you're like, oh, oh yeah, okay, maybe we've been uh pouring money down the drain on something that we didn't necessarily need to do, which I think leads us quite neatly into today's session. Um so the question we're asking ourselves are are we or are you oversubscribed? Um so with that, um, I think we want to we're we're gonna focus on the SaaS area today. Uh, and we are absolutely, I want to be clear, this is not gonna be a SaaS bashing session, uh, because actually the whole model of SaaS is fantastic and has some amazing use cases and so forth. But it's a really interesting topic to talk around in terms of subscription-based services. Um, and so we're gonna maybe uh ask a few uncomfortable questions, talk a bit about value, uh, a bit about the visibility of our SaaS estates, um, and also who is really benefiting uh once everything is on this subscription basis.

Jason

Yeah, that's a really good point, actually. That question of who's benefiting. I've been thinking about that prior to this session. Um, and it's something I'm really interested in exploring further because you know, we know that um for software vendors, um, that their revenues are going up, especially some of the large publishers like the Oracles and the IBMs, as a result of that. We also know that cloud hyperscalers have spent a lot of time wooing um independent software vendors to take advantage of the architectures and the capabilities that they provide. And of course, they win when software is provided through them as well. So, um, and we know for the customer that there are benefits to consuming SaaS, otherwise, people wouldn't be using it, right? So, so is this a three-way win? Is there any downside in this equation? And that's I think what we want to dig into here. So, my first question to you guys is is SaaS actually a mega trend, or has it just become the default method of consumption due to a lack of scrutiny?

Julien

Okay, so I I can I can take that question as well, and then and then I will pass the the microphone to uh to Rob for the more how how we measure that and how we can find solutions. But as as a very high level, yes, it is a mega trend. In 2030, 90% of the software estate is projected to be SaaS. Okay, SaaS is easy to consume, SaaS is very easy to subscribe. So it's a it's a twofold benefit from both the vendor and the customer to go to that model. Also, coming from an IT background, I knew that migrating a software from a version X dot Y into the next version was sometimes extremely complicated, uh costing a lot of money, using a lot of resources. With the SaaS model, you don't care about that anymore because you just subscribe to a platform which is ready-made for you anytime. Now there is a catch as well, right? In the past, we used to procure software from a CapEx perspective. We bought the license and we had um, well, sometimes tiny, sometimes a bit more maintenance fee that was yearly. But of course, this is not a very much sustainable model for the um software vendors. So for them, it's definitely much better for their business model to have subscription fees that are renewed every year. Why do you think we pay Netflix uh uh 20 euro every month, right? Because this is uh this is uh insurance of revenue. So, all in all, it's benefiting everyone. But there is, of course, a lot of pitfalls and a lot of risk uh behind SaaS and also the explosion of the number of SaaS because the the easiest it is to procure, well, the easiest it is to become with way too many SaaS to manage. And that's where the devil starts to pop up.

Robert

Yeah, and to follow up on that, um Julien, it's exactly the problem where customers they want it to run at scale. Everything wants to run fast today, and it's much easier to do that with SaaS. Um and it's even easier for companies to develop in that environment because they're not restricted by operating system technology restraints, you know, including even being between mobile, Linux, uh, you know, Mac, whatever the the operating system that people are um moving towards. I mean we've met customers that actually are 100% SaaS in in our in our lifetime in ITAM, which is an interesting concept that you never think would happen. And it's because again, it's it's a different way of looking at things, it's a different way of uh building your business around these products. But to Julien's point, it comes with its own challenges. It comes with the inability to get visibility of consumption usage, who's subscribing, making workflows that manage, you know, from a technical perspective if people are joining and leaving the company, who's getting the right access, whether the SaaS provider is even allowing you to split the access down to different functionalities within the tools. You know, you're like again, using the Netflix analogy is quite an interesting one because you have multiple layers of subscription. If you pay the least, you pay adverse. You don't really get that so much in the SaaS world. It does exist, but you don't get it so much in the sense where you could be subscribed to one product, and in order to get access to everything, you have to pay the full package, there's not an individual splitting the packages. So there's there's many challenges when it comes to actually finding the right product and the right usage and visibility and consumption. And that's what we want to kind of go into more, is to help customers understand. Um, you know, there's five or six main SaaS products in the environment that does a certain function.
What one's the right one for me? You know, I'm already paying for one from Microsoft. Why would I be paying for another product that's identical but someone else likes it in the environment? There's just so many, there's so many layers to this. So we try we have to try and map all these functionalities out and find technical ways to do that for customers so that they can make an informed decision on the products that they need for the future, including security as well, and AI included in there. So let's go in deeper into that.

Alex G

That whole concept you were saying about Netflix, like at home, I've got you know, we've got Netflix, we've got Disney Plus, uh, etc. You know, we've got Amazon. Um but with those different subscriptions, they're each providing me with different content, albeit the same outcome, which is uh for me to vegetate on the sofa while watching a program, right? Um but I I assume the same problem really is also occurring with a lot of organizations who are buying different pieces of SaaS software in different departments, they're ultimately meeting the same outcome.

Robert

Yeah, 100%. We we see very often, and then when we're looking at um the rationalization of applications, not just on-prem but in SaaS, we're having to go into the very depth of what the functionality of the tool is at renewal. And procurement are going to struggle with that because they're not using the tool, they're not getting visibility of that. And even the SAM team then have a problem getting deeper into that. So, who is ultimately ultimately responsible for getting that visibility, what can give them that visibility and that split so they can understand whether they're comparing apples to apples or apples to bananas, for example.

Julien

And and to to build on your example, uh Nick, it's it's um you spoke about your various uh um VOD subscription, but do you know when was the last increase of Netflix? Do you know how do you know the exact price of your cell phone plan? Do you know how many security um uh you you're you're subscribing? Do you know what is your bank uh subscription fees? Do you know all the subscriptions you are paying today for your household? I bet you. I bet you that you have no idea, or at least you are you are 50% off. And even going into the usage and into the in-depth of it what it is exactly that we're using, the span of all the SaaS and all the subscription you're having is very often um off by 50% in the eyes of any CFO or CIO. And that's also the problem we're having. It is so easy to subscribe and it is so easy to forget. And at one point, you need to ensure that you've got this entire visibility and a constant look into what I am allowing in my organization. And it's not only a question of cost and usage, it's also a question of risk that you're introducing because behind each and every SaaS, there is a contract whether you click very fast on I accept, right? You might have not read all the things you uh you accepted when you clicked on I accept, right? And I think um, Rob, you can develop into that because SaaS contains AI usage that you might not really be okay with. SaaS contains data management that your organization might not be super okay with. And all those things beyond the cost and beyond the span of subscription is something that is today a genuine threat to organizations.

Robert

Yeah, just briefly on that, like a lot of companies don't ask the question to their SaaS provider, where are you storing my data? You know, and who's getting access to that data. So, um, and that's a part of the things that you need to be asking as well. Not only just what functionalities, but where is it going? You know, who's who's who's looking at this information? It's so easy again to spin it up to give access to teams that don't have to go through the standard procurement processes whatsoever, and then suddenly corporate data is going out into the environment.

Alex G

Interestingly, in the in the current, if we call it the zeitgeist around digital sovereignty, that's such a massive topic in the moment. And and I'm quite sure there's a lot of organizations who are procuring SaaS software where that data could be being stored uh well, literally anywhere, because the whole point of it is you don't care what's happening on the back end. So there's some quite interesting questions to be to be had on that topic.

Robert

Just so I was just saying there's at least from the visibility can we can we can dive into that about all the different ways to find out where it is, etc. But like as long as it becomes adopted by the business and they create policies and follow the processes. And interestingly enough, in the ISO accreditation of SAM, there isn't really anything for SaaS at this point in time. You have we have we have completely far down the line. Wow. Yeah, it doesn't really exist in that sense where it's covered. Uh and we have developed that in Software One, you know, because it's such a big a big part of the discussions we have, that we've included what we see as uh would be good industry standard for SaaS management and you know approaching it from a governance perspective.

Jason

So that that's that sounds surprising, but then when you think that um cloud commercial cloud services launched with Amazon in 2006 and the FinOps Foundation was formed in 2019, you can see that lag, right? And I guess this is the point here because um SaaS it it is growing dramatically in terms of it being both um the proportion of um software spend in an organization and also the number of organizations and and the number of subscriptions SaaS subscriptions they're running. So where do you see the the sort of the the big challenges at the moment around that lack of, I'm gonna call it a lack of maturity actually, um, because it feels like that's how we should be describing it in terms of maybe some of the governance frameworks that have been installed or or provided so far.

Julien

Yeah, I I think I think uh you nailed it in a sense that ITAM practice has an ISO standard for sure. FinOps doesn't have yet, and SaaS doesn't have yet, but SaaS is a practice that lives between FinOps and ITAM. So you could, in one sense, apply the ISO standard at some extent to the SaaS practice. However, definitely there is uh a gap to fill here, and there is a level of normalized maturity that we one would expect into SaaS management. And and today, humbly, Software One is trying to fill that gap when we speak to customers. And and maybe this example can illustrate um that situation is that in in the ITAM services, our service offer is pretty standard, right? We we have we have standard packs that we can offer to a customer. But when we try to uh offer SaaS services, SaaS management services to our customers, then the the panel is is is 360 degree wide because each and every customer has a different pain with SaaS. Uh some want us to help them with the tier one, very big ones where it's high cost and that not that many uh number of transactions where it's really measuring each and every subscription that at the end of the day can come up to a 10 million bill. And on the other hand, there is customer who says, Oh my god, I want you to help us over shadow SaaS because we have no idea what's out there, and we have no idea how many double functionality or double SaaS that does the same thing than the other, and how much we waste on that. That's what we call the tail-end SaaS management. Others would tell us, hey, uh, Dear Software One, we we have okay, we have all those SaaS, but it's so many portals we have to manage. Can you help us with portal management of all those SaaS? Something unexpected. Well, we had that a little bit in the ITAM world, but it's totally new for SaaS with SaaS management, sorry. And um, other customers have okay, we have a catalog, but the the easiness of subscribing to SaaS is so so big that now our catalog is totally outdated.
So, how can you help us to hunt for shadow SaaS and put all of them back into a normal workflow of tracking what SaaS is approved and what SaaS is not approved? And I can quote like other examples for 10 more minutes. So there is no such thing as a standard solution for customers who have issues with SaaS, hence the complication of having like ISO, ISO-like standard or a maturity that would say, Oh, this example is a high level of maturity because compared to what? Compared to what pain. So that's what we try to do today with Rob and the colleagues is to identify, okay, what are the typical pain? Do we speak about cost? Do we speak about uh compliance? Because it's a one thing very important, it's not because it's SaaS that it yet you cannot be in compliant, right? You can totally be in compliant even with SaaS. Um, is it a question of uh shadow IT management? What exactly are we trying to solve here? And and uh um even if we can identify those buckets, it's always a one-to-one type of analysis with each customer. Okay, let's discuss about your pain and let's find panels of solutions where we define the roadmap with the customer and say, okay, let's tackle this first, then this one, then another one based on their agenda.

Alex G

So we have this whole gamut of customers and organizations who all have different challenges around SaaS. Um, but what you know, what's what's the trigger for initially realizing you have a problem? Uh I mean, I imagine for many organizations. I mean, I know at home, if my wife says to me, uh, you know, what's this thing on the bill? That's one thing. But how are organizations typically triggering the uh the problem moment, if you will?

Julien

Yeah, no, that that's definitely uh a very good one. So um it's all about visibility and and showing to the customer their SaaS sprawl is always a big wow or ouch effect. And I'm gonna quote you an example that that we had a couple of years ago where a customer asked us to do uh to do a kind of an application consolidation exercise. It was not that much SaaS driven at that time. So we we asked for an overall discovery of on-prem and an overall discovery of their SaaS. And uh we sent the data, the raw data to the customer. And a couple of days after they came back with a very nasty email, basically um shouting at us saying, Hey uh Software One, how can you be so unprofessional to send us the data of another customer? So, oh my god, we were all very scared and and worried. So we looked at the data, it was like, no, we double checked, triple checked, no, this is Mr. Smith's data. And um, we came back to them and we actually explained to them that no, all those SaaS are actually yours because look at this, look at the URL, look at the background, this is definitely your environment. And there was a big ouch effect on their side that actually turned that application portfolio consolidation type of exercise into oh my god, let's speak with the security officer and let's see what's going on. Because um, it was three times more than the number of SaaS they knew of in their organization. Not 30%, uh 300. And and that was not a unique case. So it was unique that they yelled at us, but uh it's not unique to find three times more, even more than three times more of unknown SaaS into a client environment. Any other example or situation like that, Rob, on your side?

Robert

Yeah, similar examples on the the aha moment, you know, the the the you don't know what you don't know. That's the this is the problem with this, and that's the trigger moment, is when they think that there's something wrong or that's it's obvious that something's wrong because it comes up. And the other one is a one of the triggers is cost. So the question is why are we spending so much? You know, even for expenses and SaaS stuff being expensed, etc. Why are we spending so much and all these unknowns? We know that something's out there, we don't really have that visibility. And I'm probably sure that anyone that's listening to this, even if they they have a good handle on SaaS in that sense, uh we've had that before. No, we understand our SaaS environment, we know everything, we've got visibility of it, and we simply trigger uh one of the many different ways that you can gather that data uh on one of the SAM tools or from from from other methods. And again, they go, Oh, right, okay, didn't realise there was that much out of there. Um and it's not so much uh always unearthing again a massive spend problem. It could be a security problem, a process problem. Again, we don't there isn't a standard way of doing this, there isn't a SaaS, you know, um model to work towards. It's it's it's a combination of the ones we spoke about, you know, FinOps and ITAM. So you've got to to look at that. So so yeah, there's there's a few triggers, but it's usually the unknown fear and uh the cost, and that's the examples we are seeing the most from customers. And then of course, now we're talking about AI and people adopting that and using that all over the place. That falls into SaaS because it's a subscription or it's and you know, so there's all this shadow AI happening as well, which comes into the the um SaaS discussion too.

Alex G

Death Death by a thousand cuts, which is actually when somebody eventually realizes they're starting to bleed, and then they say, Oh, where where's all the bleeding come from? That's actually what's triggering these conversations. And then at that point you then realize, oh, this problem's actually bigger than we thought it was. Or actually, you know, depending on how you look at it, the opportunity is bigger than we thought it was. Because if you can rationalise, then back to the whole point of you know why we're here talking today, it's about optimizing your environment.

Robert

There's so many leverage levers to pull when it comes to SaaS. This is the thing. Like it's not a case of am I compliant, can I get rid of some stuff? It's just there's so many other leverages to pull that other parts of your business will grow interests in it. And the conversation comes up around security, the conversation comes up about data, uh, and again, AI, the conversation comes up about functionality and you know, um speed at creating moving more more towards SaaS rather than away, you know. So so it it it does bring a lot of people on that journey with you when you start the start picking at the edges to find out what's going on.

Jason

So let's let's um talk about this issue of SaaS sprawl, which is Julien, that that shock you were talking about, where companies realize that they have got way more things they are signed up to. Um, and and as per the episode's title, they probably are oversubscribed, right? Um if we think about what the blockers are for people rationalizing. I mean, if I think about Software One, we changed our expenses provider from Redo to Concur, and they're both SaaS platforms. We did that quite quickly. I'm not aware that there was a trail after that of people still using Redu, Redoo and licenses, you know, being incurred for it. But is it actually quite hard to you know ensure that people have moved if you're switching providers, they move from one platform to another?

Robert

It's very difficult to have the full process when you're it's probably just as as hard or is as hard in a way for uh moving from one product to another on-prem still as well, you know, from from that. But at least from the perspective of a licensing perspective, you would just cut it off. Whereas what's happened is the subscriptions are not getting cut off, you know, they're they're continuing on. So um it's so easy to to unsubscribe, but it doesn't always happen. So that's yeah, the whole the whole journey of making sure that you step away from the other provider and the data's destroyed and you go through all that process, it isn't it often doesn't exist.

Jason

And just one question about that, then because when maybe it's a parallel, when I we're working with companies to help them plan migrations to the cloud from on-premises, one of the things that seems to be the hardest blocker is any company identifying application owners, the ones who can take ownership for something being done, for something happening. Do you see that same struggle then in the world of SaaS?

Robert

Uh we have situations where you have two or three people that have uh the same program, the same subscription in completely different departments. And then you realize you you but the SaaS provider isn't telling them either. They're not telling, you know, Company A, three people are buying this product from us under three different subscriptions for the same thing. You know, there isn't a product owner. They're benefiting from it, so they're not going to tell the company. Um and I've seen that in large organizations actually, where multiple departments have the same exact products and they're buying it from different descriptions, subscriptions. Helps us because we can consolidate it and we have that conversation, but they're not getting that visibility.

Alex G

Are you suggesting it's not in their best interests to give a discounted volume price if they don't need to?

Julien

So the the example I had is actually on the opposite side of the spectrum. And I had this this situation with a customer um that wanted help exactly with uh this this question of um application owner or business owner, because as we mentioned earlier, SaaS is very easy to adopt. So imagine an organization, and this this case genuinely happened, um, an organization that that procures from a non-IT uh department a very important uh critical for the business piece of SaaS. And this one was um was was having uh a heavy side of seasonality. So use for a quarter, not for another, use for another one, and like that. And what happened is that a big part of their marketing business was depending on this SaaS. And since it was procured by a person, was not used about terms and conditions, and not in neither in procurement nor in nor in uh in IT, at the day of renewal, which was by the odds, a week before a super important week for that SaaS to work, they forgot to renew. And they were that close of losing millions because of forgetting to renew that piece of SaaS. So it's not always on the side of, oh my god, I have too many SaaS and I need to cut some. When I have a SaaS which is super important, I need to manage it with the practice that is applied in IT and in ITAM to ensure professionalism in the follow-up, in the renewal, and all those types of exercises. So it can also create business disruption if people who are, I mean, it's not because they are bad or whatsoever, it's just not their job to buy software. So this aspect in SaaS management is also quite important, and it's not always IT wanting to bring like heavy processes. No, it's actually to safeguard the business.

Alex G

Let's put ourselves in the shoes of an organization who's facing these challenges, right? Uh and one of the things that we're always really keen to do on the show is talk about the practicals. Um, so I'm an organization, I I know that I have an issue. You've mentioned discovery. How do I go about discovering what I, you know, all this crazy stuff that I've got all over the joint? And then what do I do with that? How do I implement that kind of new level of governance in my organization?

Julien

Okay, I'm gonna take it from the non-technical perspective, but then Rob will take it from the technical perspective. There are various aspects that might sound um um superficial, but uh that are actually very important. When you want to discover SaaS, you're actually going to discover what people are doing with their computer, right? And in company, in in companies who are located in countries with union, for instance, France, UK, Holland, Belgium, and so on, you actually have to sign a contract or to have an agreement between IT and the new union to actually be allowed to deploy such measurement, okay, because it can be seen as uh HR wanting to measure what their employees are doing. So it's also uh important to that to do that, uh to do this measurement when you want to optimize the SaaS usage. But if you want to discover, have visibility on SaaS and measure what the SaaS are actually using, you need to have uh uh an open contract with the union and declare what you're gonna do. Otherwise, this project can stop right from the beginning. The second thing. Yeah, but it's it's it's actually very so it's not it's not impossible, it's just it's possible, it's just really, really in the critical path of any visibility project for SaaS discovery. The second thing is that because it's about URL and sniffing what's going on in the network, you need to partner with security, right? You cannot do that on your own and decide to implement or to look into what's going on into my uh my network packet without involving security. And typically, those two aspects are either overlooked or considered as impossible to overcome. And they are not. It's feasible, many customers do it. It's just that you must not forget those two steps. 
And now, Rob, to you to explain exactly what it is that we do when we do this uh this discovery because it's it's uh not that complicated, but it's a bit more than what we used to do with the agent and agent less and agent discovery in the uh on-prem world. Yep.

Robert

Thank you, Julian. Yeah, and and actually to that point that Julian said about knowing you need to take security and you need to you know have a word with the right people within your business to say, I'm going to be investigating things in the network, etc. That actually only comes up because of what I'm about to express, how you go about it. Because people that try this, start this journey don't realise that, and then they start on uh turning things over to discover it. So the the first thing is you probably know there's lots of SaaS tools out there. There's lots of many SaaS tools. Again, it's just spin up just as quick as you can create a SaaS product as you can spin up a SaaS tool. Um but the key drivers are as follows. Um, you have browser extensions which are live on top of people's machines, so they monitor what people are visiting, they take the information and then they normalize that against known URLs for SaaS logins. These URLs are not the actual login page, it's the post login page. So something has taken place, they've moved from a login page to being logged in. That to a degree counts as a usage. So that person's account is there and also that. So that's one technical part of it. The other side is that there's also a uh you've also got um cloud um Zscalers, you've got cloud proxies, and from here you have uh a tool called CASB, as it's known as. And there's many of these in the environment. You've got Microsoft Defender, um, Zscaler, etc. So there's these ones, these solutions that already have this traffic information passing through them. Okay, and what you do from there from a CASB is you use that information just as you would from browser extension, but you're seeing it from everything that comes through. Now, the beauty of a cloud proxy is that even people that are working from home, etc., are also using that channel. So the data is coming across from all the devices, including even networking devices and servers.
Um, again, that is then run through a normalization database, the URLs are collected to work out. The difficult part of this, and again, touching on what Julian said, is you are seeing everything. So if there's sites that people shouldn't be visiting, etc., there becomes a concern you start peeling back the wrong things. So um it's important to take that into consideration as well when you embark on this. Now, if you have a tool, a some a SaaS tool, etc., they will normalize all of that, they will probably filter out the stuff you don't need to worry about. So that's very important. However, if you want to do it on your own without a SaaS tool, you're looking at basically a needle.

Julien

Yeah, yeah. Thank you, Rob. And and actually, normalization is is part of the heavy lifting of the next step after just raw visibility. Because when you get this this soup of uh SaaS in an Excel spreadsheet or CSV or whatever, then you need to separate out okay, what's the bank access, what's the Doctolib access, and all those things that are genuine, and then what are the ones that are really showing SaaS usage and and uh making out of this data, transforming this data into meaningful information. And this is where the SAM tools enter the game because some are very strong into classifying all this and already pre-sorting all this is marketing, this is finance, this is HR, and this is these are the types. And some toolmakers have even better capacity into saying, okay, so you've got all those ones that you declare are out of control. So let's help you implementing a workflow that will hunt for the for the business owner, for instance, or um hunt for the ones that are dangerous and classify them and putting them in a workflow before they enter your catalogue. So from visibility to rich management to real management, there is a genuine um uh motion and practice and initiative to put in place with various tools of the market.

Robert

And I can I just give another two examples if that's okay as well, of discovery uh methods. You've got uh you were reminding me of them when you were speaking there, Julian. Uh you've got the uh um expenses systems that we connect to as well to pull data from expenses systems that helps you get visibility of things out with the standard uh processes of procurement uh because people are not going to pay for a SaaS product and not want their the money back for it a little expensive. And the other side of it as well is single sign-on and direct connection. So if a SaaS has been adopted, uh connecting to single sign-on will give that that visibility and control, um, which sometimes actually reveals more than you realise as well from that perspective. And of course the direct API connections, uh, if you want to find out even more information about what you own inside each an individual big vendor, for example, such as your Salesforces, um, Workday, you know, Microsoft, uh, those kind of products.

Alex G

Hopefully, if you're procuring at that kind of volume, hopefully you have better visibility there.

Robert

You know about it. But remember though, uh as we move further and further and further into the SaaS world, the things that you bought where one or two products came from SaaS, Adobe's a good example. Everything's in there now, or more near nearly everything is in there. So inside that SaaS subscription is no longer one or two products, it's you know 50 to 60 products. So it's quite a lot in there. So that direct API is so more vital because you want as much data out of there as possible to understand what you're actually doing as a as a business.

Jason

And if we think about the the reason why you know FinOps Foundation created a scope to help understand how to best manage SaaS products, I think it it's it's easy for us to kind of make out that it's a simple thing of just knowing what you're subscribed to. But there's the the kind of concurrency you're subscribed to, but there's also the consumption element as well, isn't there, Robert?

Robert

Yeah, yeah. The consumption element's the the the icing in the cake, really, once you know, because that allows you to then understand exactly how much you're paying and who's using what exactly. So that's the thing. And not all of these providers um offer that visibility as well. So you have to compare it with something else. You have to, to Julian's point, you have to use an ITAM tool that tracks the usage you're doing on the device, but it knows you're also at the same time logging into a cloud SaaS subscription. So the two come together and it says, yes, this person used this product within the SaaS, because you can see the EXE running, for example, and it's talking to a specific URL, that puts it together. But that SaaS provider will not provide you that information despite having it somewhere in a database. It's locked away.

Julien

It is sometime uh a genuine journey to actually get this information from so some very vicious SaaS providers. I'm not gonna name them, but uh yeah, sometimes it's uh sweaty and not fun. Um, and and also as a uh as a as a last sentence, I mean, definitely the SaaS management and the FinOps world are getting together because uh where in the traditional on-prem world, you would have a true up on a yearly basis and you would add your uh latest addition of employee of reduction of employee at the end of a contract. With SaaS, it's very dynamic. It can change every month, every week, and sometimes every day. And the price model can be that dynamic. So going very close to what it is to have um uh to cloud consumption and cloud uh consumption um uh invoices, right? So that's why the world of FinOps and ITAM and SaaS are getting together closer.

Alex G

But one thing uh uh we're we're just we're starting to run out of time a wee bit, but there was something that you mentioned earlier, Julian, that was really interesting. And we haven't really had a chance to get into it because we've been talking about how we're optimizing costs, how we're discovering what we've got, and that stuff is incredibly important. But the other thing you touched on was the your data. And so I'm curious, uh if we think about it from a security standpoint, but even just like basic data governance. Like, let's say, for example, tomorrow my SaaS provider decides they're gonna change how they're gonna do stuff, or maybe they decide they're gonna close down a particular feature or whatever. Like what happens to me? How much control do I have? How do I manage that?

Julien

Yeah, unfortunately, you don't have much control uh beside um making sure that you pay attention to the notification you received about the terms and conditions changing and not just clicking and say whatever for tomorrow, right? And uh, this is where your legal colleagues will be your best friends because oh, then all of a sudden they will have like um hundreds of contracts to review on a on a bi-monthly basis. So I'm exaggerating a bit, but definitely if you want to uh scrutinize all the all the contract and terms and conditions for legal, it's uh it becomes an almost impossible journey. Um regarding data, I just want to point out one uh figure is that um, well, when you're using a SaaS, you're obviously inputting data in it in all sorts of fashion. You put your files, you put your um your creation, you sometimes you put your IP. And in those famous terms and conditions where you clicked on I accept, for at least 35% of the SaaS today, uh you sign something that says that the SaaS provider can use this data for their own AI purpose. And that is totally unacceptable, but still it's accepted. So that's one very heavy aspect of uh of the data management, especially when you put your own IP into this. Then there is the gen the general data protection depending on where the data resides, and then there is all the overall security aspect that is not just about um uh data security, but also potential cybersecurity if this SaaS product has some weakness in its own development that can be an entry door for hackers. And here maybe Rob has a bit more knowledge or example than me on that, but it's also a genuine threat. Uh, I remember that at one time Spotify was was somehow uh uh an open door that was corrected, but for a couple of days there was an open door. So I don't know, Rob, if you've got any more um examples on that or not to go into too many examples, but it's just the lay of the land, isn't it?

Robert

From the product. It's uh you're you know, you and many, many other customers are giving a company data, you're connecting it to your own internal data systems and you're uploading them. And at any point they could move their hosting provider and you know, go from a uh uh say a cloud server and move it into say uh Docker or something similar. So in the end, it really it's difficult to understand from each SaaS provider how segregated the data is, how secure it is, who's got access. But at the end of the day, that's their product. You know, that's their product that you're putting your data onto. And if they have some access or admin access to the back end, then they and they have access to your data just as much as any hacker could if they could get access to that. So it does come with its own security, and it's why, of course, obviously, security-minded businesses will probably steer away from SaaS, despite it having a lot of functioning, you know, where where they they start to develop more of the actual future programs and their tools, they come away from developing on their on-prem and it yeah, at least that's a really good point, Robert.

Jason

I just want to pick up on that because just because you can build um secure multi-tenanted applications in the hyperscalers doesn't mean that people are, does it? And if we think about, if I think about where I'm my familiar territory, PCI, when people engage with um building blocks, tools, and services that they're gonna put card data through, they have to get the services verified as being PCI compliant, right? So you have to have a chain of building blocks that add up to the overall security posture that you want. And any weak point in this, whether it's on the front end, you know, in terms of the way the data's being secured, processed, the way they do encryption, even down to how they move it off to be processed wherever it's being processed, could be the weak link that's exploited.

Robert

And then you've got to consider like you can you know that information from the field of of where you work. Would a procurement person know that? Would uh, you know, some other individuals inside the you know, a company that's moving something from an on, you know, they just need an on-premise piece of software into cloud. So they've agreed to the new subscription. You know, they're not thinking of uh it's not their responsibility to think of these things, you know, but at the end of the day, uh that's the situation. These are there, they are. And that's what we you want to try and help unearth. These are the questions you want to be asking, you know, from a person that's going to do SaaS uh discovery for you and SaaS uh rationalization, they should be asking these kind of questions uh from the contracts and looking into that.

Alex G

The the interesting bit there, and without going into I was I was getting my uh you know cloud architecture brain on there because I was thinking actually what I've seen as a pattern is especially with uh call it more modern or startup style SaaS vendors, etc. Less so I think with some of the traditional vendors who are shifting to SaaS, but certainly a lot of the new ones, they are actually building their SaaS architectures as conglomerations of, if you will, other SaaS. So, for example, they use third-party identity management, you know, like somebody like Okta or whatever. So actually, in some ways, that adds a layer of complexity to these architectures. But the flip side being they're also bringing in what you could call best of breed in those various different spaces. Um, and so we get to this really interesting point of how is your SaaS architected or your how does your SaaS provider architect their solution to then optimize not only for uh your security but for theirs as well. Uh so it's it's a really interesting topic. That's maybe one for another day, I think we could dive into uh the the complexity of SaaS and the multi-cloud architecture.

Jason

Just a quick question before we we go maybe a bit further with the risk of data and where it's going. Um, you know, the at the moment, Alex, we talk a lot about vibe coding, right? About the fact that it's becoming easier for organizations to build software fundamentally, right? So do you see, I mean, this is a question really for you, Julian and and Robert is do you see in the future that actually the SaaS um offerings are less mature because it's easier for organizations to quickly build a set of requirements into functionality, make it available through that universal place, which we call the cloud, the web, the internet, whatever, but without the disciplines around software development lifecycles that have been really keeping us safe up until now.

Robert

Yeah. I I don't if you don't mind, I could take that one, Julian, because it's uh a subject that's I'm quite interested in outside of work as well, as it gets discussed in the um the market and the IT quite a lot about the AI and the adoption of AI and vibe coding and you know building your own programs and replacing uh stuff. And it happened in you know the early 90s when people moved away from specific big products where they were uh hiring companies in to come and build them programs. It's now happening with AI because people are picking up the tools to be able to build these things and they have absolutely no governance around what they're building, they're they will build whatever they want essentially to match, which is perfect. And there was a quote by some famous people in the industry in tech, uh, which I'll not name their names because it just depends. Um, and um they they said that SaaS products will be dead in a few years, you know, 10 years or whatever, because they'll all be moving to basically coding uh their own programs, etc., in the environment. That of course comes with its own problem and its own discovery, etc., as it as it moved towards that. I don't think that's very true. But what it will it will also help accelerate is more companies will probably build more SaaS products. I would see that being a the situation because it's much easier for getting teams together to build products using AI today. Uh so a good coder's coming out of university, etc., will be able to accelerate their coding, you know, to build SaaS products that to your your point, Julian, will not have uh sorry Jason, will not have the you know, will not have the security and the governance around it.

Julien

So yeah, one one final word on that, if I may, is that again I come back to this notion of IT portfolio management and application portfolio management slash consolidation. Now it's not about just what you buy, but when you do this exercise, it's also what you make. So when you want to see really all the functionality, business functionality you bring to an organization, you not only now have to see what I have procured for on-prem, augmented what I have in the cloud, augmented with what I bought as SaaS, and now augmented with what my organization has developed with now the easiness of developing solutions to have this entire portfolio managed as one portfolio that get that gets extended day after day. So does this does this mean the end of SaaS? I don't think so. I just think it's the increase of the complexity of the portfolio. That's just what it says.

Alex G

Right. Ongoing evolution. I guess if we if we wanted to work in an industry where there wasn't a significant amount of change, we probably chose the wrong one, didn't we?

Julien

Exactly.

Alex G

And this this ensures that we have business for many, many, many years. That's awesome. Well, gentlemen, thank you very much. I think we are just about up on time. Uh so I guess before we wrap up, um, I'm gonna ask you one last little thing then. So uh I'm sure there'll be lots of people who would love to stalk you online after this uh after this session and hear more from you. So how could they do that? Um is there anything that you would maybe recommend that the you know people might might want to learn more? Uh and what would be your one thing that you would say to us that we should take away? Julian?

Julien

Okay, sure. So of course, uh one can reach out to me on LinkedIn. Uh there is not that many Julian Kuiper with a K on LinkedIn, so feel free to invite me and we we can discuss further on. Um and uh we will also, I think, uh Nick put some some links on our uh internal publication about uh about SaaS management. Uh Robert, any other sources we can have or how people can reach out to you?

Robert

Yeah, thank you, Julian. So yeah, so you can reach out to me on LinkedIn. Uh so Robert White with a Y. And I'm always happy to have a conversation around anything ITAM, and including SaaS, of course. And some of the really good resources in the industry is Gartner as well. So Gartner and herself have done reviews into SaaS, the adoption of SaaS, um, where it's going in the future, etc. So there's really good resources from Gartner's website that we can share links to as well.

Alex G

Awesome.

Julien

And uh final takeaways? Yeah, regarding key takeaways. So I I think we we were very clear about the first step to the journey of SaaS management is visibility, right? And don't be afraid to look at things you are not gonna be happy with. I mean, there is nothing you can do if you don't know what's in your organization. Second thing is that there is no one silver bullet to take care about SaaS management from an A situation to a mature and optimized situation. The journey can be very different from different customers. So don't hesitate to get uh advisors, to do uh benchmark advisory where you are, and also what are your priorities? Is it the tier one SaaS? Is it the tail end SaaS? Is it shadow IT that's hurting you? And of course, above all, there is one which is non-debatable it's security and data protection. So yeah, if you put all those all those key takeaways, um uh definitely organize your journey with a business case. And also, this business case can be rather easy to sell to your executive because I guarantee you there is going to be at least 30% saving the day you rationalize all your SaaS, right? Security will be more than happy to have um uh reports and and data to know where their risks are, and uh also uh you will you will be able to um develop governance models that will benefit your overall IT, ITAM FinOps uh endeavors.

Jason

Fantastic. Well, you've been leading us through an exploration of the world of software, especially as it's been SaaSified, as we like to say. And you know, what's clear is that businesses are benefiting from the variety of uh suppliers out there, the competitive features, the functionality, the speed to market, you know, the fact that it embraces all of these wonderful things like digital sovereignty. So there's a lot to gain from the world of SaaS, and that's clearly why so many people are subscribing. I think what was interesting was that question are you oversubscribed? It's how can people tell? Um, great insights from you guys. Really appreciate it. Thank you. So, to our listeners, if you'd like this episode, hit subscribe on your podcast app and leave us a review. It really helps more people find us. And if there's something you want us to cover in the future, um please don't hesitate to leave us a comment or let us know via socials. We are at Software One, just about everywhere, or you can email us on O2i, that's the letter O number twoi at software1.com. With that, thanks for listening, and we'll see you in the next episode.