The Role of Leadership in Cultivating a Secure Business-Led IT Culture

Remember the old adage, you’re falling behind if you’re not constantly evolving? This statement couldn’t be truer for SaaS adoption and usage—and the resulting cyber risks.  

Since the pandemic, employees have grown accustomed to acquiring their own technology and SaaS applications, bypassing IT and security teams. While this practice, AKA “business-led IT,” supports organizational agility and innovation, it also introduces various new security challenges. As leaders of our organizations, we must cultivate a secure business-led IT culture, retaining our innovative spirit while protecting our digital assets. To do so starts with understanding what’s driving business-led IT, managing the risks, and creating a safe environment to explore and innovate without fear of repercussion.

Understanding the Context of Business-Led IT

According to Gartner, by 2027, 75% of employees will acquire, modify, or create technology outside of IT’s visibility.  Why is that? It’s not because employees are defiant or indifferent to IT or security guidance. Rather, the reasons are quite practical:

• Employees know their SaaS requirements and desired outcomes best.

• SaaS tools are more accessible to employees—anyone can start a trial subscription, often with just an email and password.

• A solution is needed quickly vs. going through corporate protocols and extensive SaaS review protocols.

As business leaders, we should be delighted that employees want to perform their jobs well and seek to improve their outcomes. Our leadership stance here is critical; we cannot squash the entrepreneurial spirit of our teams. At the same time, we need to support our security teams and IT leaders—it’s a delicate balance. So what’s the answer? Openly discuss the challenges of business-led IT and the associated risks with your executive team and agree on the company’s risk tolerance—what you’re willing to accept vs. what is unacceptable.

Addressing the Risks of Business-Led IT

To be clear, shadow SaaS isn’t bad—it’s harmful when left hidden and unmanaged. Among the risks:

Unsanctioned SaaS applications often lack proper security measures, making them vulnerable to cyberattacks. Most employees are notoriously terrible at creating strong passwords. According to a Google/Harris poll, 66% of Americans use the same password for multiple online accounts, and Cybernews reports that the most common password is “123456.” (Enter facepalm here.) Weak passwords are easy prey for cyber attackers, not to mention an open door to your network. The takeaway: IT oversight of shadow SaaS applications is needed to enforce best practice security measures.

Unmanaged SaaS opens the door to potential compliance violations. Many industries are subject to strict regulatory requirements regarding data handling and storage. Since shadow SaaS is outside of IT’s visibility, it can lead to inadvertent non-compliance, resulting in hefty fines and legal consequences. For instance, the General Data Protection Regulation (GDPR) imposes severe penalties for data mishandling. PCI DSS 4.0, NYDFS Cybersecurity Regulation, and HIPAA all require MFA for individuals accessing sensitive data. When IT can monitor SaaS, the appropriate security controls and authentication can be enabled, mitigating compliance concerns.

Shadow IT creates tech silos, sometimes resulting in excessive tech costs or redundant accounts. When IT has visibility into the apps used across the organization, accounts can be consolidated and optimized.

Encouraging an Entrepreneurial Spirit While Mitigating Risks

Highly engaged business units achieve 23% higher profitability. –Gallup  

Despite the risks of a business-led IT environment, there is also a great payoff. When employees are empowered to choose the tools they need to perform their jobs optimally, innovation, productivity, and performance soar. Gallup studies show that highly engaged business units achieve 23% higher profitability—employees want their voice heard and their needs met, including having the right SaaS applications. So, how do we balance employee empowerment with SaaS security?

1. Security must be viewed as a shared responsibility. Educating employees on the potential dangers of the apps they sign up for can go a long way. Often, employees don’t think about corporate security or the impact of their SaaS choices, only their job-related needs.

2. Develop and enforce clear policies regarding SaaS usage, particularly AI. According to a survey conducted by The Conference Board, 57% of respondents said their organization doesn’t have an AI policy in place, and 17% were unsure. Without proper guidance, employees will make decisions independently. Develop guidelines for employees and educate them on your corporate policies.

3. Leverage technology to monitor and manage SaaS usage. Relying on employees to report new SaaS to IT is a worthy idea until the human factor sets in. Employees forget, and manual processes create organizational inefficiencies. SaaS identity risk management tools like Grip can help gain visibility into SaaS usage, identify unauthorized apps, automatically detect new apps, enforce security policies, and flag which apps should be moved to SSO or MFA, reducing your SaaS risks while still empowering employees.

Final Thoughts

Gartner predicts that employee-driven SaaS will only grow. While business-led IT can be perceived as undermining an organization’s security protocols, the benefits can lead to enhanced business performance. Leadership plays a critical role in cultivating a forward-thinking and secure business environment. By understanding and addressing the challenges of employee-initiated SaaS, we can steer our companies toward a future where innovation and security go hand in hand.

To learn more about Grip and how the SaaS Security Control Plane empowers business-led IT while securing your SaaS environment, book time with our team.

‍