Comment by cosmie
6 years ago
I agree that becoming the official software across a large organization is a huge win. It makes your solution the path of least resistance internally.
But as far as using unapproved SaaS, they won't officially allow you to. But it does change the power dynamics at play considerably, since it's a matter of compliance rather than capability.
An unofficial piece of desktop software is a non-starter, since simply installing it would require notification to and the assistance of IT for the majority of corporate workers that don't have the proper privileges to install it.
An unofficial SaaS, however, can easily fly under the radar of regulatory and legal compliance teams, either via free tiers that don't require payment or via small enough T&E expenses that they never get noticed above the user's immediate reporting chain. This puts a soft limit on the amount of friction and red tape that IT and legal teams can put onto business users, because if you make it too hard for them to get the tools they need to do their job, they'll just go around you.
That leads to a lot of interesting dynamics.
- My current company uses Skype and Microsoft Teams for internal communication, but the way it's configured makes it super unreliable. IT has repeatedly expressed that the issues are user error, and not their problem. So we have entire offices and divisions that use unofficial Slack communities, some paid and expensed and some free. And it's already so embedded in various workflows (including client facing ones) that IT can't rote block it. It's now forcing our IT team to evaluate Slack as an official vendor, because we're using it anyway and they have no insight into usage (which leads to those regulatory and legal concerns you mentioned).
- My current company uses Exchange for email, but routes everything through Google for spam quarantine services. Our company email is a registered GSuite account, but every service (except the automated quarantine) is disabled because they don't want us using the other products. The division I work for does client consulting, and I need access to Google Ads, Google Analytics, and Google Docs (when a client dictates) to do my job. And many clients don't want to give access to personal GMail accounts. The solution? The account team that was most impacted is paying for and expensing an entire second, unofficial GSuite account on a random corporate subdomain they already had set up. IT even nudged me to that account team when I raised a stink about access needs. Turns out over 25% of the company is using that shadow GSuite account, and we're beholden to the good graces and P&L of the account team that's currently eating that cost.
- It's hard to police this. Even if you try to implement internal controls on the financials to catch these sorts of things, there are always ways around those. For example, I've seen plenty of clients leverage several of our existing agency retainers or contracts to have us acquire solutions on their behalf (which we use on their behalf, but also expand access to them) and just bill it as a passthrough cost against the existing spending authority. This would be a non-starter for desktop apps, but works really successfully for SaaS.
But as far as using unapproved SaaS, they won't officially allow you to. But it does change the power dynamics at play considerably, since it's a matter of compliance rather than capability.
Well, yes, in the sense that someone might manage to access such a system despite any corporate security barriers if, as you mentioned, they initially managed to fly under the radar.
Of course, if caught doing that without the appropriate authority in the kind of environment I was talking about, that person would most likely be fired immediately at best. Potentially they could be sued for more money than they would ever earn if they wilfully caused compliance violations that resulted in big financial penalties. Potentially they could even face criminal charges that could see them imprisoned, depending on the nature of the violation and the jurisdiction in which it occurred.
Personally, I wouldn't consider it ethical to try to attract additional business in that way. As a practical matter, it's also highly unlikely to succeed with customers in sensitive sectors like finance, healthcare or defence/security work, though of course those are organisations towards one end of a spectrum and the IT departments in less security-sensitive organisations wouldn't necessarily be deploying the same level of countermeasures.