8 Key Learnings about Shadow IT and Rethinking ITAM from Jeremy Boerger

About the Guest

Jeremy L. Boerger started his career in the Information Technology Asset Management (ITAM) industry, helping businesses build and rehabilitate successful software and hardware asset management practices. He is also the author of the book "Rethinking Information Technology Asset Management," which iterates on the best standards for ITAM teams. He founded Boerger Consulting LLC in 2016 to help businesses realize the potential of fully functioning ITAM and SAM programs.

What to expect from the podcast

Jeremy speaks about his Y2K experience and his struggles with on-prem software. He also talks about Shadow IT, the advantages and challenges of the cloud, and how ITAM has helped organizations break through the obstacles. 

Breaking of Transcripts

Jeremy Boerger About the Increasing Power of Our Computers and How SaaS Adoption Has Helped IT Companies to Work Efficiently

Jay:

Welcome to SaaS Whispers. We'll talk about how the history of SaaS can be a guide for the future and how to manage all of the goodness of SaaS. We'll also talk about how security should be a major consideration when choosing SaaS and how asset management software can ensure that SaaS in your organization doesn't get out of control. So to help us with all of these issues, let's bring in Jeremy Boerger. So, Jeremy, it's an absolute pleasure to have you on. Tell our listeners about yourself.

Jeremy:

My name is Jeremy Boerger, owner and founder of Boerger Consulting. I have recently published a book, “Rethinking Information Technology Asset Management,” which is a culmination of 20 years of experience in the ITAM sphere. My first job in IT was combating the Y2K bug and doing hardware and software upgrades through a manufacturing organization. My boss at the time said, you know, we don't want to lose you. But we've got this issue with our Microsoft Office agreement. And can you figure it out? And not only did I figure it out, but I also enjoyed it. The result set me on a trajectory to enter this field.

Jay:

I'm just curious if things evolved as you thought they would. We're here to talk a little bit about SaaS, but is this kind of the direction?

Jeremy:

In particular, we shouldn't be too surprised about SaaS. Because back in the day, say, 1970s, 1980s, nobody ran the software on their hardware. It was all on mainframes, and you access that software through dumb terminals. Well, the microprocessor, power, and price increased and decreased, and more of the software got run localized, but now we're seeing a shift to centralizing software and processing power. So it becomes easier for service support and cybersecurity. Instead of having all of these devices running around, consolidated back to what is essentially a main and a dumb terminal.

Spotlight or Focus Points:

✅ Jeremy Boerger talks about his first job and how he got inclined toward IT Asset Management

✅ How software was accessed in the 1970s and 1980s

✅ SaaS applications can be accessed from anywhere

✅ Cloud has changed the way of storing data

Jeremy About Why IT Asset Management Is Necessary for IT Companies

Jay:

Yeah, I see a parallel here to what happened with cable networks, when you would pay one bill and get all channels whether you need them or not. And now everybody's cutting the cord. So now, everyone has got their platforms. And I'm having difficulty keeping track of all my different subscriptions. And it used to be the same, you know, software companies would try and cater to every part of your business. And now, with SaaS, it's like it's all being divided up. And I think that specialization is good. But at the same time, it brings many issues; I don't know what we're subscribed to as a family.

Jeremy:

Right? Well, that's where you get into asset management, right? I should say that the total cost of ownership is becoming more and more difficult because you've got all this extra price demand coming out for the services. As you said, nobody got fired for bringing in Microsoft and IBM. But now, what if you don't like Microsoft? What if your preferred work area is WordPerfect if you're a lawyer, so the interoperability now becomes the key feature and, at the same time, almost kneecaps the demand for specialization? So why do we ask people? Well, do you know Word? Do you know pivot tables? Do you know this or that? Does it matter? But at the same time, if everybody's making all of these individual price decisions and purchasing these individual subscriptions because it's their personal preference, the cost spirals out of control.

Jay:

Yeah, I think that's such a great point. But, I don't know how many companies are aware of the issue because I work with several companies where if I need a SaaS program, I can subscribe to it and expense it. And so, how many different people like me within that company are out there expensing the SaaS programs, and how much duplication is there? So from what I hear, the company I work with is tracking all this on a spreadsheet. And I understand, but is that the most effective way to do that?

Jeremy:

No, it’s not, but what else do you have? Right. So this is where software asset managers, in particular, are not caught flat-footed. They saw this problem, and the personal credit card problem had been the bane of asset managers. As you said, if you had a personal or an expense card, you could commit the organization to whatever you wanted. But, the company did not have the tools or time to dig into those purchases and see what was happening. So that's where a strong Asset Management program, not just SaaS but also the hardware piece, is necessary. Otherwise, you are just hemorrhaging money, and you won't realize just how much money you're hemorrhaging. And that's, that's kind of sad. Especially when most organizations have the only avenue to stop unexpected software costs is layoffs, they have the only flexible action they can take on the employee side, not the technology side.

Jay:

This is just not an inventory program that says everything we have. They're more robust, right? You can grant access and permissions and describe how some of these programs work and why they'd be beneficial.

Jeremy:

Well, they're kind of all over the place, right? I don't think the market has decided on the best way to do this. I've seen programs that leverage artificial intelligence. I've seen programs that are heavy on the procurement side and those that are heavy on the security side. They sit on a firewall and watch the traffic going back and forth against known IP calls and import calls to catch SaaS Data Management. So I don't know where the best piece is. But it's a really exciting time because you're no longer just left at your own devices, which is why the spreadsheets are there. So there's a solution out there to solve this problem. Which is going to be the preferred solution, I don't know. But there's no reason not to have a tool to manage your SaaS anymore.

Spotlight or Focus Points

✅ Obstacles faced in keeping track of SaaS 

✅ A strong Asset Management strategy is necessary for SaaS as well as hardware

✅ Spreadsheets are not the best way to manage your SaaS

✅ To solve the problem of IT Asset Management, there are tools to manage your SaaS known as SaaS Management Platforms

Jeremy About Shadow IT and the Issues Related to SaaS Security

Jay:

Well, I think it should be a sign that you need a tool because there's a term out there that we use to describe this shadow IT, right? So if there's something that qualifies for its name, shadow IT, that tells me you probably want to prepare yourself and more against it.

Jeremy:

Right, but that also means you have a decision to make. One of the tenets that I described in my book is that knowledge of a problem inherently changes the nature of the problem. We call it shadow IT. But now you've got to make a decision. Are you going to attack it directly? Or are you going to whistle past the graveyard? And you'll get what you deserve, depending on your decision.

Jay:

Yeah, absolutely. One of the things that I'd like you to expand upon is security regarding SaaS. There was a time when you would have everything in the house, your mainframes, your IT department had to be hyper-concerned, and you had to run all your certificates and all of those things. And now you're counting on each SaaS piece of software or each company to do that, and I can see it's a benefit. You do not have to carry that burden anymore. But you're placing a lot of trust in these other organizations. I mean, a lot of times, they are the ones housing all of your data. So how can you have confidence in security in their SaaS programs? And what are they doing to ensure that safety? 

Jeremy:

Even scarier are the terms of an agreement you agree to when you pass your data over to a third-party SaaS system. Has anybody reviewed the contract to determine where the demand of a data breach, cybersecurity issue, or accidental leak occurs? Just because you are paying money to a third-party SaaS system does not relieve you of the obligation to manage that data. I can see the benefit of offloading some of this work and some of this control. But the risk is incredible. And I don't think enough is being done to it. NIST helps to have a national organization; HITRUST is assisting as well as having a private organization. But then you've got to start looking at the International piece, and it's still a wild west stance between who's really on the hook when you contract out your data.

Jay:

Yeah, for each security breach, if you're counting on another company to house all that data, as a corporation. That's a big concern. And then also, the consumer doesn't care. You can't tell your customer. Well, we paid somebody else to do it. And they're the ones that messed up. They're not going to let you pass the buck on this.

Jeremy:

Right, I applaud the folks in cybersecurity for bringing up the concept of reputation risk. What happens to your brand and your identity? If the customer base no longer thinks you're trustworthy enough to hold their data for their business, they're there to buy your widget. And it goes a couple of layers deep, right? It's not just the secondary and tertiary communications that happen. What about backups? This happened to me once, and I will do my best to change the names to protect the guilty. But a hospital organization contracted with a voice recognition program to do patient transcripts. The doctor would speak into a microphone, hammer out all of the nasty medical terminologies, and then insert that into the electronic medical record.

Great tool. Excellent. Saving time paid for itself without hiring a bunch of nurses to sit there and listen and type all that stuff. But the hospital was doing its due diligence. They said this data is patient data. HIPAA-controlled has to be stored on servers in North America. That was all well and good, except that a backup of their data center was stored in Romania. So the hospital did everything it thought it had to do. But the contractor is the one that's the bad actor. Because they sent the data back over to Romania, which got hit with a big bug, I can't remember what it was, I want to say WannaCry, and it shut down the service, this hospital for the better part of three weeks, had to go back to pencil paper and live transcriptions. I mean, now, that's not going to have what they refer to as an adverse patient outcome, which is usually terminal. But it was close. This shows how far your data can spin out of your control when you hire a software-as-a-service provider. So the owner still resides with you, even if the service support features and user management part of the contract get offloaded and out of your budget.

Spotlight or Focus Points

✅ Acknowledge the term shadow IT to look out for solutions

✅ Shadow IT refers to the apps that are not under the supervision of the IT department

✅ The terms of the agreement should be reviewed carefully before you agree to pass your data to the service provider

✅ Data breaches and their severe consequences

Discussion on Data Storage and People’s Cavalier Attitude Towards a Sense of Privacy and Security

Jay: 

Yeah, I'm just thinking about the companies and places that have my personal data. In some places, I'll share it stored in a file folder, right? But, in other places, it’s stored on their servers. And in other places, it's stored in SaaS applications, CSM software and those types of things. So, how much of your data is offloaded? I'm going to bet. And I'd love your feedback on this. The average everyday consumer believes that their data is stored at that company and that it's not being sent to other places or servers. And they're trusting you with that data. Would you agree with that?

Jeremy:

I would like to give you an example of our sense of privacy and protection, Okay? We go out for lunch, sit down, order and have a nice meal. Great. Time to settle the bill. What happens in this country? You give her your credit card, and she disappears with it. She comes back; here's your receipt. What happens between you give that credit card to a stranger? You might know her name. She disappears for the better part of three-five minutes and comes back. Everything's fine. 99% of the time? Absolutely. But because we have such a volume, it scales up, and credit card fraud happens. I'm not saying that you have to constantly worry about where your data is. But we're so cavalier on even the most basic transaction. So I am not surprised that cavalier is bleeding into signing up for free data story or AWS?

Jay:

Yeah. And then part of that cavalier is everybody using the same password repeatedly, right?

Jeremy:

Oh, use this password. That's why there's a great line. Fate works because everybody thinks it will be different this time.

Jay:

Yeah, it's such a great point. But, it takes me back to SaaS management if you're a company and doing your due diligence to determine if the SaaS product you want to use has the proper security. And you're doing that due diligence. And then one of your co-workers is doing the shadow IT thing and just signing up for some fancy widget they saw online, and now they're offloading your data onto that service. So this seems crucial to incorporate SaaS management software into your everyday operations.

Jeremy:

It's not enough to do your due diligence. You have to monitor and manage because there is no legal recourse for failure.

Spotlight or Focus Points

✅ The safety of the data that is stored on CSM software and other cloud-based services

✅ Example of people’s cavalier attitude toward a sense of privacy and security

✅ SaaS Management can help you protect your company from Shadow IT

Jeremy Talks About Future Casting for His Book About What Will Happen With SAM

Jay:

Do you think there's going to be a snapback from SaaS at all? I feel like I'm to the point now where I've got so many different streaming services that I long for the good old days. So do you think we're going to go back, that people will put, you know, electrical tape around the cord that they cut?

Jeremy:

I don't know. You mentioned the good old days. There's a demand for people to want to pretend that we could go back. Can you ever go back home at all? No. I am not sure. I did some future casting in my book about what will happen with SAM. Well, I see two events happening. The first is the concept of the digital twin, which comes from the work on the Internet of Things. You can do the data harvesting with remote sensors and these interconnected widgets. It creates a live, interactive, and real-time model inside a computer of what's happening in the real world. SaaS is here to stay, and data lakes are here to stay, and that's where it will live. The second prediction I make is blockchain, not Bitcoin or cyber, but they actually shared ledger distributed ledger and smart contracts that power how transactions and information are passed between individuals. And for that to work, it necessitates a multi-node approach. But you still have to share information back and forth. It's too cumbersome to have individual endpoints communicate with each other. It is much easier to have a centralized, at least handshake, backbone to get those devices to communicate, share information, and then pass data and transactions across to each other. So with those two predictions, I decided to put myself in a corner. I don't think we're ever going back.

Jay:

Right, I think you're right. There are so many things I love about SaaS. I love this specialization, right? I love that you can identify this smallest aspect and say we will deal with that. It becomes challenging for large software companies to have that level of maneuverability. I also think it keeps the competitive forces rolling. You got new SaaS programs, and I love how competition feeds progress and those types of things.

Jeremy:

Right now, yes. But everybody's trying to get their idea out in this kind of wild west where it all goes. There's also the threat of the monopoly that will come out of it. Remember, Amazon's web service was the only game in town for the better eight years when it launched in 2010. I mean, Google and Microsoft are doing their best to catch up. But now, Amazon has this headstart. They can now start to manipulate how these new startups are trying to interact and suppress their threat, suppress the threat to Amazon's activity, and it happens all the time. Right. Automobiles, locomotives, you name it. It's just the nature of the economic beast. So I agree with you. But we must pay attention to bad actors who try to undercut that new technology and growth.

Jay:

Yeah, I agree with you, and that's always a danger. As you pointed out, it's been a danger since the beginning of time. You get these behemoths that, you know, like you said, with Amazon, they see something on their platform that they love, they can buy it out, they can duplicate it, you know, they can do all types of things and just chase that potential competition out the door. 

Jeremy:

Yeah, and what does that leave us? That leaves us with a couple of huge players that can then dictate terms to what the consumer thinks they want.

Spotlight (or) Focus Points:

✅ Jeremy predicts two things for the future: one is a digital twin, and the other is a blockchain

✅ There’s the threat of monopoly. Amazon’s web service was the only one in town for eight years in 2010. Google and Microsoft are doing their best to catch up

Jeremy Talks About His Book and How It Can Help C-suite People To Optimize Their Spending on SaaS by Asking the Right Questions

Jay:

Well, tell us a little bit more about your book. Who is targeted, and what was your goal? What was the light bulb that said, this is something that needs to happen?

Jeremy:

It was powered by a bunch of red wine and chocolate-covered bacon, which is a story in and of itself, and you'll have to wait to hear it. Okay, the name of the book is "Rethinking Information Technology Asset Management," which is authored for the C suite, the CIO, the CEO, and the CFO, who is tired of getting hammered by the software auditors coming in, telling them that you don't know what you're doing with our software. We know better than you. You owe us money, and your job is probably on the line because you keep busting your budget. Getting your forecasts for the next fiscal year takes too long. We thought we were doing fine. Then, somebody bought something on a p card we weren't expecting; what the heck is this SaaS software that somebody in accounting decided they wanted to sign up with? It's all the same thing. So that's the audience, the person in control of the IT budget that is tired of getting rolled by their software vendors.

Jay:

Interesting. So basically, you're helping educate those people who are in charge because they probably don't have that IT background. And so they're being told something, and they have no way to go in and verify it. So you're kind of helping them get a little bit of education over those issues.

Jeremy:

Indeed, there's a particular language that you've got to learn, and you've got to learn facts. The difference between a client access license for a device versus an end-user is that I can only do so many JIRA calls in an hour. What do you mean that you're changing the terms from a core license to a CPU license or back again? And I can't figure out why. Nobody in my organization can say precisely how much this will cost, or can we save by moving to a different platform? One SaaS says this, and the other states that, but what's the actual cost? This book helps that person that C suite that responsible and accountable person, ask the right questions, get the correct data, and make the right decisions to push back on this money hemorrhage. That's bleeding away profit.

Jay:

Yeah, I can see IT trying to take advantage of your lack of knowledge a little bit, you use the word roll, and that has the imagery that I can see. I can see that playing out in the workplace.

Jeremy:

Yeah, one of the other things is that the best documentation will win. You’ve got to be able to get on paper in front of other people. This is why we're right. Here's why you're wrong. And push back. If you don't, the other person's going to win. And you will be playing their game instead of servicing you.

Jay:

Where can somebody get the book?

Jeremy:

There is the publisher's website, but it's also available on Amazon, Barnes and Noble, and in a couple of other independent bookstores. The ebook version is also available on Amazon and Barnes and Noble. It's also on Apple, ebooks, and a handful of others. So, wherever you prefer to get your trade paperback or PDFs, you'll find it.

Spotlight (or) Focus Points

✅ Jeremy talks about his book, which is authored for the C-suite people to make better and more informed decisions

✅ The best documentation will win. You’ve got to be able to get on paper in front of other people why you’re right.

Jeremy About Being on the Lookout for New Innovations and Technologies and Not Being Stuck on the Same Technology

Jay:

Well, Jeremy, it's been an absolute pleasure getting to know you, and I enjoyed the discussion.

Jeremy:

Thank you. It's so lovely, again, to look at what the future is bringing to the SaaS community. Between the players and the technology is so new and exciting. And like we said, I knew I was hard-pressed to see us pulling back away from it. This will be here to stay, and the sooner we get our arms around it, manage it, control the spending, and maximize the return on investment, the better.

Jay:

Yet recognizing it's going to come with some steep growing pains. Jeremy, anything else you want to add?

Jeremy:

What I would suggest would encourage the listeners. It's okay to play favorites. But be on the lookout for the next cool technology. Don't be so locked into one particular way or one special delivery. There are so many options out there. And businesses and user patterns are so unique. Find one that works. And if you don't like it, push back and find one that works better. 

Jay:

Yeah, I think that, from what I've seen, corporations like to find a solution that works for them right now. It's a great solution. And then they cling to it, right? It works for us. And technology moves forward. But you know that change within a corporation can be so tricky. And so I think, isn't that what you're saying, keep your eyes open, keep your head up and watch as innovation happens?

Jeremy:

Indeed, I can give you an example right now here. I know an organization is going through some growing pains with its SaaS management, incorporating a new SaaS platform into its PMO. And it's not going well at all. Because the organization is dictating, we've got to use this platform, which says we're flexible and can do however you want. And the PMO is saying we really want it to be like Microsoft Project. Well, we can't do that. Well, then, why are we?

And why can't you do it? Why can't you make it more flexible? Well, I think, especially from an individual level, the biggest risk that SaaS has right now is to get yourself locked into an old mode of thinking and missing out on the new tool and the next perfect fit because you're comfortable with technology, or you're satisfied with this relationship and fear, the latest and the innovative. And if it ain't broke.

Spotlight (or) Focus Points

✅ The SaaS is here to stay, and it is better to manage, control and maximize the return on investment in SaaS 

✅ Always be on the lookout for new technology rather than being stuck on one software

✅ There is a risk involved that companies may hook onto the same software as they get comfortable with the technology and miss out on the new technology.
