A new report from Snow Software suggests IT leaders are seeking more guidance on managing risks associated with generative AI tools like ChatGPT, even as they continue to grapple with longstanding challenges securing and optimizing software-as-a-service (SaaS) applications.
The Snow Software SaaS Management Survey of 1,000 IT leaders found 96% remain confident in their SaaS security posture overall. However, 23% called out generative AI apps as their top SaaS security worry.
The data implies IT teams harbor anxieties about potential dangers from their collective apps, with 40% worried about data protection and privacy despite most having extensive security tools. There also appears to be some confusion over who's accountable for purchasing and managing SaaS apps, with IT asset management (ITAM)/software asset management (SAM) teams and CIOs most often cited.
Meanwhile, controlling SaaS spending remains a pressing worry, though 90% expressed confidence they could identify savings.
"It's interesting that 96% of IT leaders reported they felt confident or very confident about their organization's SaaS security measures," Becky Trevino, executive vice president of Product at Snow Software, told ITPro Today.
SaaS Visibility and Management Remain Key Challenges
Although the vast majority of organizations are confident in how SaaS is handled, that confidence could well be misplaced.
What Snow Software has found when it runs its SaaS management solution in a new environment is that nearly all IT leaders are shocked by the number of SaaS applications they didn't know were in use in the organization, according to Trevino. That reality would seem to indicate a severe visibility gap between what IT knows is running and what end users are consuming, she said.
"In future years, this visibility gap is going to present a higher risk for IT than it ever has before," she said.
Generative AI Is Compounding Security Concerns
The rise of generative AI with ChatGPT is a top-of-mind concern for respondents to the Snow Software SaaS Management Survey. The data shows 23% of IT leaders view generative AI applications as the top security threat among SaaS apps. This outpaces concerns over other technologies like open source or file sharing. More than half of respondents also indicated alarm if a vendor used generative AI without informing them.
While IT leaders in last year's Snow SaaS survey had general SaaS security concerns, generative AI has emerged as the main driver of uncertainty in 2023. The unknown risks posed by generative AI are causing substantial anxiety, more so than other innovations.
SaaS Shadow IT and Cloud Accountability Risk
A key observation in the Snow Software report is that there isn't clear consensus on accountability overall for SaaS.
Trevino noted that most organizations lack a single owner for SaaS management in the organization. This responsibility is typically delegated to individual business units and/or heads of operations within functional units. In these scenarios, IT organizations typically manage the larger applications, such as Salesforce or Microsoft 365.
"In our view, the CIO is the one person in an organization accountable for all SaaS usage and spend regardless of where the application is used or procured," she said. "The reason we think this way is that the CEO and the board need their own person in the organization responsible for the safe use of technology, and that responsibility falls under the CIO."
Trevino emphasized that CIOs who do not take an active role managing SaaS — even if the spend sits in the business units — are failing their role. Snow Software's recommendation is that the IT department identify a group in its organization, whether that be IT asset management or FinOps, to take ownership of SaaS management. That group should then manage governance in partnership with finance, procurement, and individual business units or operational heads of business.
How to Better Manage SaaS Cloud Spend
Organizations also continue to face challenges when it comes to controlling SaaS spending. Part of the challenge stems from a lack of visibility.
"There's an old saying in IT: You can't manage what you can't see," Trevino said. "The first step is to define an owner and quickly after that is to get visibility of what SaaS is running in the environment both in terms of spend and actual usage."
According to Trevino, there are many SaaS freeloaders in an organization. These are the people who use up a license but rarely use the application. IT needs to have tooling in place to discover SaaS applications, measure usage, and optimize spend.
"With this tooling in place, IT leaders can rein in SaaS sprawl to better manage costs and also identify the hidden risks from SaaS sprawl and usage of generative AI tools like ChatGPT," she said.
About the authorSean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.