SaaS Governance Redefined: How to Empower Employees and Maintain Security & Compliance
Eric Christopher: All right. Hello. Thanks to everyone for joining today. We're going to just take just a minute here and let folks trickle in right here. It's just one o'clock. We'll let folks settle in and then we'll get started. All right. I think we're ready to go. So, thanks to everyone for joining. Just want to say hello to everyone and appreciate the time this afternoon. Excited to dig in a little bit today. I've got a couple special guests that I want to introduce here in a few minutes, but I'm excited to talk about SaaS governance. I think it's an important topic of our times right now in software, especially, and I'm particularly excited to jump into a concept called freedom within a framework, which is a way to manage SaaS governance and excited to talk about that as well. Before we get started, just a few housekeeping items that we just want to hit on. First is, we love questions and I'm hoping you'll participate and submit some questions. So, we have an Ask Question box in the software application we're using today. And so, please submit your question and we'll find some time for Q&A at the end. You can access this session as a follow-on at the registration link that was available to you and how you accessed today. And we'd love to get feedback at the end, so there's an exit survey and we'd really appreciate you spending some time and just letting us know how we did. And then that way, we can use that to inform our work for future sessions. Appreciate that. I'm delighted to introduce two guests that have joined me today. First is Jim Goldman. He's the CEO and co-founder, so fellow entrepreneur, building a company to help organizations manage really security and risk, which he can share a little bit about, and also has spent decades in managing security and governance for cloud companies and very progressive work there. So, excited to dig into that. And then also like to welcome Jose Martinez.
Jose is the SVP and CIO of OneAmerica, which is a fast-growing holding company, financial insurance organization, and managing in a high-risk type of an industry and environment. So, excited to hear from him for a real-life use case of SaaS governance. And then for those of you that don't know me, my name's Eric Christopher, I'm the co-founder and CEO of Zylo, and we help companies manage SaaS. And so, we live and breathe every day how to help organizations manage the complexity of software that we're in today. So, what we're going to cover today, this will be, I think, a great discussion, first is we're going to talk a little bit about why SaaS governance is important. So, Jim's going to share some perspective on that. Second, I'd like to introduce how to take a practical approach to implementing a realistic governance program for software. Talk a little bit about what that looks like. And then, Jose's going to join me on the virtual stage to talk a little bit about how OneAmerica manages and thinks about governance today, so I have a real-life example, and then we'll finish out with some Q&A. So, let's set the stage. So, why is SaaS governance so important? I'm going to ask Jim to join in. Before we do, I wanted to just poll the group to get a little feedback. If you'll participate with me here. First, I'd love to get your feedback on how you each feel about shadow IT. Shadow IT, let's, for today's purposes, think of it as employees buying or adopting software on their own without really running through approvals and things like that in the organization. So, is your organization, do you view it as no tolerance to it? Do you view it as just an inevitability, because that's just the way software is really being purchased in a distributed way? Or even, do you look at it as a positive, as a source of innovation? So, I'd love to hear from you. So, you should be able to just do a quick response right in the application here.
And we'll look at results as these will come in. I think these might come in here towards the end. So, we'll do one more poll here is, how do you feel about the term governance? And the reason why I wanted to ask this question is, CIOs and just IT leaders, finance leaders, when we talk about governance, some love to describe their work exactly as it is, governing and putting in programs in place. Some CIOs and IT leaders I've spoken with really try to avoid words like governance, and they err toward terms like empowerment and entrust, and really want to be a business partner. So, I'd love to hear if you view it as governance or you like to call it something else in your organization. We are having some technical difficulties with the poll. So, it's capturing the results, but I think we'll do a little follow on, on the results, after the webinar today. All right. Well, thanks for your submissions and we will follow up. So, let's dig into why SaaS is important. So, Jim, I first want to get started with a little background, and if you want to add a little perspective, please do. A background on Jim, he's led enterprise-wide security, governance, and compliance. Prior to him founding Trava, he spent time building the first GRC organization at Salesforce. And then also, he's spent time with the FBI in working on cyber crime, which I think is really fascinating, we want to spend time maybe learning about that as well. So, Jim, thanks for joining us today.
Jim Goldman: You're welcome, Eric. It's great to be here. I appreciate it.
Eric Christopher: Well, let's dig in. What's the worst thing you found in the FBI cyber crime work? No, I'm just joking. Why is-
Jim Goldman: I would tell you, but I'd have to kill you. Yeah.
Eric Christopher: That's what I figured, so I'm going to stay away from that. All right. So, let's start with, why is SaaS governance important? We'll start there.
Jim Goldman: So, SaaS governance is important, but it's a subset of a larger governance, right? IT governance, etcetera. And the best way to understand its importance is to look at, what does the absence of governance look like? I've always felt like the need for governance can be justified by looking at what happens in the absence of it. In the absence of governance, you have nothing but chaos, right? And what does chaos lead to? It leads to wasted resources, both in terms of people's time, human resources, and also money, financial resources. That's inevitable. And that can lead to employee burnout, degradation of morale, because nobody knows what the rules are. And also, it can potentially lead to financial ruin. Governance on the other hand leads to, as you I think brilliantly described it, freedom within a framework. So, that leads to predictability and predictability leads to trust and trust leads to increased speed of execution, regardless of the process involved. To shadow IT specifically, and this is near and dear to my heart, you're reducing risk, you're reducing cyber risk to the organization. Yes, there's financial advantages to SaaS governance, but from my perspective, the real benefit is the reduction of cyber risk that shadow IT poses.
Eric Christopher: That's great. What do you think about just software as a service, SaaS applications, as a subset of everything else? How is it different and how do you approach it differently and think about it versus other technology that you're implementing governance for, for a company?
Jim Goldman: So, the real challenge that SaaS applications present has largely to do, in my opinion, with the nature of the physical work environment, that is a reality these days, especially as a result of the pandemic with the remote working. Because people are not connected to a centralized corporate network behind firewalls, etcetera, etcetera, with centrally controlled and managed tools over what kind of software comes in, goes out, et cetera, et cetera. So, because large IT organizations have lost that centralized point of control, managing SaaS governance has become more and more of a challenge.
Eric Christopher: Yeah. That's great. I want to shift gears on just in general, when I think of security, we're talking about de-risking and I think there's some obvious inherent things that come with that, where you're making an organization safer and that's the job many times for security and governance employees, but how would you think about business value to something like this? You did mention employee morale and some of those kind of things, is that the direction you'd think where if you're reporting to a CEO as a CIO or a chief security officer, and you're thinking, "How am I measuring my investment in you? And how is that benefiting the company?" How do you think about that and anything related to value versus the trade-offs of risks and implications of the business?
Jim Goldman: Yeah. I think you can measure the value in a couple of ways. Clearly, the most obvious is the financial, right? And that is, are we making the best use of the number of seats, the licenses that we bought? Et cetera, et cetera. That payback is obvious. I think the less obvious, but in at least some cases, more significant financial gain comes from just speed of execution. In other words, when your processes become more predictable, because you're working within this framework, what happens is you have fewer exceptions, you have fewer anomalies, you have fewer of what I sometimes call dumpster fires. Every time you have one of these unpredictable or unforeseen events, that becomes an incident. In security nomenclature, every time there's an incident, we have to spin up an incident response team. That takes time. That takes resources. It's almost like, to use the analogy of a fire department, every time you call the fire department, that takes time, resources, et cetera, potentially some danger involved. It's not that different than every time you pull the alarm on a security incident in your company, because it turns out the root cause is some kind of shadow IT thing, that there was a vulnerable SaaS application that someone had installed, because of a lack of a governance program. Every time you call that incident response team, like every time you call the fire department, there's a cost involved in that. And it's not just the cost of the dollars, but perhaps more importantly, it's the cost of lost productivity.
Eric Christopher: Yeah. Yeah. That's great. When I think about the power of governance going beyond just risk and security and tying it to the business is so important. Speaking of, an interesting big business is Salesforce and your experience there. Salesforce is really known, even publicly, about being centered on trust. Trust is important. And I think you had some big shoes and responsibilities to really deliver on that promise. What were some of the learnings from that experience? I think people would die to know what it was like there, implementing programs under that type of expectation, and maybe, what are some learnings and challenges from that?
Jim Goldman: Yep. That's a really good question. So, you're absolutely right, Salesforce was all about the word trust rather than security. They saw security as a subset of trust. And that trust was multidirectional in that we wanted that mutual trust between our customers and Salesforce, but also within the teams at Salesforce. Right? And so, that was the whole point that we needed to get across with the governance, is that this is not some kind of onerous, top-down, restrictive, tie your hands, eliminate your creativity kind of thing, eliminate your autonomy. We had to get over that fear, uncertainty and doubt when we established the security GRC organization there. And really it was, again, to your point, it was this freedom within a framework. What we had to put in place was the governance that said, "Okay, this is going to be an equitable situation where we're all about driving down risk, and we all agree collectively that here are the risks that Salesforce faces in order to enable trust. And here's those prioritized risks. And that is the priority in which we're going to make our investments." So, it became what we called a risk portfolio management function. That's really what we were doing, is the risks were there for everyone to see. Part of the trust in the governance process is full disclosure, right? Transparency, if you will. There are no secrets. There are no backroom deals. There is no favoritism. "Here are the rules. Here's what we're doing." It's for everyone to see, that type of thing.
Eric Christopher: Yeah. Here's maybe a question, just popped in my head, you may or may not be able to answer it, but a lot of people love to hear, when we talk about SaaS management space, we have a lot of data on departments, employees, what applications, and one of the questions is, "Who's the bad actor or which ones are the biggest ones that are the biggest concerns, or departments or things like that?" Is there anything you could share on, at Salesforce maybe, or just in general, when you're working with departments, who would you work with most outside of IT when you think about governance? It could be a good story too, maybe departments that have done those effectively. Specifically, what departments would you mostly engage with when you're implementing and worried about governance? And then, were there any interesting stories, bad actor stories or things that might be interesting coming out of it?
Jim Goldman: Well, we hate to make generalizations, but I would say, let's put it this way, the toughest conversations I had to have were when people on the sales team failed their phishing tests and then did not engage in the remediation training. And we had a pretty strict policy. It's like, you had to do the remediation training within so much time, you'd get a warning, I'd let your manager know. And if nothing happened, we would disable your account. Well, I put my money where my mouth was and I disabled salespeople's accounts at the end of the quarter in order to get their attention, and believe me, it got their attention.
Eric Christopher: Yeah. Yeah. That's great. That's great. It's all about aligning the business. And I appreciate you going through some of these topics, Jim, and participating. Maybe one last question for you, what's Trava? What's it all about?
Jim Goldman: So, Trava comes from a passion from two experiences that I had, and you mentioned them both here. One was my time with the FBI when I was a task force officer, I was lead cyber investigator on both the criminal and the national security cyber squads. And on the criminal side, what I observed was that when a large enterprise had a major cyber incident, they'd take a hit on their reputation, but inevitably they were fine. And yet, when it was more small and medium-sized business, unfortunately, several times those businesses didn't recover and there was personal financial devastation of the principal or the business owner or something like that. And it always really bothered me and it stuck with me. And then after my experience, putting the governance in place at Salesforce, in terms of how to do risk management the right way, with a constant risk management portfolio management process, I thought, "Boy, why don't we find a way to do that in an affordable manner for the average small and medium-sized business?" That's what Trava is, is we bring risk and vulnerability management in an easy-to-digest, easy-to-understand format for small and medium-sized business, and including cyber insurance. Because, what some people don't realize is cyber insurance is an integral part of any good cyber risk management process. And so again, to make it easier for the smaller businesses, it's a one-stop shop. We do it all. We do the cyber risk management, assessment, mitigation, and then risk transfer to cyber insurance.
Eric Christopher: That's great. All right. Thanks, Jim. I appreciate the time.
Jim Goldman: Thank you, Eric. It's been my pleasure.
Eric Christopher: I appreciate it.
Jim Goldman: Love talking about this stuff.
Eric Christopher: Yeah. Awesome. All right. Well, let's shift gears. The central part of the topic is, how do you implement a realistic governance program? And think of the keyword here being realistic, after we just talked about thinking about why governance is important and how businesses are working. The times that we're in now and I think forever going forward is, we're moving fast. We're all technology companies, we're all relying on software and tech to run the businesses. And it's more important than ever that you have SaaS governance in place, but there's a lot of conflicting interests that I'll get into, between IT and employee experience. When we think of goals of SaaS governance, we focus on these four key areas. We see reducing costs as an important part of governance. It's not just security, it's part of the value of the business and the amount of investment that has to go into technology, which is really important. We just talked about mitigating risk and risk reduction, very important. Consolidating redundancies. Particularly in SaaS, the number of vendors that a company is using is typically in the hundreds, if not thousands, in big enterprises. And it's important to look at redundancies. Cost issues, but also where data's going, where employees are spending a lot of time and resources working between applications and context switching. So, there's a lot of reasons why governance is important for employee effectiveness. And then also, license optimization in provisioning. And it's thinking about taking a software asset management approach to licensing and really applying that out to managing hundreds of vendors that all have different pricing and licensing options and things like that, that are generally pretty complex. We're going to skip over this poll today, just the technical issue. But I want to just jump in and talk a little bit about centralized and decentralized. 
Generally, when I'll sit down with an IT leader, we'll talk about governance, and usually the question is, "Do you have governance or not?" A way also, you can think of it is, is it centralized governance and then maybe a decentralized approach? And most organizations, when they say governance, they start to describe a centralized environment where you're really trying to prevent software purchasing from happening from multiple points. You try to find ways to make sure that every application or new technology that comes in gets vetted and goes through security steps and things like that. Which is the absolute right thing to reduce risks and protect a company, but it's really in conflict with the speed at which businesses need to run. And it also sometimes holds back innovation on how software can be selected, where in a decentralized environment, how we describe that is, think of an example of a very fast growing company, that's growing, maybe doubling their employees every year. There's companies that are in that. But also for companies that have been through the pandemic, all of us, we had to empower our employee workforce very quickly with new technology. And it was really more about get software in the hands of our people quickly, so we can connect. It had less to do with, let's vet and control in every step along the way, to prevent that from happening. And so the downside of that, and I think a lot of companies are experiencing that, is they have a lot of software, a lot of unused licenses, where they have a lot of different applications, where now there's risks that are surfacing, and sometimes ones they don't even know exist, because there's just not visibility into it. As we've learned over the last five-plus years with enterprises, we're finding that the right philosophy for most organizations is to think about implementing a framework so you can get the best of both worlds and have freedom within that.
So, we call it freedom within a framework, and really it's setting up some centralized processes and getting visibility to the right people, but really enabling employees with good education and good options and good ways to buy software from within. And we're finding that's a good way to approach software as we go forward with how fast things are moving. So, I want to just talk about three basic steps. Certainly, there's some complexity and some things that have to be done in an organization and some change management, but these are three things that we believe all organizations can take on with getting alignment with the business and drive this through the leadership of IT in particular. So, first is identifying and monitoring SaaS inventory. So, I'll dig into a little bit of what that means. Second is establishing process and review. So, as software comes in, making sure that proper review and organization happens and then ultimately, optimizing that environment. And the third is really empowering employees, which is my favorite part, because as an employee myself, getting access to technology is important to do my job. And I think there's a lot of really great innovation that's happening and a lot of great opportunities for companies to really enable a great software experience for employees today. Time's never been better for it. So, let's start with identifying and monitoring your SaaS inventory. Typically, most organizations have a challenge with identifying software in the organization and mainly it's because there's so many buyers, it's really difficult to stay ahead of that. And we really encourage companies to analyze all the data that they have, which is typically disparate. So, you'll look at things like what you're paying for, so looking at employee expenses as an example. What's being paid out through AP, but also how our employees are accessing software directly through Okta or through the applications themselves. 
But it's really integrating a lot of systems to get one view. And that's possible today to do. Most organizations though, typically don't know this problem exists, because the visibility isn't there. And usually, it takes some big moment, some unexpected cost from a bill from one of the applications that comes in, or an employee leaves and doesn't have their access shut off or things like that, and that causes issues. And that's usually when the audit happens. And the problem is that if you're not doing it ongoing in real-time and have an effort around it, your information is always out-of-date. So, it's really, really important that you set up a discovery process and then ultimately, a monitoring process, through the data that you have and make sure a team is able to drive that forward and really monitor that in a close way. Then it's all about continually monitoring the existing portfolio. And so, it's not just new software, it's now looking and reviewing some of the software that's already there. And that's all about the second step, which is building process for review and optimization. So, once you've found everything and you've categorized it by function and by department and you have your ongoing system of record, now you can really start to make some progress on intake. One of the things that all organizations can do without any technology is establish some type of review board. It could be lightweight, but you want to get some key stakeholders. Typically, that's finance, IT, HR and legal, that's a good operational team. And then, start to look across the business into stakeholders that are going to be appropriate to manage the software and the budgets within the department. So, sales is a good example, typically there's a rev operations or sales operations group. Even the marketing has always been a big driver of the marketing stack. We've all seen the infographics of how large the marketing application inventory is.
So, getting key stakeholders involved with that is really important. And that's where you can put in things like expectations on the types of software, what kind of guidelines should be put in place from a security standpoint and those sorts of things. Certainly, I would encourage you to look for automation. Right now, there's so many vendors and there's so many new applications being added every day in most organizations, investing in automation tools, which they're available and there's different types, but making sure you do that to be at scale and to keep up with the amount of applications that are coming into the organization. One key area, we publish a report as a company, typically it comes out once a year. We also have the data more real-time throughout the year as we monitor SaaS trends within enterprises. So, out of an analysis of about $25 billion of SaaS subscription data through enterprises, we see some key areas of redundancy. And I mentioned earlier, one of the ways you can implement a good SaaS governance and reduce risk is through, is really reviewing redundancies. And we see categories like online training, digital assets, team collaboration is a key one that many of us see every day, project management, recruiting software, web conferencing, and file storage and sharing. Those are the top categories of software that we see organizations buying the most number of applications and have the most employees accessing different systems, to sometimes do some of the same functions in a company. And so, it's really important that you understand what you have and where those are. And then start to review those and begin to make sure that you have a good strategy around that. The third step is really about empowerment of employees. It's all about giving employees a great software experience. One of the biggest reasons why governance is so difficult is because the purchasing of the organizations is out within the business with employees.
That's what creates the challenge. One of the ways that you can start to change the shift, is change the mindset of your employees and make your company the best place to find software. And the way to do that is once you've established your system of record and your inventory, you can take steps of having accurate license counts and what's available, is then publishing that catalog to your employee base so they can find software. And why this is so important, is this is really the important step within enabling freedom within a framework. You've started to put controls in place for guidelines, reviews to happen. But now you should have, these could be 100-plus applications or more, now categorized and have data on them on how they're being used in the organization. Now you can push those out to employees for access, and you can do this in a variety of ways. There's companies that build homegrown systems. There's actually platforms that do this themselves. We certainly are in this business of helping drive this type of effort, but really it's just all about setting up these processes and doing that now, and then you can pick the right technology solutions to implement. It's so important, such an important step. I like to describe it as, the new challenge for IT is we're now competing with consumer expectations. We have employees that have the app stores on their phone, through their iPhone or through an Android phone, and that's how you access and you find software. The bar is, you have to make it as appealing as to go and search and Google and try to find applications, make it easy to have that same search process and request process, to find software, and make it easy to provision and give access and those sorts of things. So, those are the three steps. And if you can follow and begin starting this process, you accomplish a lot of the business value that we were talking to Jim about earlier.
You have complete ongoing visibility into your SaaS portfolio, important for so many reasons, especially to drive governance and reduce risk. You've got a software catalog being utilized by employees. One of the worst things that you have is shelfware, which is an old terminology, but any application going unused. You want to make sure that you're maximizing that. Improving your security posture, more important every day, especially as your business gets bigger, it becomes more important. Improving software utilization and adoption across the business, and really making employees happier with a great software experience, so they can be more effective. So, those are some great ways to think of what success looks like when this is implemented. So, hopefully some of those best practices... And we'll share, we have a white paper that goes a bit deeper, that we'll follow on with, that you could access as well. All right, next up, we're going to hit on our last part of the big discussion, and this is going to be a last but not least type of discussion. And so, I'd like to welcome Jose up to the virtual stage with me, Jose Martinez. So, thanks again, for joining me, Jose.
Jose Martinez: Absolutely. Absolutely. Thank you for the invite and it's my pleasure to be here.
Eric Christopher: Awesome. Well, let's talk about your background. I'll tee it up. I'd love for you to add any background with your experience. We've had a chance to meet several times and talk about SaaS. And you've been in the IT world for 20-plus years, and you've got a big responsibility in a highly regulated industry, being in insurance and finances, and you're managing really all of IT and cyber security now. So, any additional things you'd like to add on your background would be great. Maybe start there.
Jose Martinez: Yeah, no problem. My background started in infrastructure, which is heavily invested in asset management, inventories, cybersecurity, and the like. So, I've always been very front and center with all the tools and technology needed to essentially enable not only IT, but the business, because of that underlying layer. Obviously, I'm CIO now, but I've had that background experience, as well as the pain that came along with it, until you get it organized and governed, like you eloquently pointed out.
Eric Christopher: Yeah, that's great. All right. Well, thanks. So, let's dig into a few questions, I think will be fun to serve up to you and see what you think. First one is, what's your personal take? I talked a little bit earlier about centralized versus either decentralized or not at all, or this, we call it the Goldilocks, right in the middle. How do you personally view the idea of SaaS governance?
Jose Martinez: Yeah, great question. So, it's definitely a balance. But before I answer that question directly, let me first start with some additional context. I think it's important. So, as technology and the adoption of technology matures, and to move the business faster, as Jim noted earlier, the savviness of technology, we need to shift it left into the business more and more. The days of IT being the sole technology expert in the enterprise, it's over. So, all aspects of the business have to be enabled to move faster, move more efficiently and not necessarily always need IT. So, that partnership between IT and the other aspects of the enterprise are key to shift the culture in the direction. So, it isn't necessarily what we hear often, which is "IT and the business." Rather just running the business with technology being a key component of this. So, I say all this, because the concept of centralization or decentralization of governance comes into play here. So, yes, we need to manage our finances. We need a team that manages the overall architecture and the standards. We need to ensure we purchase what is appropriate for the enterprise. And we need to ensure we look at solutions from an integrated enterprise approach, as much as possible, rather than a siloed need approach. So, speaking with SaaS specifically, you need to gain visibility into all aspects of SaaS needs, funding, approvals, integrations, et cetera. But you can do this in a model where you have the appropriate governance between different aspects of the enterprise, business functions and lines of business, rather than having all decisions being centralized within IT. So, we've made these centralization decisions over time, because of the shadow IT occurrences we spoke of earlier, right? And we're all really familiar with that, and it's been built up over time.
But as you shift your partnership approach to the other areas of the enterprise, as you become a trusted component of the overall business model, and you provide more technology self- help capabilities, like you mentioned, to the business partners, such as low- code as well, right? Then an advanced grade maturity governance model is accepted, and you can still have the visibility into all these things we need to in order to manage SaaS, but you could decentralize certain components so that people can move faster and be more efficient, with less hurdles in their way. So, it can be a balance.
Eric Christopher: Yeah. That's great. I mean, when you think now, your role at OneAmerica, when you think about your approach to software governance, can you just share a little bit about your thinking there? Is it really just in line with that? Or, given that you're in a highly regulated industry, do you have to think a little bit differently? How does OneAmerica approach it?
Jose Martinez: Yeah. Great question again. So, we've definitely shifted over time. So, many years ago, we realized we were out of control in this specific area. We didn't have a good grasp on our overall SaaS spend. Our approval process was weak. I mean, we had employees just buying solutions on the fly. And in addition, enterprise architecture and integrated solutions, they weren't under serious consideration or priority. So, about five to seven years ago, we made a conscious decision and we centralized the approval process and model to solve all those issues I spoke of. We implemented software to give us the visibility. We incorporated solution review boards, software review boards, and better process to govern overall. This was a big component, we did shift the funding models into the IT operational budget. That allowed us to manage end-to-end for the enterprise and have clear visibility and holistic understanding of all our SaaS spend that we had as an enterprise. That's where we're at today. And it's been really positive, but we are right now looking to shift and improve further, to continuously improve. So, let me speak a little about that, of where we're going. So, all that sounds positive, but there is one aspect that is taken away and that's the essence of accountability from department heads when the spend isn't hitting their own operational budgets, regardless if we do a chargeback or showback model, that accountability is gone. So, while we have strong governance and architecture review boards and the like, we're looking to decentralize now the budget ownership aspect, to drive that accountability at all levels of the organization, not just within technology. At OneAmerica, we heavily speak of empowerment with accountability. So, use that word empowerment, I'm going to tag the accountability aspect afterwards, because I think they go hand in hand, right? And so, we look for governance that fits into this mold of empowerment with accountability.
So, it can't be, can IT afford more licenses? Or can IT do more, fill in the blank. It's, should we afford it? Should we invest in it? Is this our priority? It changes the mindset to ensure we have proper investment and reduction of waste, potential waste. And it also allows autonomy of decisions and priorities in a way.
Eric Christopher: That's awesome. Maybe just a quick hit follow up. Did you have a holy cow moment, when you identified it was out of control, when you first started tackling this?
Jose Martinez: Yeah. When you start looking at the budgets at an enterprise and you have no idea that you have SaaS products in the mix. And as a CIO, you have to secure it. All right? You got to manage to it and we're an integrator. So, as we start shifting IT from more buy versus build, and I have people buying things that I don't know of, that's a problem.
Eric Christopher: Yeah. That's great. What do you think, how do you define success for governance?
Jose Martinez: Yeah. Yeah. So, I would say, incredible sustained visibility, sustained is an important word there, into the financial [inaudible], utilization rates, operational measurements, and being able to integrate all these SaaS solutions and products into a holistic solution. Solution's got to be resilient and it's got to be easy, right? At OneAmerica, we have over 400 SaaS products. And we have to manage this holistically, because we've got to understand if they're up or down, we have to understand our spend. And we have to be "the protectors" of this. We want to know when there's a problem before our end users call us and say, "Houston, we've got a problem." No, we've got to get in front of it, we've got to be proactive. So, I would say measurement of success is really that sustained visibility and it's got to be resilient, scalable and resilient.
Eric Christopher: Yep. Yep. I like that. I mean, sustaining and ongoing is the themes of... We were talking really about ongoing, constant monitoring of a situation that's ever changing. So, that's great. One last question for you. I mean, with all, maybe the challenges or roadblocks that you've maybe faced, what kind of advice would you give someone to strike a balance and implement something that's realistic in most companies?
Jose Martinez: Yeah. I would say, before you just jump into governance, start asking yourself, "What's the problem we're trying to solve?" Truly deep dive. Is it just financial spend analysis or is there something deeper? Normally, it's something deeper. Sometimes it's integrated, stronger partnerships at the enterprise level. Maybe it's better operational measurements. Maybe it's up, down, organized budgets. So, start with the problem at hand and spend time deep diving, before you just jump into governance, because if you just jump into governance topic for the sake of it, you can create yourself a Frankenstein, which just devalues and takes away from what you're trying to accomplish.
Eric Christopher: Yeah. That's great. Well, Jose, thanks so much for the time and joining us, that was awesome to get a little bit of a real life perspective right now on the topic. So, appreciate it. Have a good day.
Jose Martinez: Absolutely. Thank you, Eric. You as well.
Eric Christopher: All right. All right. Well, let's close out. We've got a couple minutes here for Q&A. So, if you've got a question, please submit it in the Q&A chat and we'll try to cover it here as we wrap up. Thanks for joining today. Really appreciate the time. From a recap standpoint, governance, it's extremely important and it's important to have a framework. Governance, it's important, but it can't come at the expense of innovation and speed. And so, if you'd like to learn more about freedom within a framework, and actually look at how it's been implemented with specific companies, learnings from different companies that have implemented this type of approach, we have an ebook that you can download as a follow-up. So, to learn more, just go to our website or reach out. And I'm at @echristopher on Twitter, if you want to reach out to me there too, and happy to give you a little personal assist to get access to that. Really appreciate your time today. So, for Q&A, if you've got something, I've got a couple questions that did come in and we'll wrap up with any more that come in as well. One question is, "How do you de-risk vendor SaaS selection?" One of the points I made today, just to hit that, since we covered it, is really making sure that you have that review board type of setup, where you've got some cross-functional security, IT and financial checks as applications come into the business. That will help identify some obvious risks that sometimes come from software purchasing. From the employee base, it's really a lot of education and training that needs to happen. If you have a freedom within a framework approach, you're generally putting out some guidelines of the type of software that you would expect employees to look for, maybe entice them to come into an app catalog, to vet some of the applications that have already been vetted, but give them good options that changes that behavior a little bit.
And then also, make it really easy and frictionless to reach out to someone internally to ask questions about software, as it comes on board. There are many different vendors as well that have application data on risk and different metadata and things like that about applications, about what type of data they're storing and what types of policies each vendor has in place, and what type of risk as well. And so, that's another option that you can implement as well. Another is that, "A small business that works with larger corporations, how can we incorporate an enterprise mindset into governance as we future-proof our tech stack?" I think it's actually a great point. If you're a small company and you've got tens or thirties, or under 100 applications, and you've got an opportunity really to set the right behavior out of the gate. Our company at Zylo, obviously, ironically we're a SaaS management company, so we do use our own stuff. And one of the things that we think about is making sure that we're looking inside applications. We implement a lot of things, we're recommending where when we buy software, we put it up into what we call our Zybrary, which is our system of record, and compare and make sure how many applications we already have. And can we remove something if we add something and implement it? And so, I think just beginning early on with this kind of mindset early on, it prevents a lot of the challenges that a lot of enterprises are struggling with, because they didn't explore it when it was something invisible that you couldn't see. So, just a really good opportunity to start early. So, I know we're a little over here. If there's no additional questions, it looks like we're closing out. So, thanks again, everyone. Have a wonderful rest of your day and week. And check us out at zylo.com. And thanks again for the time. Thanks.
DESCRIPTION
Finding the right SaaS governance approach for your organization often feels like searching out an elusive balance. How can you empower and entrust business units and employees to purchase the tools they need, while still ensuring you don’t open up the organization to overspend and risk? Enter a new approach to SaaS governance - a strategy we’re calling Freedom within a Framework. Join Zylo CEO Eric Christopher, Jim Goldman, CEO of Trava, and Jose Martinez, CIO of OneAmerica, as they explore the importance of governance and this emerging approach. In this session you will learn:
- The rising importance of having a governance framework
- What “Freedom Within a Framework” is and how to implement it
- How OneAmerica strikes a balance in their organization
Webinar highlights:
- [07:12] Why is SaaS governance important?
- [08:58] SaaS applications and the challenges of remote working
- [10:15] Measuring the value of SaaS governance to an organization, and the cost of lost productivity
- [13:04] Freedom within a framework, and the interplay of trust and security
- [15:45] Who are the bad actors and biggest concerns?
- [17:42] What's Trava, and what's it about?
- [19:57] How to implement a realistic governance program
- [21:53] Centralized vs Decentralized
- [23:59] Centralized processes within a framework
- [25:20] Monitoring SaaS inventory and operating with a review board of key stakeholders
- [28:16] Automation, SaaS vendors, and reporting on an organization's digital assets
- [29:58] Reasons governance is difficult, and three steps to reduce the challenge
- [33:32] Jose's background in asset management, inventories, and cybersecurity
- [34:48] How Jose personally views the idea of SaaS governance
- [37:34] How OneAmerica approaches SaaS governance
- [40:55] A holistic solution with integrations
- [42:11] Advice to strike a balance for a realistic SaaS governance program
Today's Guests
- Jim Goldman
- Jose Martinez