This is part of our ongoing series, The Lost Art: How to Win Buy-in From Key Stakeholders.
Note: This guide concerns gaining buy-in for a SaaS Management Platform (SMP). But the principles apply to any major project! Check out these resources to learn more about SMPs and how they can transform your relationship with software and shadow IT.
- What is a SaaS Management Platform?
- Gartner® Magic Quadrant™ for SaaS Management Platforms
- What is Shadow IT?
“Security is not a product, but a process.” — Bruce Schneier
Security is a complex, evolving, difficult, and often thankless process. Unfortunately, most people forget that their security team exists until something breaks or they’re forced to undergo training.
However, security plays an essential role in defending your organization against bad actors and user error alike, and their success is IT’s success.
Security and IT often work together, though they emphasize different priorities. But, in this piece, we’ll explore how you can find common ground and mutual benefit with your Security peers. By building a bridge of trust and cooperation, both teams can benefit from more app visibility, risk management, data mapping, and user management with a SaaS Management Platform.
But before you can gain the attention of your colleagues, you need to understand what matters to them!
Security Professionals: The Guardians
What they care about: Data security, risk mitigation, and compliance.
Security professionals care about security. Seems obvious, but it’s an easy thing to forget. If you want to build a bridge of cooperation with these colleagues—remember what makes them tick. Maintaining data security, understanding risk throughout the organization, and staying compliant with industry regulations (more on that later).
If you plan to introduce the topic of a SaaS Management Platform, you will want to understand the security implications inside and out.
Talk Outcomes—Not Features
One of the most common pitfalls for IT in these buy-in conversations is to fixate on the “how” of a tool instead of the “who cares?” For technical buyers, the “how” validates the use case. The mechanism of success is evidence of success.
However, unless you can get them to care, the features simply don’t matter.
That’s why you need to talk about outcomes. More specifically, business outcomes that are relevant.
Finding the Outcomes that Matter
Another common error with a buy-in conversation is to focus on the wrong outcomes. Just because a tool or service has a positive outcome doesn’t mean it is worth the time or effort. After all, as any five-minute stroll through a tradeshow will show you, there are thousands of solutions with positive outcomes. The key is to find the outcomes that matter to your organization and are worth the work (because there will always be work).
The outcomes that typically matter most to Security are solving problems.
What Problems MUST You Solve?
While this might sound broad, it’s more narrow than you might think. Every company is full of problems. Some systemic problems undermine your company’s ability to thrive or even function. Other superficial problems are tolerable, at least for now.
It’s important to identify the systemic problems that must be addressed. These areas will drive interest and adoption from your security team.
Looking for Trouble
If you grew up in the 70s, 80s, or early 90s (RIP Zoomer’s independence), you probably heard your mother say something like, “Don’t go looking for trouble.”
Well, I’m here to tell you that in this case, you should go looking for trouble (and also, you should call your mom). The trouble you want to find is when a vulnerability or blindspot prevents the company from maintaining a sound security posture and adhering to relevant compliance standards for your industry.
Do you have a problem that is preventing or threatening compliance with an industry standard (think HIPPA, SOC2, ISO 27001, GDPR, etc.)? If so, that is a must-solve problem!
Note: One of the top issues organizations face is a full understanding of the flow and storage of their data. That’s why we created this guide on how to build a data map.
Similarly, if your company has completed a risk assessment (such as MIST or CIS), that can help you identify some of the gaping holes in your security posture. These problems will be at the forefront of security leadership’s mind. Below is an example of how to use this assessment result to talk to Seuciryt leadership about a SaaS Management Platform.
Example: Using CIS Results
One of the most popular Risk Assessments comes from The Center for Internet Security. Their RAM (Risk Assessment Method) focuses on helping companies implement and assess their security posture against the CIS Critical Security Controls (CIS Controls) cybersecurity best practices.
If your organization uses this assessment, a number of blind spots or vulnerabilities might emerge.
Inventory and Control of Enterprise Assets (CIS Control 1): For those familiar, outside of a SaaS Management Platform, CIZ Control 1 is virtually impossible to maintain due to decentralized app adoption.
Inventory and Control of Software Assets (CIS Control 2): Managing the lifecycle of SaaS applications, including license optimization and identifying unauthorized software, is essentially a full-time job without the aid of an SMP. Few companies can keep up with this work without an automated solution.
Data Protection (CIS Control 3): Your data is precious and difficult to monitor. SaaS Management makes it easier to create a Data Map to ensure that you know exactly where it’s stored, who has access, and if it’s actually secure.
Secure Configuration of Enterprise Assets and Software (CIS Control 5): Ensuring proper security settings for SaaS applications, such as disabling unnecessary features and configuring security policies correctly.
Account Management (CIS Control 6): SaaS Management Platforms often integrate with identity and access management systems to streamline onboarding, offboarding, and user permissions.
Other Ways a SaaS Management Platform Addresses Security Key Priorities:
- Data Security
- Start with visibility into shadow IT: Security teams hate shadow IT just as much as IT. It feels like fog of war, blinding them to the possible threats in everyone’s browser. Today, that threat is further amplified with shadow AI—a new wave of tools that ingest, train on, and leak sensitive IP like no one’s business.
You can only act on what you see: To get their buy-in, you must highlight how a SaaS management platform shines a light on all those unknown apps, helping them assess risk and control access. For example, at Torii, customers typically find approximately three times the number of apps that they expect.
- Use facts, not just emotions: Reinforce your message with real stats. You can pull these from our SaaS Benchmark Report:
- The average company has 600 apps in its ecosystem, with enterprise organizations having 1,174
- 7 of the top 9 shadow IT apps are AI tools
- 66% of your apps have been idle for the last 30 days
- Emphasize real-time monitoring: Nobody wants to feel behind, good SaaS Management Platforms allow you to stay on top of SaaS adoption in real-time. For example, with Torii, you get live updates whenever someone adopts a new app and even create workflows to send the user an information form to fill out so you don’t have to do deep digging later.
- Risk Mitigation
- Risk mitigation is broad: For the best success, it helps to know what risk factors keep your security team up at night. Is it managing access and permissions? Timely offboarding? Are they worried about unpatched vulnerabilities that could be exploited? Concerned with phishing attacks and social engineering targeting employees? Dissatisfied or negligent staff? Challenges with securing cloud environments or remote work setups? A SaaS Management Platform can’t help in every situation, but the more you understand your security team’s priorities, the better equipped you’ll be to have a thoughtful conversation they care about. Remember, they’re busy—don’t waste their time! Here are some of the risk-related use cases that you might mention.
- Risk from user access management: Managing permissions across many apps is tough without proper tools. An SMP automates user access, ensuring only the right people have appropriate permissions.
- Real-time offboarding: Delays in removing ex-employees’ access can lead to security risks. An SMP automates offboarding, instantly revoking access to all SaaS apps they use.
- View app risk levels: Torii lets your security team see app risk levels based on OAuth scopes—categorized as high, medium, or low risk—helping IT automate security workflows and make informed decisions.
- Block access to data for third-party apps: Torii blocks blacklisted third-party apps from accessing company data. When employees grant access via Google Workspace, Torii revokes permissions in real time, keeping your data safe.
- Process automation: An SMP automates frequent admin tasks, reducing errors and ensuring protocols are followed, which minimizes risks from incomplete or incorrect manual tasks.
- Integration with core tools: A SaaS Management platform enhances your existing tech stack without replacing it. For example, Torii improves SSO solutions such as Okta.
- Risk mitigation is broad: For the best success, it helps to know what risk factors keep your security team up at night. Is it managing access and permissions? Timely offboarding? Are they worried about unpatched vulnerabilities that could be exploited? Concerned with phishing attacks and social engineering targeting employees? Dissatisfied or negligent staff? Challenges with securing cloud environments or remote work setups? A SaaS Management Platform can’t help in every situation, but the more you understand your security team’s priorities, the better equipped you’ll be to have a thoughtful conversation they care about. Remember, they’re busy—don’t waste their time! Here are some of the risk-related use cases that you might mention.
- Compliance
- Regulatory compliance and reporting: Compliance is non-negotiable for security teams. They need to know that every SaaS app complies with the necessary regulations, whether GDPR or SOC 2. Show them things like Torii’s security page, which breaks down Torii’s security posture.
- Audit logs of all actions: A good SMP will keep a detailed record of every action taken from the platform. This gives you a detailed audit trail and a quick way to identify process errors.
- Automatically identify compliance certificates: One feature security pros love is Torii’s compliance certification tool—it automatically verifies whether an app has GDPR, SOC2, or ISO 27001 certifications. You can use this data as a branch in your app discovery workflows to take different actions based on the app’s compliance.
- Regulatory compliance and reporting: Compliance is non-negotiable for security teams. They need to know that every SaaS app complies with the necessary regulations, whether GDPR or SOC 2. Show them things like Torii’s security page, which breaks down Torii’s security posture.
Putting it all together—sample message:
Ok, you’re now equipped with a better understanding of your security team’s priorities and a list of relevant features to help them achieve their goals. But how do you start the conversation?
First, know your contact.
Figure out who has the authority to back up this initiative and who would benefit from it’s success. A great contact would be someone who sees this technology as a way to better align IT with Security’s GRC initiatives. Some example contacts would be the company’s Chief Information Security Officer (CISO), Director of IT Governance, Risk, and Compliance (GRC), VP of Information Security.
Existing rapport is best.
Your chances of success will improve the better your working relationship with this individual is. If you’ve shown a reputation for commitment to projects and reliability, you will have much more success when asking for support. After all, no one wants to back an erratic project owner.
Structure your message.
You’ve heard it before, but when you write a message to you teammate, you want to get to the point—fast. (They’re busy, remember). Use this template to structure your message:
Sample message
Hi [team/name],
[hook—why they should read on]
[state the shared problem or need]
[introduce your solution]
[provide relevant evidence or benefits]
[timeline or urgency]
[next steps]
[thanks]
Best,
[your name]
Now, let’s see how that looks in practice. You can use this message, but remember, a personalized message related to your team’s specifics will be much more effective!
Hi [Name],
I've been thinking about how our departments can collaborate to strengthen our organization's security posture.
With the increasing adoption of SaaS applications across the company, we share a challenge in maintaining data security, mitigating risks, and ensuring compliance.
I believe that by jointly mapping our SaaS landscape, we can gain better visibility into where our data resides, who has access to it, and how we can address any potential vulnerabilities.
This collaboration could help us meet critical controls outlined in frameworks like the CIS Controls, enhancing both our teams' effectiveness.
Given the rapid pace at which new apps are being adopted, it might be timely for us to address this soon.
Would you be open to meeting next week to discuss this further?
Thanks for considering, and I look forward to the possibility of working together on this.
Best,
Thank you,
[Your Name]
One piece of the puzzle
In addition to Security, you should have similar conversations with other stakeholders throughout the organization. In every instance, the conversation should be kept relevant to their needs while also making it clear that the tool is ultimately what IT requires for managing SaaS. You’re not trying to replace any other tool; you’re trying to enhance everyone’s daily work because everyone’s work involves SaaS!
Ultimately, it’s about helping them maintain control and stay ahead of potential threats.
Good luck!