Gürkan Berkan: Protecting the Business from SaaS Risks at Coupa

These days, it’s common for business units and even individual employees to purchase their own SaaS solutions without involving IT or procurement. Each unapproved app introduces risk to the business. In our latest episode of SaaSMe Unfiltered, Gürkan Berkan, Director of IT Compliance at Coupa Software, shares how his company leverages a SaaS management tool to gain visibility to SaaS risks and ultimately, protect the business. 

Episode Summary

In the past few years, we’ve seen the growth of SaaS explode. This growth has largely been fueled by business units and individuals purchasing their own SaaS solutions. 

“There has been an increasing demand from end users to onboard new systems, new tools,” said Gürkan Berkan, Director of IT Compliance at Coupa Software. “And with these tools being as easily accessible to a browser, it just opened the opportunities to onboard lots of tools in a very fast manner. Very soon, things started to get out of control.” 

The fact that SaaS is easy to purchase isn’t necessarily a bad thing. When employees have easy access to the tools they need, it can make them more effective – and improve their experience with the company. 

“We like to enable our end users to have the freedom of choice when it comes to the applications they want to use on a day-to-day basis for them to do their jobs,” said Gürkan. “But there’s always a thin line between giving freedom versus reaching that uncontrolled chaos.” 

Each unvetted app that’s brought into the organization introduces risk. Organizations must make it a priority to shed light on all SaaS – regardless of who purchased it and how it was purchased. This visibility is key to ensuring compliance and mitigating risk.

“If we don’t have visibility into our technology, we expose ourselves,” said Gürkan. “For that reason, having that visibility… in a very easily digestible manner that you can access very quickly is very critical. If you don’t have that then you’re really missing the picture. And if you’re missing the picture, you don’t know what you don’t know when you’re exposed.”

Guest Spotlight

Name: Gürkan Berkan
What he does: Director, IT Compliance at Coupa Software
Connect with Gürkan online: LinkedIn

Episode Highlights

A Lack of Visibility Into The SaaS Landscape Leaves Your Organization Open to Risks

“If we don’t have visibility into our technology, we expose ourselves. And for that reason, having that visibility….in a very easily digestible manner that you can access very quickly is very critical. If you don’t have that then you’re really missing the picture. And if you’re missing the picture, you don’t know what you don’t know when you’re exposed.”

A SaaS Management Platform Fuels Informed Decisions

“Zylo really gave us a good baseline of, at least for the technology side of it, being able to see and predict all the SaaS. Again, being able to understand, what is being used where? How much money is being spent? And what has been approved? What has not been approved? And how many users are there? All of that. From there, once you have that as a tool to support you, then from there you can build very effective monitoring programs and make more informed decisions about your technology acquisitions.”

There’s a Fine Line Between Employee Choice and Uncontrolled Chaos

“We like to enable our end users to have the freedom of choice when it comes to the applications they want to use on a day-to-day basis for them to do their jobs. But there’s always a thin line between giving freedom versus reaching that uncontrolled chaos. Finding the right balance is where that governance comes into the picture. More often than not, we still have lots of applications that the end users are trying to bring in. And yes, there are duplicates. They already exist. Or maybe it’s not a solution that we want to support because it doesn’t meet our security standards. But when we have the governance, at least we’re able to have a dialogue about these things. And with dialogs, we’re able to make those informed decisions. That’s really what it all comes down to, being able to have that dialog and figure out what’s best for the organization. And while doing that, if we can also increase the efficiency and effectiveness of the way that our end users are working, then that’s a win for all of us.” 

Spend Management is Increasingly Important in Today’s Economic Climate

“We are encouraged to be more detail-oriented. We’re encouraged to take a look at our spend a little bit more carefully. And we’re encouraged to also look at our technology stack better. Because maybe there are some outdated systems there or maybe there are some systems that we don’t really need. We’re definitely looking at these things and trying to slim down. We’re slimming down as necessary.”

It Takes a Village to Manage and Measure Risk Compliance Internally

“It takes a village. These task solutions have gotten so complex. And they all have their own unique delivery models where risks are always changing. And really being able to understand what the risks are for any given SaaS and being able to come up with ways to address those risks is a full-time effort. In Coupa, we do that by teaming up with professionals from other departments. Because we have engineers. We have GRC. We have privacy. We have information security. And we have legal. Usually, it’s a combination of some representatives from all these groups coming together and figuring out, ‘Okay. Well, here are the risks related to this SaaS solution. And what do we have to address these risks? Do we need to do something different or can we leverage what we already have for us?’ And then we’ll take action accordingly.” 

Shadow IT is a Key Metric

“Shadow IT is something that we monitor closely. We don’t really care about the number of shadow IT applications found or new internal IT applications that’s coming. But we care more about what’s being managed, and what is being closed, what is being tracked down and what actions are being taken. That’s something that we’re monitoring and that’s something that we’re measuring as a metric.”

Visibility is Critical During Mergers and Acquisitions

“M&A is a very, very tricky thing to navigate. Being able to quickly discover the SaaS portfolio of that M&A prospect is extremely crucial. Typically, everything is very accelerated in an M&A process. And the M&A teams, they don’t always have the time to do the full, complete due diligence to get a complete picture of what the technology SACs look like. Again, having a powerful tool such as Zylo to be able to give the M&A team that complete picture comes in the very end. And it will definitely help the team to save time and be ahead of the game. Because when you have the full picture, then you can strategize. And you can go and take a look at, ‘Okay, what fits in my organization?’ or, ‘What doesn’t fit in my organization?’ or, ‘What can maybe, in the future, fit in my organization?’ But through reviewing all of that and coming up with decisions to keep, or some things maybe you don’t want to keep, is extremely valuable.”

Top Quotes

7:56 – “If we don’t have visibility into our technology, we expose ourselves.” 

12:57 – “But there’s always a thin line between giving freedom versus reaching that uncontrolled chaos. Finding the right balance is where that governance comes into the picture.”

13:30 – “That’s really what it all comes down to, being able to have that dialog and figure out what’s best for the organization.” 

18:32 – “It takes a village. It’s not one person sitting at a desk and looking at risk and compliance.”

24:18 – “When you have the full picture, then you can strategize.”