Securing Executive Buy-In for SaaS Management in the Enterprise with Siroui Mushegian (Barracuda Networks)

Securing buy-in from your executive team is the most important ingredient for a successful SaaS Management program. No one knows this better than Siroui Mushegian, CIO at Barracuda Networks. In this episode, discover Mushegian’s approach to securing executive buy-in for SaaS Management, and how it’s helping drive application rationalization, security, and innovation in the enterprise.

Episode Summary

Whether you’re trying to save money, increase efficiency, or make the enterprise more secure, you must start with getting your executive team on board.

For Siroui Mushegian, CIO at Barracuda Networks, developing a good rapport and providing transparency into KPIs was critical. 

“I developed a single slide with nine boxes on it, and I put in every box an interesting metric that’s going to be attention-grabbing,” shared Mushegian.

Those data points helped executives understand the problem and monitor progress on the solution. Mushegian regularly reported on those nine metrics to maintain executive support. 

“We would get healthier by the quarter,” explained Mushegian. “I was able to show the value of this initiative almost immediately.”

Buy-in on SaaS Management goes beyond the C-Suite. It’s a critical lever within the business to help consolidate the applications in your software stack and ensure employees are compliant with governance policies.

Guest Spotlight

Name: Siroui Mushegian
What she does: CIO at Barracuda Networks
Connect with Siroui online: LinkedIn 

Episode Highlights

Build Rapport & Use Data to Secure Executive Buy-In for SaaS Management

“How do we get this in front of our executives and make this a really important corporate objective that we need everybody’s eyes on? What I did was I developed a great rapport with the executive team, and they knew that when I joined the executive leadership team meetings, I was going to be bringing something interesting to them, a problem that I needed them to be aware of. And I developed a single slide that’s got nine boxes on it, and I put in every box some interesting metric that’s going to be an attention-grabbing metric. One metric will be the number of SaaS applications in the enterprise. I’ll be able to tell them the exact to the dollar amount that we’re spending across all tools in the enterprise. I’m able to tell them how much in cloud spend, how much we spend in expensed applications, and a whole bunch of other things that I’m able to surface that grabs their attention. If they see that we have hundreds of SaaS applications, they’re wondering, how is that even a thing? If we’re spending tens of millions of dollars on SaaS applications, that’s confounding. They don’t get it. So this leads them to wonder, why are we talking about this? You must have some reason why we’re talking about this. And of course the reason is I want us to be more efficient, I want us to save some money and I want us to be able to scale as a result of that. And then there are also some security gains. So yes, that’s the way that I got everybody’s attention.”

Regular Reporting Is Critical to Showing Progress and Value

“They were fascinated by that and I would come back every quarter or so and show them the first set of nine boxes, the new set of nine boxes and where we stood, because we would get healthier by the quarter. I was able to show the value of this initiative almost immediately.”

It’s Difficult to Have Visibility Without A Tool to Help You

“The difficult part is that people roll their own, so to speak. They’re going to be expensing applications. They’re going to be doing things themselves. It’s not just going to be a matter of what they’re using in the tool chest that you provide them through the enterprise agreements that you’ve got through Google and Microsoft and Salesforce and so on and so forth. They’ve decided that they want to create their own suite of tools that is what is their productivity set. You don’t know what that is. And so it’s hard to mine the systems for that information. I have access to our ERP, so I can pull information from that and then maybe I have access to Concur or other tools that are going to give me access to what people are expensing, but it might be difficult to kind of slice and dice that information. I’m not going to get it very easily, and I’m going to get it in terms of the spreadsheet. Then I might have to sort it and it won’t be clean at all, and I’m certain that I’ll be double-dipping in certain spaces. It will just not present accurate information that I’ll be able to trust, that I’ll be able to take back to the business with real accuracy. So that is why it’s difficult to do without a tool that is automating the process for you.”

Get Buy-In by Helping the Business Understand ‘What’s In It for Me’

“It’s always the ‘what’s in it for me’ scenario. Every story is different for every leader. In the go-to-market space, they always have the most tools in their toolbox. They’ve got people from all walks of life coming together, bringing with them their favorite tools of choice and they’ve got the most that we’ve got to kind of chip away at. And so the story that we’re working on with them is about how we can streamline things so that they have more that they can reinvest into. Maybe they need more headcount in a certain area that they don’t have. That’s sort of the ‘what’s in it for me’ story for that group of people. Moving over to the information security team and cloud operations, those people like to work hand in hand with each other. If I take the same ‘what’s in it for me’ storytelling to that crowd, I say, ‘Hey team, I’ve got this full portfolio of tools that you guys are using, and by the way, you probably didn’t realize that half of them have not gone through security review. Because I didn’t know about them, I wasn’t able to secure them. And so when some of your team offboards, since I don’t know about them, I can’t shut down their accounts and that’s a scary place to be.’ And immediately, the light bulbs go off.”

Stakeholder Interviews Are Non-Negotiable for Application Rationalization

“Part of the journey of application rationalization is the stakeholder interview portion of the program. It is really a very personal pursuit that people go into when they come with their favorite tool of choice. The marketing team is going to have a project management tool de jour, and they’re going to love it and it’s going to serve very particular use cases for that team. I’m going to have to learn why. What does it do? How important is it to this group? And it will tug at all my heartstrings, and I’ll have to figure out what is it about this tool that makes it so important for this group? And then I’ll have to do the exact same thing for every other group that has their own project management tool and also with my team, have to figure out how I’m going to rationalize all of the PM tools down from where we are to a smaller set of them taking into consideration the things that people need in order to do the jobs that they’re doing. Because stopping business is not what this is about. Helping us scale and grow and simplify is what this is about.”

“Usually if you bring people along in the process, they are more apt to understand the why of what is happening. They feel like they’re invested in helping get through all of it because they understand the point of it. In some cases though, it is a difficult decision to make. Generally speaking though, the more you communicate, the more they understand. Going in and just ripping things away from people is not the idea that would not go well.”

Don’t Leave A Stone Unturned When It Comes to Security

“A small inexpensive application could mean that you are opening yourself up to an incredible amount of risk, and it doesn’t matter that it’s inexpensive. But it matters that it could be putting your whole enterprise at risk. $20 just to give somebody a little bit of convenience and then putting your entire enterprise at risk. You think about an attack surface, every little molecule that you add adds to your attack surface. So putting another way of ingress into your enterprise where you don’t understand or know the way that a security posture is being baked into the engineering of a particular tool that somebody is using, you haven’t done just the requisite amount of due diligence to be comfortable with the way that this tool is constructed or you understand the business model of this particular company, you’re putting yourself at risk. There are certain things you can do in order to just put some check marks so that you can feel comfortable saying, yes, I feel comfortable with you using this inexpensive tool. I have done enough due diligence to know that it’ll be fine. But if you don’t do that, you’re really leaving the door open. You do need to look at everything.”

Top Quotes

5:58 – “We would get healthier by the quarter. I was able to show the value of this initiative almost immediately.”

6:27 – “The difficult part is that people roll their own.”

8:45 – “It’s always the ‘what’s in it for me’ scenario. Every story is different for every leader.”

16:06 – “Stopping business is not what this is about. Helping us scale and grow and simplify is what this is about.”

24:29 – “A small inexpensive application could mean that you are opening yourself up to an incredible amount of risk.”

Check out other episodes here, Apple Podcasts, Spotify, or wherever you listen to podcasts.