How MSPs Can Harness Shadow IT to Add Value for Clients
In this episode of Gone Phishing, Connor Swarm and John Harden discuss how Managed Service Providers (MSPs) can address the emerging challenge of shadow IT and shadow SaaS by leveraging their traditional expertise in software inventory management to add value for clients and manage unauthorized software and accounts that IT teams have not explicitly approved.
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Phin Security, and welcome to Gone Phishing.
Connor Swarm:
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin Security. I am joined once again by the senior product marketing manager of SaaS at Auvik, one of my great friends, John Harden.
Connor Swarm:
John, how are you doing today?
John Harden:
I'm good, Connor. Appreciate you having me on. It's a good time to come back. I enjoyed our last session. It was a really good show.
Connor Swarm:
Last time we talked on the podcast, we discussed what shadow IT is, what shadow SaaS is, why it's important today, and why people are using software, hardware, and accounts that their IT team hasn't explicitly given them access to. Today, I'd love to talk about what cybersecurity and IT teams should do in response to that. A key piece here is that I'm in the MSP industry serving MSPs, and you're in the MSP space as well. Where do MSPs fit into all this? They're managing shadow IT on behalf of potentially other IT teams at other companies. So where do MSPs fit into all this?
John Harden:
This is a tough part of the problem right now because shadow IT management and the SaaS management space for MSPs is really brand new. This is something they haven't been doing for 10-15 years. But what they have been doing for an eternity is software inventory. I always find it funny when I talk to folks who ask, "Why should I do SaaS management?" I ask, "What does your MSP master service agreement say with your customer? Does it say you're managing their software on their behalf?" They realize that they say they're doing this, but the times just haven't kept up, and it's not their fault.
With software management or SaaS management and shadow IT management, it's the same things they had to do with software inventory management. It's about managing the inventory of assets where data is at, building a repository list, making sure things are approved or unapproved, ensuring there aren't bad services in use, and that there aren't data risks inside those bad services. Just like you're watching for CVEs on the software installed on desktops, you're watching for bad actions inside SaaS tools or people logging in with personal accounts, sharing accounts, or if a vendor has been part of a breach which could open up a supply chain attack internally.
Fundamentally, MSPs have the same responsibility for SaaS as they do with desktop software: inventorying it, managing it, and working with the customer to ensure it's part of their conversation, so it's not happening out of the visibility of both the MSP and the end client. There are some tactics I can get into, but I'd be curious what your thoughts are on that, Connor.
Connor Swarm:
I think the most important thing, which we touched on briefly in the last episode, is that what matters most is visibility. Most employees using these accounts, devices, and software that aren't licensed or approved by the IT team are doing it out of convenience, to get their job done better. There's pressure from above to create outcomes, not only for the IT team but also for employees. So, don't view this completely as a bad thing. What's important is not that there is no shadow IT, but knowing what shadow IT exists, because then you get to decide what to do with it.
I was talking with a friend at a conference who used SaaS management and realized they had six productivity tools when they'd only bought Monday.com. They asked, "Why isn't everyone using it?" This opened up the opportunity to question whether the software and hardware being bought are the right move for the organization.
John Harden:
That's my favorite part of the whole thing. Shadow IT isn't inherently good or bad, but as an MSP, what a holy grail of opportunity. We've looked for a long time to be strategic with our customers. What a holy grail to go to your client and, instead of just sending questionnaires or spreadsheets asking what SaaS they use, replace the "what" question with a "why" question: "Why are you using this? Why do we have six productivity tools? Why is it better?"
I've seen a lot of success embedding shadow IT as a tracker in the quarterly business review (QBR). Once we started coaching our MSPs on bringing the top ten shadow IT SaaS down to their customers, it was a eureka moment. Partners have told us that their customers want to know about shadow IT. Because SaaS is both a business and IT problem, it's something the person on the other end of the QBR wants to talk about.
We coach our partners to not just ask if something is approved, but to ask one simple question for all ten shadow IT assets: "What business problem is this solving for you?" Then let the customer talk. You'll unlock more about their business and use of IT and SaaS in those QBRs than you ever have in a spreadsheet or questionnaire.
Connor Swarm:
That makes a ton of sense. If you show up to a QBR and your statements are, "Look how many backups I backed up, how many anti-spams I anti-spammed, and how many firewalls I firewalled," you're not telling the customer anything new. You're not helping transform their business. You're just saying you did your job, but not helping them move forward.
John Harden:
Exactly. That's a "C" job—average. Nobody's going to be impressed. The only way you don't get a C is by not doing what you just did. But being able to come in and be strategic during your QBR can turn you from a "CF" type of MSP to an "AC" type, meaning you come in strategically, wow them, get curious, learn about their business, and talk about how IT isn't a cost center but a productivity center. You can wow your customer and actually get an A, and they can thank you for what you're doing in IT. Flipping that script makes a massive difference.
Connor Swarm:
You go from someone giving a report to a trusted advisor helping them grow their business. For MSPs not tracking shadow IT, what are some of the risks they're unknowingly retaining by not having this level of visibility?
John Harden:
It goes down to the cybersecurity maturity curve. At the very front is "identify." I challenge businesses that have advanced defense mechanisms but no visibility into SaaS. The key risks are:
- 1.Data sprawl and accidental data exfiltration: Non-continuous data running around the business with no visibility. The first risk is for the client—the data you're building cybersecurity programs to protect, but you don't see any of this out here.
- 2.Contractual risk: If your master service agreement says you're doing software inventory, and something happens, you could be liable for not protecting what you said you would.
- 3.Inefficiency: Manually documenting this stuff is time-consuming and often inaccurate. Employee onboarding and offboarding become difficult when you don't know what they're using.
- 4.Falling behind: SaaS management is becoming a table stake. In a few years, every MSP will need to be doing it. Not doing it now means you'll be playing catch-up later.
So, inefficiency hurts your business now, and falling behind will hurt you later. If you want to be loved by your client, do this work and move from a "CF" to an "AC" MSP.
Connor Swarm:
The most important part is the story of transferring from CF to AC. In a world where it's hard to differentiate yourself from other MSPs, if you help clients transform their business by bringing things above and beyond, like tracking shadow IT, that's what will keep you working with those companies. Tying this back to cyber insurance, if you're responsible for it and a breach occurs, and your documentation says you'll manage their software and applications, but you abdicate that responsibility, it's going to come back to bite someone.
John Harden:
There's another layer inside that cyber insurance story. There's a box you have to check that says you're doing single sign-on (SSO). If one of those apps is outside that SSO threshold, you're putting yourself and your customer at risk with cyber insurance. For example, in the traveler's case, insurance was rejected because a user didn't have MFA. SaaS management can give you a list of main apps that need to be moved into that SSO threshold so a customer is more protected and adheres to their cyber insurance questionnaire. SSO and MFA are the next leg of SaaS management, but getting visibility is the most important thing to get started, and then you can mature from there.
Connor Swarm:
Once you've identified the software, hardware, and accounts, you can bring that into what you're already managing. For example, employees are logging into these tools—add them to the allow-listed stuff inside Microsoft and enforce SSO, instead of saying, "No, you can't use this at all." Now, you've made it secure and can give it the thumbs up.
John Harden:
Exactly. Being able to see what apps are out there that don't have SSO can be a whole project. Many partners build a list and work on five apps per quarter, protecting their customer and making the customer stickier as a result.
Connor Swarm:
It's about constantly helping your client and companies transform. That's what it's all about. If MSPs or companies want to learn more about SaaS management, where would you recommend they go?
John Harden:
If you want to chat, I'm always available on LinkedIn—John Harden. To learn more about what SaaS management can mean for an MSP or your business, go to auvik.com and click SaaS Management at the top. Try it for 14 days and see if it's good for you.
Connor Swarm:
That is auvik.com. We'll have links to John on LinkedIn and Auvik in the show notes. Maybe you've been avoiding figuring out what tools your companies are using because you know it's happening. All of us are using software that IT folks aren't aware of because it's convenient.
John Harden:
It's just convenient. But knowing is the battle—even if you don't solve it, you need to know about it.
Connor Swarm:
If you don't know you're on an airplane and you're not flying it, the second you do know, you can decide where you'd like to pilot.
John Harden:
It can manage your risk.
Connor Swarm:
Manage your risk.
John Harden:
Awesome.
Connor Swarm:
Thanks so much for joining, John. I had a blast chatting with you. For everyone listening, thanks so much for joining in and we'll see you on the next episode of the podcast.
Connor Swarm:
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns and how to launch them in ways that actually engage employees to change their habits, check us out at Phinsecurity at Phinsec IO. Thanks for phishing with me today and we'll see you next time.