Music distributor tracks SaaS usage to boost security, satisfaction

Originally an online CD store, CD Baby now primarily deals in “music as a service,” serving 700,000 independent music artists by managing the distribution of over 10 million unique tracks through download platforms and streaming services such as Spotify. In parallel, its IT team manages the consequences of software’s move to an as-a-service model.

It’s not just the way CD Baby ships product that has changed since VP of IT Tom Beohm (pronounced “beam”) joined the company in 2010 as a lead systems engineer. “My role has evolved dramatically in those 12 years,” he says. “I’ve seen two complete revolutions of our technology stack and infrastructure.”

The first of those revolutions was the move to virtual servers and centralized storage. Now he’s moving to a hybrid cloud model and further consolidating storage infrastructure.

Beohm’s team of nine IT staff provides operations, engineering and database administration support for around 200 employees at CD Baby. And support for SaaS applications — including an ongoing move to a cloud-based ERP platform — comes within that too.

SaaS spending is growing

CD Baby isn’t the only company consuming more software as a service: While Gartner is less optimistic about SaaS spending growth than it was at the start of the year, it still expects global SaaS spend to increase 16.8% to reach $195 billion in 2023.

Behind that increase, though, lie some challenges because IT departments don’t always manage, or even know about, all of the increased SaaS usage.

“I view software-as-a-service as the current extension of shadow IT,” says Beohm. That really made itself felt on the help desk: “We started to see requests coming from our user community, saying ‘Hey, I need help with product X,’ and my help desk team has no idea, which raises all kind of red flags.”

Some of those requests were driven by the expansion of CD Baby’s parent company Downtown Music Holdings: as the group grows, CD Baby employees find themselves working with colleagues in other divisions and needing to use their SaaS tools. “There are other things going on in our ecosystem besides what IT knows about,” he says.

Beohm’s initial approach to filling in those knowledge gaps — both his own and those of the users calling the help desk — was to ask staff who knew they needed a particular tool to talk about it with IT so they could help with adoption.

“The level of success we’ve had with that has been mixed because it’s an on-your-honor system. What we found is that we don’t get the visibility we really need to be successful,” he says.

That led Beohm to start looking for a SaaS management platform (SMP) that could help. At around the same time, he says, his boss suggested something similar. “IT being offered resources and money is very rare, so I jumped on the opportunity,” he says. Beohm researched a number of options and proposed one to the rest of the leadership team, which accepted.

Application discoverability

“The number-one driver for me was application discoverability. It’s the unknown unknowns, what you can’t see, that I was the most interested in knowing more about. In our evaluation of the SMP space, the only product that filled the gap for our use case was Torii,” he says.

Some SMPs gather data from the ERP system, looking at what services the enterprise is paying for, whether through IT department purchase orders or credit-card charges from marketing, but Beohm wanted to see what employees were actually using.

“The piece that really made the difference was a browser extension that was cross-platform, that I can install on PCs, on Macs, in multiple browsers, and it has a comprehensive view into what’s being used in our environment,” he says.

The extension, rolled out through CD Baby’s mobile device management platform, needed some explanation.

“One of the challenges we initially had with our user community was, ‘Hey, are you rolling out spyware? Are you monitoring my keystrokes? Are you monitoring my productivity?’ It was a big topic for folks, especially in the pandemic era,” Beohm says. Torii provided documentation for CD Baby staff explaining that it was simply gathering anonymized data about applications in use in the company environment. “I also hosted open office hours to answer individual questions. There were some concerns initially, but I think we were able to address those pretty successfully,” he adds.

As soon as the browser extensions were installed, they started generating data — and then came the real challenge. “It was less in the data gathering and the rollout process, and more the ‘Now what?’ question when you discover there’re several hundred applications being used in our environment that we had no idea were there,” he says.

Beohm has been leaning on Torii’s workflow automation capabilities to tame that barrage of alerts. Now, if someone tries out a new tool, he can tell Torii to note it — but then take further action until other users start to try it out too. “That’s really helped us manage the proliferation of the one-time-use scenario and not burn a lot of staff hours in evaluating things that don’t need to be evaluated,” he says.

Preparing for contract renewal

Other workflows automatically flag SaaS contracts coming up for renewal, warning IT via the ticketing system, and application owners and executive sponsors via Slack. “It gives us that runway for either a tool switch or to properly negotiate what the terms of that next contract renewal are going to look like,” he says.

While reducing costs wasn’t Beohm’s primary goal, it is happening: “When we have new hires, we have a suite of internal IT applications we issue. We’d just go buy seats. Now we can say, ‘Do we need to buy seats, or are there seats already available in the services that we can just reuse?’ We’ve been able to save thousands of dollars — north of $8,000 in Microsoft licensing alone — by having the visibility into seats that are available so we don’t have to purchase.”

Security has improved too. “One of our teams was using a tool, and we saw it in Torii, but we saw other individuals on other teams using it too,” says Beohm. He recommended to the owning team that the company consolidate the vendor contract to include all users: “We’ve been able to reduce our complexity, provide a more secure interaction with the SaaS service by putting MFA and SSO in front of it, and continue to allow the users to have the tool with the governance of IT.”

Once a quarter, Beohm takes what he learns from Torii to the other C-suite executives and discusses who’s using what, and what to do about it. “It’s been a great conversation, because it’s been empowered by data,” he says. “It’s been really positive so far.” Beohm encourages other CIOs to look into SaaS management platforms to learn what’s going on their networks. The purpose must be communicated to colleagues carefully, though: “We’re not trying to be SaaS police,” he says. “We’re trying to help you be as successful as possible, using this tool to benefit you and the company from a security, usability and cost perspective.”

ERP Systems, SaaS, Security