How KarmaCheck made SaaS security pay for itself with Nudge Security

The Challenge

“We’re a 100 percent fully remote company in a very heavily regulated industry. As a background check company, we deal with a lot of PII. So security is extremely important to us,” says Chris Tuley, IT Specialist at KarmaCheck.

To shore up security, Chris and his IT team began conducting quarterly audits of all SaaS services in a spreadsheet—a manual, tedious process that took one to two weeks for two employees to complete. As they continued to uncover more shadow SaaS, they realized the looming challenge of managing this project, especially given the company's rapid pace of growth.

“We have a lot of sensitive data coming in and out of a lot of the SaaS apps we use,” Chris explains. “We want to be certain that we’re offboarding people securely and capturing every app that they have access to. That was our biggest driver.”

The Solution

Though KarmaCheck evaluated a number of possible solutions, Nudge Security quickly emerged as the winner. Key features like ease of access reviews, offboarding automation, and spend management resonated strongly with the team.

Nudge's platform discovered 10x more apps than KarmaCheck was tracking via their manual process, giving them an accurate, complete SaaS inventory on Day One.

“Nudge Security’s SaaS discovery approach is one of the things that really wowed us," says Chris. "The other tools we looked at worked via browser extension and IdP integration, but weren't as complete or immediate in their discovery as Nudge. A couple of the vendors used API integrations, but they only had a limited library of apps that they monitor or support. We weren't really sold on that. That was a big downside for us.”

Compared to alternatives, Nudge Security provided both faster time to value and more comprehensive visibility of KarmaCheck’s SaaS estate.

As Chris explains, "Other providers expected us to manually configure dozens of individual app integrations before we could start seeing value, which is a lot of manual work. When I signed up for a trial with Nudge, we were up and running within an hour just by connecting to our IdP. We were seeing insights immediately. Then we can go into those deeper integrations afterwards—which is awesome and helpful, but that provides an extra layer, not a starting point. By starting with discovery first, Nudge provides a holistic 360 approach."

The Results

150% of the annual cost of Nudge reclaimed in SaaS savings within 6 months
10x increase in visibility of SaaS apps
In-depth user access reviews of 2X as many apps completed in 1/3 the time with half the staff
Accelerated security reviews for new SaaS and AI vendors

Key Benefits

SaaS spend reduction

Nudge Security automatically discovers and inventories up to two years of SaaS spend data from invoices found in email, including PDF attachments. KarmaCheck’s IT department quickly teamed up with colleagues in Finance to look for opportunities to manage SaaS spend by eliminating SaaS overlap and unused seats.

“First we found SaaS services that had really expensive per-seat license costs,” Chris recounts. "Then we nudged all of the users for those services to ask, ‘are you still using this?’ Doing that alone was hugely insightful because so many people don't even realize that they have accounts. Maybe they got access when they onboarded because they thought it was required for their role and have never touched it. We freed up quite a bit of SaaS savings from that outreach. And then we also found some overlapping SaaS services that we were able to deduplicate.”

KarmaCheck’s Finance teams have been thrilled with the results, as well as the product experience overall. When Chris first introduced these teams to Nudge, he recalls, it made an immediate impact. “Seeing the spend dashboard within Nudge Security has been really eye-opening for a lot of people, especially when you look at an estimated cost per user breakdown and what your anticipated future spend is. When it's all laid out in a very clear and concise way like this, with charts by category or department, it’s more impactful than just seeing receipts come through.”

From the IT side, Chris’s team has seen its own set of benefits. “We used to get more ad-hoc questions about renewal increases coming into IT. Prior to Nudge, as a SaaS service administrator, I would have to sign in to each app, see how many active users we have, at what tier, go look at the billing, see how they charge per user, and then I have to go look at the previous bill and break it down and figure out what changed. Having spend, renewal dates, cost per user, and invoice details all in one place in Nudge makes life so much simpler. We don’t get as many reactive requests now.”

“Within the first six months alone, we’ve recouped 150 percent of the annual cost of Nudge by chipping away at runaway SaaS use.”
Chris Tuley
IT Specialist, KarmaCheck

Streamlined compliance audits

As a background check company that processes PII, KarmaCheck is subject to stringent compliance standards. To meet the requirements for these audits, the KarmaCheck IT team needs to perform quarterly user access reviews for applications that process sensitive data.

Before finding Nudge, performing SOC 2 access reviews for 40 in-scope apps required over 100 hours of manual effort each quarter. Now, the same access reviews that once took two employees 1-2 weeks can be completed by one employee in just 1-3 days using Nudge's automated capabilities—while auditing more than double the number of in-scope apps.

“Nudge makes these audits significantly easier and saves us tons of time," says Chris. "Now I'm finishing the quarterly audits in one to three days by myself, instead of one to two weeks with a colleague. I don’t need to spend hours chasing down answers anymore because Nudge gives me instant visibility of everything in our environment.”

The team has even earned kudos from auditors.

Proactive IT management

As an IT leader, Chris particularly appreciates Nudge Security’s automated employee offboarding playbook, visibility of shadow SaaS accounts, and just-in-time nudge interventions.

“One of the biggest benefits has been insight into what people are using through OAuth or username and password signup. We’re then able to reach out to them with Nudge to get clarification on the use or directly shut down the accounts if necessary. We also have auto-triggers that send notifications to our users when discovering new services moving forward. These remind them of our policies, ask them to submit a ticket for review, etc.”

Most of all, though, he values the opportunities it surfaces for his team to be proactive.

“A lot of people think of IT as firefighters: We go and put the fire out and then we’re done. In reality, you want to be proactive and eliminate as many problems as possible beforehand so the fires don't happen as often. Having a tool like Nudge is foundational in that effort because it catches so many issues and helps remediate so many of them prior to becoming a problem.”

One feature that particularly stands out came as a surprise to Chris.

“Every morning when I come into work, I check the app health feature on the main overview dashboard to see if any of the tools in our stack are having outages or issues. This is just such a simple thing, but I've never had a tool that has it all in one place. It's so crucial. I keep that outage information in the back of my mind throughout the day as I'm answering help desk tickets so I already have context if someone is having problems with a tool.”

SaaS security posture management

Chris also finds value in the connected apps offered by Nudge, which provide deeper insights into user roles, app configuration, integrations, and other app-specific security details.

“The security posture findings call out important risk factors, whether that means a group email account signing up for services or specific users that have the highest risk accounts. Nudge helps show us where to focus our remediation efforts.”

So far, Chris and his team are using connected apps to monitor and proactively improve the security posture of core business apps like Slack, Notion, Zoom, and GitHub. Given the business-critical information stored and shared via these applications, the security posture management capabilities provided by Nudge give the KarmaCheck team greater peace of mind, knowing that they're staying on top of security best practices for these applications.

“Those apps are our lifeblood. They’re how we communicate, they have all sorts of files flowing through them, they’re full of proprietary information about how we run our company—everything. Connecting them to Nudge gives that insight that we've got things configured correctly, that there aren’t any gaps that we're missing as far as our users.”

As Nudge continues to expand its library of connected apps, the KarmaCheck team plans to take advantage. Chris says, “We'll connect any service that we use to Nudge for that extra bit of security to make sure that we don't have anything misconfigured. This is our business data and it's also our customers' data that are housed in these tools, so we're going to do everything we possibly can to make sure they're as safe as possible.”

Attack surface management

For KarmaCheck’s security team, Nudge Security’s attack surface dashboard has provided a new frontier of visibility.

“Our security officer absolutely lost his mind over the attack surface section. He said, ‘I've had this before but I've had it spread out over 12 different tools. Having it all in one pane of glass that I can see it and constantly monitor it, but then also capture it so that I can then share it with auditors or internal stakeholders is a game-changer for me.’”

This level of visibility allows for quick action and remediation, with no need to chase down more details or context.

Third-party risk & AI governance

The security team has also benefitted from the thousands of security profiles Nudge supplies to accelerate vendor risk assessments.

Chris reports, “Our security team loves the features for reviewing threat vectors, breach info, and being able to get a single view of all available security, certification, and app stack info when doing potential vendor reviews.”

In particular, Nudge has helped KarmaCheck’s security officer manage an influx of security review requests resulting from the push for businesses to take advantage of new AI tools and their potential productivity benefits.

“With AI being all the rage right now, it seems like every team wants to incorporate AI somehow,” Chris explains. “Our security officer has been inundated with requests to review new AI tools. Before, he had to look up every tool’s compliance certifications and other security information manually. Now it’s all right there in Nudge, which saves him so much time. He can screenshot the security profile and add it to his file for reporting.”

In summary

Overall, Nudge Security has been able to complement KarmaCheck’s security ethos by providing unparalleled visibility while empowering KarmaCheck employees and making them part of the solution.

“It's not about Big Brother or anything like that," says Chris. “It's about the safety and security of our people—so that our customers can have the security they deserve, so that we can operate confidently as a company and empower our workers to do the best job. We're not trying to restrict anyone from having fun or being innovative. In highly regulated industries, there are complex laws and rules to protect user data. We've got to be as secure as possible. Having a tool like Nudge makes it so much easier to do that.”

Within six months, KarmaCheck recovered 150% of its annual investment in Nudge Security—while gaining substantial benefits across IT, compliance, security, and finance teams.

“Nudge is a Swiss army knife of utility for us. Each team feels like Nudge is worth its weight in gold. It's not just IT, it's not just security, your finance team is going to love it. They’re going to save more than the cost of the license just by signing up for Nudge.”
Chris Tuley
IT Specialist, KarmaCheck

About the customer

KarmaCheck is the leader in modern background checks and screenings for the staffing industry. With powerful APIs, pre-built integrations, and a mobile-first candidate experience, KarmaCheck delivers accurate background checks faster.
Headquartered in San Francisco, CA
Founded in 2019
Series B company
karmacheck.com