What does discovery software actually do?
EUC discovery software is a type of risk management software that scans for or “discovers” end user computing applications. Simple enough, right?
In reality, we should make a subtle but important change to this definition. Discovery software is designed to “discover files that are highly likely to be EUCs.”
Why is this distinction necessary? Because organizations do not define end user applications purely by their complexity. Just because a spreadsheet, for example, has macros and many formulas, does not mean it should be classified as an EUC.
Instead, most organizations take a smarter, more nuanced approach that includes qualitative components like financial, regulatory, and reputational impacts. This provides a more comprehensive view of risk. It means that a file must be complex AND have a material impact on the organization to be considered an EUC.
Importantly, these impact factors rely on working knowledge of the files, held by the employees who use them on a consistent basis. In other words, engagement from business users is critical to building a successful EUC inventory.
Complexity tells us how likely it is that something goes wrong.
Impact or materiality tells us what the consequences are if something goes wrong.
How should we reframe our thinking around discovery software?
When viewed through this lens, we believe discovery solutions should serve three primary goals. The first two are well-known, though not always adopted. The third, however, has long been a gap among risk management software providers.
Goal 1: Reduce discovery scan results
- Reducing noise is critical to ensuring user engagement.
- Saves a great deal of time for end-users and compliance teams.
- Provides a defensible, consistent approach to regulators & audit teams.
Pre-filtering discovery scans removes files such as:
- Old files that are not consistently updated.
- Flat files that do not process data.
- File types outside the scope of the EUC program (e.g., .pptx).
From Apparity’s experience, pre-filtering discovery scans removes upwards of 80% – 90% of files.
Goal 2: Simplify EUC triage
The second goal is to simplify EUC triage for end users. This is accomplished through detailed file analysis that draws attention to files that have the highest likelihood of being EUCs. Simplifying EUC triage is important because:
- End user attention is focused on files most likely to be EUCs.
- Circumvents initial review of simple, low-complexity files.
- Utilizes file content analysis and data connections or data lineage to quickly identify files that pull from sensitive data sources.
- Ensures an efficient file review process by not forcing triage of file copies and versions.
You can simplify EUC triage in these easily achievable steps:
- Identification of heavy-processing components like VBA, many lines of code and higher-risk formulas.
- Usage metrics to understand if the file is used frequently or by many different individuals.
- Custom, organization-specific criteria to identify files that pull data from financial systems or files that contain sensitive data.
- Grouping file copies and versions together so they are reviewed in aggregate instead of multiple, individual reviews.
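A sketch of the pre-filtering from Goal 1 and the triage signals from Goal 2, added here as an illustration and not taken from Apparity's product. It assumes that scope is `.xlsx`/`.xlsm`, that "old" means untouched for a year, that a "flat" file has no VBA project and no formulas, and that copies are byte-identical files; `make_workbook` and `demo` build constructed sample files.

```python
import hashlib, os, re, tempfile, time, zipfile
from pathlib import Path

IN_SCOPE = {".xlsx", ".xlsm"}   # assumed program scope; .pptx, .csv, ... are dropped
MAX_AGE_DAYS = 365              # assumed cut-off for "not consistently updated"

def complexity(path):
    """Return (has_vba, formula_count) for an OOXML workbook."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        sheets = [n for n in names if n.startswith("xl/worksheets/") and n.endswith(".xml")]
        formulas = sum(len(re.findall(rb"<f[ >/]", z.read(n))) for n in sheets)
        return "xl/vbaProject.bin" in names, formulas

def discover(root, now=None):
    """Pre-filter files under root, group copies, rank what is left for triage."""
    now, groups = now or time.time(), {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in IN_SCOPE:
            continue                      # file type outside the EUC program
        if now - p.stat().st_mtime > MAX_AGE_DAYS * 86400:
            continue                      # old file, not consistently updated
        try:
            has_vba, formulas = complexity(p)
        except zipfile.BadZipFile:
            continue                      # renamed or corrupt, not a workbook
        if not has_vba and formulas == 0:
            continue                      # flat file that processes no data
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        entry = groups.setdefault(digest, {"copies": [], "has_vba": has_vba, "formulas": formulas})
        entry["copies"].append(p.name)    # copies are reviewed as one item
    return sorted(groups.values(), key=lambda g: (g["has_vba"], g["formulas"]), reverse=True)

def make_workbook(path, formulas, vba=False, age_days=0):
    """Write a minimal constructed workbook-like ZIP (sample data only)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", "<c><f>A1*2</f></c>" * formulas)
        if vba:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    t = time.time() - age_days * 86400
    os.utime(path, (t, t))

def demo():
    with tempfile.TemporaryDirectory() as d:
        make_workbook(f"{d}/pricing.xlsm", 40, vba=True)
        Path(d, "pricing - Copy.xlsm").write_bytes(Path(d, "pricing.xlsm").read_bytes())
        make_workbook(f"{d}/recon.xlsx", 12)
        make_workbook(f"{d}/export.xlsx", 0)                    # flat
        make_workbook(f"{d}/old_model.xlsx", 99, age_days=900)  # old
        Path(d, "deck.pptx").write_bytes(b"x")                  # out of scope
        return discover(d)
```

Of the six constructed files, `demo()` returns two triage items: the macro-enabled workbook with its copy grouped under it, then the formula-only workbook.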
The first two goals serve to systematically identify EUCs and ensure they are prioritized for review.
However, most companies, particularly complex financial institutions, have incredibly large volumes of data. To complicate things, this data sits within highly distributed user groups across the globe.
A major challenge we’ve encountered is organizations struggling to engage these large user groups for scoping and impact assessments. For this reason, the third goal is paramount to the success of the end user application discovery process.
Goal 3: Engaging users
The final goal is to engage users in a simple, intelligent way to gather qualitative data. This qualitative data helps classify files as in or out of scope of the EUC program.
Engaging users is important because:
- Relying on file complexity alone results in too many files being in scope of the EUC program.
- User engagement is the most overlooked aspect of EUC identification. Companies often run discovery scans resulting in large volumes of files returned. They then struggle to engage users to perform impact assessments.
- Smart engagement drives adoption by meeting users where they are.
Here’s how you can better engage users:
- During discovery scan setup, assign results to users, departments, or Active Directory (AD) groups. This means individuals and teams see only the files relevant to their function.
- A tool like Apparity’s Active Capture alerts users that action is required while they are working in their application.
- Apparity’s Discovery tool gathers usage data related to user files to identify frequency of use, common modifiers, and open frequency.
In Summary
EUC discovery solutions must expand their focus to include smarter, more efficient ways to engage end users for qualitative inputs. This is especially important as these inputs carry significant weight in assessing the overall scope and risk of an EUC.
Apparity is the industry leader in this area. Our innovative EUC discovery solution surfaces end user applications at scale, while automating user engagement without burdening central teams.