Learn

Guide

When the COO Is Also the IT Department: How Operations Leaders Keep Google Workspace Secure Without a Sysadmin

When the COO Is Also the IT Department: How Operations Leaders Keep Google Workspace Secure Without a Sysadmin

When the COO Is Also the IT Department: How Operations Leaders Keep Google Workspace Secure Without a Sysadmin

At lean companies, Google Workspace security lands on the COO or founder. The four IT jobs that need doing, and how to cover them without a sysadmin.

At lean companies, Google Workspace security lands on the COO or founder. The four IT jobs that need doing, and how to cover them without a sysadmin.

Julien Monguillot

Julien Monguillot

Julien Monguillot

Co-Founder

Co-Founder

Co-Founder

Created:

Created:

Created:

Learn

If you are a COO, founder or operations lead who also happens to own your company’s IT, you are not alone. At small and growing companies, Google Workspace security and user management often land on whoever is willing to own them. This article explains what that actually means in practice, what the real risks are and how purpose-built tooling lets you do this job properly without hiring a sysadmin or stitching together a tangle of disconnected software.

TL;DR

  • COOs routinely absorb IT responsibilities at companies without dedicated IT staff, and the operational and security stakes are real.

  • The four jobs that need doing are provisioning and access, SaaS spend management, app-permission visibility and incident response. Each one is a gap by default.

  • Shadow IT, dormant accounts and unreviewed third-party app permissions are the most common and least visible risks.

  • Tooling made specifically for Google Workspace can cover all four jobs from a single login, with setup measured in minutes rather than months.

  • Security at this level does not require a big budget or an IT team.

About the Author: ShiftControl was founded by former ExpressVPN operators who personally scaled IT from 100 to over 700 employees across 7 global offices. The company builds exclusively for Google Workspace environments and serves operators who own IT alongside their other responsibilities.

Why Does the COO End Up Running IT?

Operations leaders own the problem because nobody else is available to own it. At small and mid-sized businesses, the COO role already spans cross-department alignment, process accountability and operational continuity techcxo.comvoltagecontrol.com. IT governance rarely appears in a COO’s job description, yet access management, SaaS subscriptions and security controls are operational problems at their core: they affect how people work, how money is spent and what happens when something goes wrong.

The COO role is increasingly shaped by technology execution demands. Finance leaders are absorbing operational and technology responsibilities alongside their core duties journalofaccountancy.com, and COO mandates are being shaped around specific execution challenges rather than fixed functional boundaries interimcsuiteservices.com. IT, in small companies, is exactly that kind of challenge: urgent, specific and unlikely to be owned by anyone else.

The result is that operations leaders end up managing Google Workspace identity, chasing down app renewals and handling the fallout from a departing employee’s account, all without formal IT training and usually without dedicated support.

What Are the Actual Security Risks When There Is No IT Team?

The risks that accumulate without dedicated IT oversight are often quiet and gradual.

Dormant accounts: When an employee leaves and offboarding is handled manually, accounts and app access often survive the person. Former employees with active credentials represent a genuine exposure point that is easy to overlook when nobody owns the process.

Shadow IT discovery gaps: Teams adopt apps independently to solve immediate problems. Without a shadow IT discovery tool, operations leaders have no visibility into what is connected to their Google Workspace environment, what data those apps can access or what they cost.

Third-party app permissions: Google Workspace allows third-party apps to request broad permissions over email, calendar and Drive data. Without a systematic review process, these permissions accumulate. Many are granted by individual employees, not administrators.

Weak credential practices: Without a password manager for teams, employees create their own solutions: shared spreadsheets, reused passwords or personal password managers that the company cannot manage or audit.

No incident response plan: When a security incident happens, the question of who to call and what to do first is not one you want to answer in the moment. Without a plan in place, response time and containment quality are compromised.

What Does Google Workspace Identity Management Actually Require?

Google Workspace identity management means controlling who has access to what, ensuring that access is right-sized for each role and making sure it changes automatically when someone joins, moves or leaves. Manual identity management is time-consuming, error-prone and creates gaps in access control. A proper identity program requires:

  • Automated provisioning and de-provisioning tied to HR records

  • Role-based access control that reflects actual job functions

  • MFA enforcement across accounts

  • SSO enablement so that app access is governed centrally, not app by app

  • Regular review of what third-party apps are connected and what permissions they hold

Each of these is a job on its own. Collectively, they describe an identity program. For a COO without IT staff, the only practical way to run this program is with software that does the heavy lifting.

How Do You Manage SaaS Spend Without a Finance-IT Overlap?

SaaS subscription management software and SaaS spend management software address a problem that sits awkwardly between operations and finance. Subscriptions are approved by department heads, billed to company cards and often renewed automatically. Without central visibility, spend grows in ways that nobody has formally authorized.

The practical consequence is redundant tools, unused licenses and renewals that nobody catches in time to cancel or renegotiate. COOs who own this problem need a centralized view: spend by team, by person and by app, with renewal dates surfaced before they become a surprise.

Automated employee onboarding software also directly affects SaaS spend. When a new hire is provisioned with exactly the apps their role requires and nothing more, license waste is reduced from the start. When an employee leaves and de-provisioning runs automatically, paid seats are released rather than sitting idle.

Can One Platform Actually Handle All Four Jobs?

This is where the “one platform instead of four tools” question becomes practical. The four jobs are:

Job

What it covers

Provisioning and access

Onboarding, offboarding, role-based access, SSO, MFA

SaaS spend management

Subscription visibility, renewal tracking, license optimization

App-permission visibility

Third-party app review, scope analysis, shadow IT discovery

Incident response

24/7 expert access, containment, forensics

Most small businesses handle these across a mix of manual processes and disconnected tools, with gaps between each. ShiftControl is purpose-built for Google Workspace and covers all four from a single platform. Setup connects via a Google Workspace login in around ten minutes, with no implementation project required. This matters for operators: an IT deployment that requires weeks of configuration is not a realistic option when IT is a side responsibility.

The platform was designed by operators who ran IT at ExpressVPN as the company scaled from 100 to over 700 employees. That background shaped decisions about what an operations leader actually needs versus what an enterprise IT team can absorb.

Incident response is included in the subscription via a partnership with Blackpanda, covering 24/7 expert access, containment support and an annual incident response credit. It is not an add-on and does not require a separate procurement process.

Frequently Asked Questions

Do I need IT experience to manage Google Workspace security effectively?

Practical experience matters, but purpose-built tooling closes most of the gap. Platforms designed for operators rather than IT teams present controls in operational terms and automate the technical steps.

What is shadow IT and why does it matter for Google Workspace?

Shadow IT refers to apps and services adopted by employees without formal IT approval. In a Google Workspace environment, these apps often request access to email, calendar and file data. Without a shadow IT discovery tool, these connections are invisible to administrators.

Is automated employee onboarding software worth it at small headcount?

The value is less about scale and more about consistency. Manual provisioning creates gaps at any headcount: missed app assignments, forgotten offboarding steps and access that outlives employment.

How does a password manager for teams differ from individual password managers?

A team password manager allows centralized management of credentials, shared access to non-SSO apps and audit visibility. Individual password managers give the employee control but leave the organization without oversight or recovery options.

What does cyber incident response included in a subscription actually mean?

In ShiftControl’s case, it means 24/7 access to expert responders, one annual incident credit covering the full organization, containment and initial investigation support and attack surface management scans. This is not a help desk.

Does ShiftControl work if we already have a partial IT setup?

Yes. It integrates with existing identity providers including JumpCloud, and supports SCIM and non-SCIM apps. It is additive rather than requiring a full replacement of existing tools.

What is the difference between standard pricing and the startup tier?

ShiftControl publishes transparent pricing with a per-user standard rate. A separate discounted startup tier is available for qualifying companies. The two tiers are distinct and serve different stages of company growth.

About ShiftControl

ShiftControl is an IT operations and SaaS management platform made for Google Workspace, built by operators who scaled IT at ExpressVPN from 100 to over 700 employees. The platform gives small and growing businesses the same capabilities a large enterprise IT team provides, covering provisioning and access, SaaS spend management, app-permission visibility and cyber incident response, without requiring a dedicated IT hire or a lengthy implementation. ShiftControl has signed the CISA Secure by Design Pledge and is SOC 2 compliant and ISO-aligned, with transparent public pricing and a free trial available. The company’s position is straightforward: security is a basic right, and the tools to deliver it should be accessible to every business, not just those with enterprise budgets.

If you are the person in your company who owns IT by default, ShiftControl was built for you. See how it works at shiftcontrol.io.

References

  1. The Ultimate Guide to the Chief Operating Officer (COO) (techcxo.com)

  2. Chief of Staff vs Chief Operating Officer: Key Differences & … (voltagecontrol.com)

  3. What it takes for a CFO to lead operations and tech (journalofaccountancy.com)

  4. The New Role of the COO in 2026 – IEC (interimcsuiteservices.com)

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.