The SaaS Dilemma: “Et tu Vendor?”

For a man who died almost 2000 years ago, Julius Caesar still gets quite a few million hits on Google.

Julius is a man who came up with some of the greatest lines in history.

The most obvious is “Veni, vidi, vici” or “I came, I saw, I conquered”, the one so often misappropriated by anyone who has ever had too much to drink and wanted to make a grand entrance.

One of my favourites is definitely “Men willingly believe what they wish” as it is a perfect fit with how we often seem to be treating our adoption of cloud-based SaaS today.

In the blog post “SaaS – The “Cambrian Era” for Software” we discussed how the disruptive force of Cloud computing changed the environment, creating ideal conditions for thousands of SaaS companies to flourish, and making it inevitable that the SaaS model will dominate in enterprise applications. As organisations experience that shift towards SaaS, one significant implication is the changing nature of the relationship between SaaS vendors and consumers.

In business as in the rest of life, trust is critically important. Corporations understand the necessity for trust within and between teams, which is why so many training courses include ‘trust games’ where the organisation’s people can practise trusting one another in safe environments – even if it’s only being navigated blindfolded through a maze by your colleagues.
It’s equally important that teams can trust the software that they use to support key business processes, which is why IT teams typically spend so much time evaluating and assessing major enterprise software ahead of procurement. But with SaaS applications, the opportunity to holistically assess every application is much reduced, and most likely happens after the application has already been acquired and deployed by the line of business team – and in a much shorter timeframe than non-SaaS enterprise software.

The nature of the relationship with SaaS vendors is different, which has a knock-on effect on the level of trust that is invested into every SaaS application.

With traditional enterprise software, the vendor supplies executable software that the customer can assess, trial and eventually deploy on customer hardware, managed directly by the customer’s own IT people. Only then is the organisation’s data combined with the software.

Conversely with SaaS, instead of bringing software in, the organisation’s data is moved out, away from direct control, to reside on Cloud infrastructure owned by the vendor. In effect, the SaaS customer hands their most sensitive data over to the SaaS vendor to process and manage, typically with no real control over how that vendor will look after their data. At the same time this creates an implicit dependency upon that vendor to support the organisation’s business processes on a day-to-day basis.

For SaaS, it is not sufficient to consider the application alone. Instead the vendor’s own “character” must be more deeply incorporated in any assessment process, since their infrastructure, people and processes have a more direct and critical impact upon their suitability to look after the organisation’s data and support key business processes.

The degree of trust involved is much more profound than with traditional software, and yet for most SaaS, the diligence applied in assessing the vendor is substantially less.

Our own experience shows that some organisations are blindly continuing along this path, choosing to believe that there is not a problem, or that it’s not a big problem. In the words of Julius – “Men willingly believe what they wish”.
With hundreds of disparate SaaS applications from as many vendors, and purchasing decisions being independently made by individuals across every department in the organisation, it is almost impossible to maintain an effective view of the risks that are accrued.

There are tens of thousands of SaaS vendors in existence, ranging in size from one or two people to some of the largest organisations, and headquartered in every jurisdiction across the globe. They are subject to widely varying legislative standards regarding financial openness, privacy, security and technical competence. It would seem unwise to place blind trust in every SaaS vendor that someone in the organisation may have just stumbled across, and yet the task of applying the level of governance required to ensure organisational standards are maintained seems impossibly large in the cold light of day.

After all, that is what Caesar did with Brutus – and look where that got him.

Many organisations follow standard approaches to risk and service management (such as ITIL), which provide guidance on maintaining a supplier management process. Yet the pre-existing procedures written to follow this guidance are often too generic, or too oriented towards traditional, locally managed software. The net result is that where questions are asked at all, they are often the wrong questions, asked too late.

In the world of SaaS, a new approach is required – one that is comprehensive enough to maintain trust, yet agile enough to keep pace with the speed at which cloud-based applications can be adopted by users.

And that brings us back to “Veni, vidi, vici”, or at least it will after our next instalment when we will discuss the key characteristics of this approach.