Security, Risk, and Business Continuity with SaaS
This is the final installment of our 5-part blog series on the different benefits you can expect from transitioning to the cloud in general and SaaS in particular. In our first installment, we introduced the different deployment options available today and concluded that while cloud delivers benefits, SaaS delivers more. In the next three, we went on to describe benefits of reduced costs, more and faster innovation and SaaS as a key enabler of growth. We wrap up here talking about the implications on security, risk and business continuity.
Start with Security
We start with security because cyber security threats and breaches are in the news on a regular basis. This is an especially sensitive topic when it comes to the software that runs your business. It’s one thing to put your sales contacts in the cloud, but quite another to put your system of record someplace where you can’t see it or control it yourself.
For many years, long before cloud and SaaS became a commonly accepted form of deployment, our Mint Jutras Enterprise Solution Studies consistently found security to be the number one concern over SaaS. During that time period the percentage of survey respondents expressing this fear hovered between 53% and 58% and then with a series of widely publicized data breaches, in 2016 it jumped to 70%. While fears have settled back down since then, we agree: Everyone should be concerned over security. But we would also contend they should be concerned regardless of deployment option.
Don’t make the mistake of thinking an on-premise implementation is necessarily any more secure than SaaS. That is unless your data center is completely contained with no possibility of access from outside the four walls of your building. That means no VPN access. It means no external consultant or guest ever connects their laptop to your network. It means no laptop ever leaves the building to be potentially connected to any other network, then brought back and connected to yours. There aren’t too many installations, if any, like this in the world today.
In fact, if you are a small to medium size company, without a dedicated IT security expert on board, chances are you assume more risk than you would in a SaaS environment, particularly one that has successfully completed an annual SAS 70 Type II audit. While many of our survey respondents expressed concerns over security, others admitted that part of the appeal of SaaS was the comfort of leaving security and other IT issues to the experts. A security breach does pose a risk, and you want to put yourself in the best possible position to protect yourself from that risk, as well as others.
Assess Your Risk
You should be constantly assessing all your risks. Do you have risks today in terms of existing software and its ability to help you manage your business? We live in disruptive times and the sheer pace of change is accelerating. Does your current solution contribute to those risks or mitigate them? What new risk does new software add or eliminate?
Risk in Growth
In our last post, we addressed some of the risks associated with growth today. Global expansion is all about seizing opportunity. To capitalize on any opportunity requires you to take some chances and be willing to fail. That in and of itself, is the very definition of risk. Under these circumstances, it’s all about speed. You might be willing to take the risk of failing, but you will want to fail (or succeed) fast in order to move on to the next opportunity. And especially if you are expanding internationally, you often have no time to build out infrastructure, and you simply can’t afford to take years to implement solutions to run the local business.
This is where SaaS solutions can help. No capital expenditure required; no need to build out a data center, or even put hardware or a huge information technology (IT) staff in country. And Mint Jutras research shows that solutions delivered as software as a service (SaaS) reach their first go-live milestone faster than in traditional, on-premise deployments.
Risk in (Not) Overextending Yourself
Less capital expenditure and not having to build out a data center can indeed lower your risk. Generally, all SaaS solutions are paid for through subscriptions, giving you the alternative of treating the cost as an operating expense (OpEx). Whether this is a requirement or even a preference is a question you must answer along with your accountants.
However, the ability to treat the purchase as an operating expense is often associated with lowering the risk. Lower risk and “pay as you go” subscription pricing however should not be confused with “Let’s just do it and if it doesn’t work, we can just walk away.” Make no mistake, the implementation of any solution instrumental in running your business, SaaS or otherwise, is a major undertaking. You might want to take advantage of a “try before you buy” offer for a pilot. There is a definite advantage in putting your own hands on the software. People that make a living demonstrating software can make anything look easy to use – even if it’s not. But any decision you make to place your fiscal system of record in the hands of the solution provider should be made with the understanding that this is for the long haul. So, perform all the necessary due diligence.
There is one risk that SaaS might seem to introduce – that of downtime and unpredictable performance. But this is just another example where due diligence is required. Ask for historical performance including outages and down-time and consider asking for guarantees, albeit with the appropriate caveats for natural or even man-made disasters. However, expect a higher level of commitment than you yourself could make to your own constituents. SaaS solution providers’ very livelihood depends on this and as a result they build in redundancies that you as an individual company could probably never afford.
While reliable Internet service is taken for granted in many parts of the world, there still remain locations where the service from the Internet service provider is unreliable. This is perhaps the single best reason for not considering a SaaS deployment, at least until reliability is at an acceptable level. But as dependent as we all are today on connectivity, this should be a well-known factor even prior to launching your evaluation.
This brings us to our last consideration: business continuity. What kind of contingency plans do you have in the event of a natural or man-made disaster? Many companies think they have this covered with a simple backup. Do you have built-in redundancy? Do you have automatic roll-over in the event of a power outage… or worse? And where is your backup stored? If it is stored at your own facility, or even across town or nearby, does that protect you from a regional disaster like those we’ve seen in the not-so-distant past? Would it have helped victims of Hurricane Katrina, flooding in Houston, or the most recent tornados in Nashville? Companies that have experienced any one of a number of natural disasters can attest to the value of alternative plans for business continuity provided by SaaS solutions.
One such company running a SaaS ERP solution in Louisiana lost the roof of its facility during Hurricane Katrina but were able to securely access all systems the day after the winds and rain subsided, even while its manufacturing capabilities were shut down.
As we wrap up our series on cloud and SaaS, we’d like to reiterate how we began. Today the majority of businesses have some sort of cloud strategy and the shift to the cloud and SaaS has begun in earnest. When cloud was far less popular, decision-makers worked hard at analyzing the pros and cons and understanding all their options. Now with all the media and vendor hype, it appears to simply be a given. Like the tide, the surge towards cloud seems to be unstoppable. And as people and companies accept the inevitable, they stop looking at the different options with a critical and questioning eye.
Look carefully at the different possibilities for cost reductions. Explore the avenues to more and faster innovation. Consider SaaS as an enabler of growth. And finally assess your risks. Do you have risks today in terms of existing software and its ability to help you manage your business? What new risks does new software add or eliminate?
Assess your current level of security. When considering SaaS solutions, look for data centers that have passed a SAS 70 Type II audit and ask yourself if you yourself could pass such an audit today. Less capital expenditure and not having to build out a data center can indeed lower your risk. And SaaS can deliver the peace of mind that comes with a good business continuity plan, with built-in redundancy and automatic roll-over in the case of anything from a simple power outage to a full-blown natural disaster.
The depth and breadth of choice between solutions and deployment options have never been greater. Look for these choices to continue to expand. But with more choice comes the requirement for better due diligence and good decisions. Don’t be held back by pre-conceived notions and misperceptions about technology that is rapidly advancing. Not all SaaS solutions were created equal; don’t treat them as a commodity. Make a careful choice that is right for your business.
Cindy Jutras is a widely recognized expert in analyzing the impact of enterprise applications on business performance. Utilizing over 45 years of corporate experience and specific expertise in manufacturing, supply chain, customer service and business performance management, Cindy has spent the past 14 years benchmarking the performance of software solutions in the context of the business benefits of technology. In 2011 Cindy founded Mint Jutras (www.mintjutras.com), specializing in analyzing and communicating the business value enterprise applications bring to the enterprise.
- Thought leadership
- Customer Story
- Company News
- Product Focused
- CFO Focus
- #COVID-19 crisis
- Professional Services
- Technology Innovation
- Financial Services
- Industry Insight
- Wholesale Distribution
- Workforce Experiences