Tuesday, March 06, 2012

Give me Freedom – Give me SaaS

“You can have peace. Or you can have freedom. Don't ever count on having both at once” - Robert A. Heinlein


I really like LinkedIn. 

[ I dabbled with Facebook for a little while, but truth be told, I gave it up. Even though I know that every company that respects itself has a presence there, it still feels a little silly to share my professional views on a social network where my kids exchange juvenile videos, girlfriend status or tomatoes on Farmville.]


The professional groups on LinkedIn can generate very lively discussions on things that matter to their members. Recently, I participated in a comment-war-of-attrition (over 50 extensive comments) on one of the larger CIO groups on LinkedIn. The origin of the discussion was a simple question of how to evaluate SaaS vendors, but the discussion quickly shifted to the concept of SaaS and then to the idea that SaaS limits the freedom of the CIO.


Lack of Freedom?
One of the participants was especially passionate against SaaS and kept talking about the idea that SaaS takes away your freedom because of vendor lock-in, because there is no control over the servers and the application and because there was no option to customize the software. Another point was that SaaS was totally dependent on the Internet to function (my refrigerator is totally dependent on the electric grid; is that a reason not to buy one? I find it hard to believe that any modern business is NOT dependent on the internet whether it has SaaS or not).


It’s not about IT and it’s not about the CIO
Let’s examine the kinds of freedom that this CIO is talking about. Owning and maintaining your own hardware. Wow! You have the freedom to research, negotiate, purchase, rack, stack, connect, test, maintain and upgrade. Yea! Are your users in HR thrilled about that? Are they applauding the efforts and wonderful results? Does all that effort get them closer to a solution or is it a justification for the IT budget?

IT has the freedom to research, purchase, install, test, integrate, maintain and upgrade the software package. Yea again! It did take nine months to get here, but guess what? We have our own software!
 

The Sales department might ask you why we couldn’t have done that nine months ago, using a SaaS solution, but heck, what do they understand about IT’s needs? Oh yes, forget about the new versions that came out since – now we have the freedom NOT to upgrade (actually, we are scared s**tless about touching production after finally stabilizing the system).


I believe that the freedom the CIO was talking about was mostly about the freedom to stay in charge and have the business units dependent on IT.

[I do agree that in some cases, maintaining control of on-premise software has merit or it is governed by regulations; but that should be the exception, not the rule.]


Freedom to Customize
But, aha, IT will say, we have the freedom to customize the application to our heart's content. We own it! We can do whatever we want with it. But do we really want to customize the application? Is our hospital so different than thousands of other hospitals that our WFM software must be customized to our specific needs? Would customizing the Travel Expenses software give our bank the market edge?

SaaS applications embody the best practices of hundreds or thousands of robust businesses that share 90% of the business processes.  Most solid SaaS applications provide a level of configuration that should take care of an extra 5% of specific business processes.
On any day, nine out of ten business managers will prefer to have a working solution today that does 95% of the work, rather than wait twelve months for characterizing, prioritizing, designing, coding, testing and installing a solution that provides the 100%.


Real Freedom
SaaS gives IT and the business:
  • Freedom from hardware purchases
  • Freedom from racking, stacking, configuring, installing.
  • Freedom from the endless maintenance and firefighting
  • Freedom from the upgrade nightmares
  • Freedom to choose – SaaS almost always gives you free trials to play with before you make the heavy commitment
  • Freedom to change your mind  - if you are not happy, you can switch (yes, I know it is not simple, but at least in early stages you can do it with minimal damage while with on-premise software you are stuck with your decision for years) 
  • And that means freedom from long-term, substantial, financial commitments
  • And finally, Freedom to say NO to the business units that absolutely insist on that extra feature that will be forgotten by the time it is implemented

I am surprised that in 2012 we are still having these discussions, but apparently the veteran CIOs are still around fighting to maintain the old world order (see my previous post on Democratization of IT).

Saturday, February 11, 2012

Occupy the Server Room! – The Cloud and Democratization of IT

“The best argument against democracy is a five-minute conversation with the average voter" -Winston Churchill

(Based on a presentation I gave last week at the annual IASEI conference. The presentation was a segue to a CIO panel that I moderated in which the CIOs  discussed how they are dealing with the changes in IT)

I have been following with awe the events this past year from Tahrir Square in Cairo to downtown Manhattan and other Arab and Western capitals across the world. The message is clear – there is too much power for too long in the hands of too few. The masses want to decide what’s good for them and not let a small group of (revolutionary generals / self-appointed businessmen / grand ayatollahs) have control over various aspects of their lives.


It seemed obvious to me that the same phenomenon is happening in the corporate world. I am not sure we will soon see the employees storming the CIO’s office with torches and pitchforks, but the distribution of control from IT to the business units and to the individual workers is a trend that cannot be reversed. It is a result (and driver) of three other trends that have been as relentless:
  • Consumerization of IT
  • Commoditization of IT
  • Democratization of Information

The Great Democtator

Like benevolent rulers that know what is good for their subjects, IT managers decided what was good for the organization, what technologies would serve the people and have traditionally held all the cards close to the chest. The more complicated the world of information became, the more dependent  the business units and employees were on information technology, the more power IT had and the bigger the budget.
And like any society ruled by a single central power, dissent is inevitable and, with time, the more you try to control the elements, the more people will try to break from your hold.

IT as a Technology Broker
Not so long ago, an employee needed the IT department to do almost anything that touched technology in one way or another.  IT was a broker of hardware, of solutions and of information.
Remember the Wang 1200? It was a big machine that needed its own office space and an operator to run. What did it do? Word Processing! Imagine that you needed IT's help to write a document.

  • You needed a phone? IT would pull a land line to your desk and install the connection, then bring the device (which took them months of research and testing to decide on what model  is right for you) configure the phone and configure the setting in the PBX.  Nowadays you just use your mobile phone and ask IT to pick up the bill.
  • You needed a CRM to support your business process? IT would spend months researching and testing different packages and negotiating a price. Then IT would need to purchase and install the servers (sometimes the DB licenses as well) and that could have taken months as well.  Then IT would spend time on installation and testing and perhaps customizing and integration. All this means that you could not have done it without IT’s crucial role.  These days you would subscribe to a SaaS CRM and try a free trial.
  • Your hard drive got fried? IT will try to revive it. If a few days later they are unsuccessful, you will be issued another disk and IT will install it on your desktop and reconstruct from the backup tapes (they’re in Nebraska) at least some of the files so you could get back to work within a few days. Today, you open your Smartphone and pull up those files from DropBox.
The point being that Cloud has eroded a large part of the need for IT to act as a technology broker. Many of the resources they used to control in the past are now a mouse click away.
 
Reversed Trends

Once upon a time, most of the technological breakthroughs and innovation would come out of the defense industries, the military and NASA. Years later they would make their way into the major corporations until finally, we mortals would see the expensive gadgets in the store. Remember the Casio digital watches, the TI calculators and early GPS systems?
Well, the trend has clearly been reversed. Most of the new innovations are directed at the end user – the consumer:  Instant messaging, search engines,  blogging, Wiki, web search, polling, social networks and twitter. All these technologies made their way into the corporate world after becoming popular and useful for the general consumer population.

A Historical Perspective

Switch from 2nd to 3rd Gen Languages
It is common to think that the revolution began with the PC, but I believe that the seeds were planted when the third generation programming languages became available (FORTRAN, COBOL, BASIC, C). This enabled tens of thousands, then hundreds of Ks, of geeks around the world to join the exclusive club of perhaps a few thousand programmers that controlled the tech world thus far, and with the advent of the PC, they could do it outside the stranglehold of the large corporations. I think of it as the Magna Carta of the IT Democratization process.

Personal Computers
First there were the PCs that marked the beginning of democratization. Heaven forbid, people could actually play solitaire at work without IT doing anything about it! And then, when the affordable PCs at home offered them more freedom, they started installing all kinds of software on their work desktops using those damned floppies to get stuff around. PCs meant that geeks could sit at home and develop cool stuff without the monstrous budgets needed till then.

Internet
Then came the internet and with it so many possibilities. Do you still remember the days when IT blocked internet access or limited it to only a few pre-defined sites? Heck, there are many financial institutions that still today do not issue email accounts to their employees; if you really need something done the employees have to use their private Gmail or Yahoo mail accounts.

The internet also enabled the Democratization of information:
WikiThis, WikiThat, how-to sites; the internet enabled crowd-sourcing, so that you no longer needed in-house developers or testers to do the work, and there is less need for  IT experts to help you out.
Social networks and evaluation sites let everyone ‘like’ or ‘dislike’ your products and services, so one cannot hide behind the great firewall any longer. No longer are you dependent on IT to get the technical information. The fact that IT would probably do a better job and will be able to sift through the information more intelligently is irrelevant. The business managers have access to the information and it gives them a sense of freedom they never had before; “Power to the People!”
And, of course, Open Source software which would have been impossible without the Web. Isn't that the ultimate manifestation of Democracy?

 
Mobile Computing

Anytime – Anywhere – Anyhow. As much as IT tried to resist it at first, PDAs, Blackberries and then Smartphones and Pads became the standard and every CIO had to deal with the implications. What apps should be installed on the mobile devices, what kind of access do you allow from the device to the corporate systems, how do you synchronize and protect the data?

Cloud


And then along came Cloud, which is a big nail in the IT Control coffin.
The Cloud became a catalyst of all the above trends. Everything shifted to Fast-Forward.

The Cloud drove the Commoditization of IT – for most purposes a server is a server is a server. And with virtualization, no one knows and, frankly, no one cares.  Gimme computing power, storage and bandwidth, and let the geeks fight the acronym battles amongst themselves.
On the one hand, anybody in the organization could go out and consume IT services without the CIO being involved. Be it a server, storage, backup, development environment or a full enterprise application, it was only a credit card swipe away – and half the stuff out there is free anyway, or available as a free trial.
On the other hand, any three guys and a goldfish with a great idea, (even if they reside in a third world country) can easily get a full development or production environment up and running and sell their services to the world.
 
Impact on the CIO?

There are good sides to this trend, even from the perspective of the CIO.
Cloud liberates the IT group from a lot of the menial work they are engaged with – wiring, installing, testing, maintaining, upgrading… Imagine all this disappearing overnight. IT can switch from firefighting mode to strategic planning, from a cost center to a value center. The CIO can metaphorically crawl out from under the desk, where he was busy connecting wires, and join the executives’ strategic discussion over the desk.

But the democratization of IT is introducing many headaches to those in charge of technology in the enterprise:
  • Lack of visibility – who is using what, when, from where and how long?  All that information is now in the hands of the service provider.
  • Utilization of the Cloud resources – while moving to the Cloud may have been a substantial cost saving, it may end up being expensive if you do not know what resources are being utilized in the Cloud.
  • Lack of uniformity – each department or individual employee can access resources without the intervention of IT.
  • No control over performance or SLA adherence
  • Support of multiple mobile platforms that is very dynamic:
    • Unknown patched state
    • Unknown application vendors
    • Unknown application compatibility
    • Complexity to access corporate data
  • Security (Access Management, Theft, Privacy)
  • Corporate and government regulatory compliance
  • Intellectual property protection
  • Integration with legacy and with Cloud application
  • Subscription utilization – ROI
What to do!?

Bring Down the Wall
IT has enough issues to deal with just maintaining the on-premise IT resources. Faced with the enormity of the challenges, the initial instinct is to shut down all access from the outside world. Think of the last days of a dictator hiding in his castle, living in denial. But the reality is that the CIO has to embrace the trend, not fight it. Democracy is here to stay since there is so much for the employees (and therefore the enterprise) to lose if we rewind and return to where we were a decade ago.


Monday, December 12, 2011

Implementing SaaS Solutions Reduces Security Concerns

"The user's going to pick dancing pigs over security every time" - Bruce Schneier

In this post I am publishing an article by a guest contributor - Rashed Khan (rash799@hotmail.com) who points out interesting study results...

Software as a service (SaaS) for application delivery is a hot topic when it comes to questions of security. Adding SaaS components in any form is something that seems to generate acute anxiety in anyone who takes the time to consider it. Fears about the loss of privacy and other related security issues top the list of current concerns.

On the other hand, those who are already using SaaS solutions or have added elements of SaaS to their systems are considerably more confident about security issues than non-users. When it comes right down to it, SaaS appears to be something that one must experience in order to trust.

Forrester Research has recently completed a study that supports this premise. In companies where SaaS was already in use, having replaced a complete solution, concerns over security are noticeably lessened. This is also true in companies where the decision to replace a complete solution with SaaS had already been made and was about to be implemented.

By contrast, in companies that were only contemplating or planning to augment their solutions with SaaS, or that were using just a few SaaS components, anxieties over safety were still running high.

Miroslaw Lisserman, analyst at Forrester Research, believes this to be a strong validation of the future of SaaS technology. Lisserman had this to say about the findings: “To me, this means the following: SaaS solutions are more secure than perceived by many, since once SaaS applications are deployed and used, the security concerns decrease.” Apparently, SaaS technology performs so well that it has to be experienced to be believed.

Analyst Krishnan Subramanian, an independent researcher, feels that the security concerns related to the SaaS technology itself have been overworked. He said that the real issue related to this application has more to do with people. Regarding these concerns, Subramanian had this to say: “It is the responsibility of the SaaS vendors to educate users about their people-centric security practices. It is the responsibility of the SaaS users to get to know these details from the vendors.”

Moving away from concerns about the security of SaaS technology and turning attention instead to security concerns related to the technology's providers and users is a measure of the maturing of this technology. It's a sign that SaaS is ultimately coming into its own.

The growth of the sector itself testifies to this belief. There has been rapid expansion of SaaS solutions with Enterprise Resource Planning (ERP) software functions. Additionally, there is growing use of the ERP system by both small and mid-sized manufacturers. The manufacturing software is also used more frequently by industry distributors and in job shops.

Small companies who are part of large supply chains, along with the supply chain members they deal with, are all discovering significant benefits and greater functionality in SaaS-based ERP when employed as a comprehensive manufacturing software solution. Home-grown and standalone applications fall short by comparison, making SaaS both the wave of the future and an increasingly intelligent choice.

Thursday, December 01, 2011

The Black Swan Event in SaaS Operations

 "I find that the harder I work the more luck I seem to have."  - Thomas Jefferson

Nassim Taleb’s eye-opening books 'Black Swan' and (to a lesser extent) 'Fooled by Randomness' discuss the rare, unexpected and almost impossible to predict events that have a major impact (and usually tend to be disastrous). He calls these events Black Swan events, and gives samples such as World War I, stock market crashes,  the PC, the Internet, and 9/11.
Interestingly enough, all the Black Swan events are easily rationalized after the event, by hindsight.

The Black Swan analogy is borrowed from the notion that while one can induce a hypothesis from observational data - e.g. all swans are white - one cannot prove that hypothesis, since after observing numerous white swans, it takes only a single black swan to refute it. Karl Popper, the science philosopher, made that notion popular in his discussion of the Scientific Method (The Logic of Scientific Discovery).

SaaS and the Black Swan
Have you ever lost your database only to find out that the backup files were deleted the previous day? Have you ever hit a major problem with a component in the system, only to find out that the support contract expired last month?

My own experience and the experience of the numerous companies I have worked with, have taught me that the next Black Swan is just around the corner, lurking in the dark and will hit you when you least expect it to. Heck, that’s the nature of a Black Swan.

The systems we deal with are so complex and interdependent that one could never analyze (let alone predict) the interconnections that govern the behavior of the services we offer. Luckily, statistics are on our side, so that most SaaS applications are stable most of the time and on average, we can predict the behavior over time. But that is just what creates a Black Swan – we observe a certain behavior for so long, that we tend to accept it as a scientific fact; until it bites us in the behind.

Running a complex SaaS operation with dozens (or hundreds) of servers, network boxes, configuration files, erratic software and all the dependencies we have on our infrastructure providers (power, internet, hardware, communications) is like driving a high speed car on a congested highway, blindfolded. We have no appreciation of how much Lady Luck is involved.

Keep in mind that the longer good things happen, the harder is the effect of the Black Swan event - remember the dot.com and the real-estate bubbles; most of us are still licking the wounds.

The Butterfly Effect
All it takes is an overflowing log file, that incapacitates the disk, that will bring the system down. Or a minor, forgotten gadget installed on one of the servers whose license has expired. A pipeline of requests starts filling up and there goes the system.
How about setting up an image of a new VM, whose IP and the DNS IP were reversed by mistake. Put it in production and slowly the wrong DNS IP starts propagating in the system. After a while the servers are not communicating with each other and the system freezes.
These tend to be catastrophic events, since they are so hard to detect and resolve. Many times, restarting the whole system is the chosen quick solution, praying that the problem will resolve itself. But in these cases, the system will behave just as badly, and by the time one realizes what is happening, major damage to the customers and your brand has been done.
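The two failure modes above can both be caught before they spread. The following is an added example, not part of the original post: a check that flags a VM image whose host address and DNS address were swapped, and a forecast of when a growing log volume will fill its disk. The function names, the resolver inventory, the addresses and the usage samples are all assumptions constructed for illustration.

```python
"""Checks for the two 'butterfly' failures described above (added example).

Assumptions: operations keeps an inventory of registered DNS resolver
addresses, and disk usage is sampled periodically. All data is constructed.
"""
import ipaddress


def check_image_network(host_ip, nameservers, known_resolvers):
    """Return findings for a VM image's network settings before promotion.

    host_ip         -- address assigned to the new VM
    nameservers     -- DNS servers configured inside the image
    known_resolvers -- addresses registered as DNS servers (assumed inventory)
    """
    host = ipaddress.ip_address(host_ip)
    resolvers = {ipaddress.ip_address(r) for r in known_resolvers}
    configured = [ipaddress.ip_address(n) for n in nameservers]
    findings = []

    # A new application VM must never claim a resolver's address.
    if host in resolvers:
        findings.append(f"host address {host} belongs to a registered DNS server")

    unknown = False
    for ns in configured:
        if ns == host:
            findings.append(f"nameserver {ns} is the host's own address")
        elif ns not in resolvers:
            unknown = True
            findings.append(f"nameserver {ns} is not a registered DNS server")

    # Both symptoms together are the signature of the swap described above.
    if host in resolvers and unknown:
        findings.append("host/DNS addresses look swapped")
    return findings


def hours_until_full(samples, capacity):
    """Forecast hours from the last sample until the disk is full.

    samples  -- list of (hours_since_start, used) pairs, same unit as capacity
    Returns None when there is too little data or usage is not growing.
    Uses an ordinary least-squares line through the samples.
    """
    n = len(samples)
    if n < 2:
        return None
    mean_t = sum(t for t, _ in samples) / n
    mean_u = sum(u for _, u in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return None
    slope = sum((t - mean_t) * (u - mean_u) for t, u in samples) / var_t
    if slope <= 0:
        return None
    _, last_used = samples[-1]
    return max(0.0, (capacity - last_used) / slope)


def disk_alert(samples, capacity, horizon_hours):
    """True when the forecast says the disk fills within the alert horizon."""
    remaining = hours_until_full(samples, capacity)
    return remaining is not None and remaining <= horizon_hours


if __name__ == "__main__":
    # Constructed inventory and image settings (documentation address range).
    resolvers = ["192.0.2.2"]
    print(check_image_network("192.0.2.17", ["192.0.2.2"], resolvers))  # intended
    print(check_image_network("192.0.2.2", ["192.0.2.17"], resolvers))  # swapped

    # Constructed usage samples in GB on a 50 GB log volume, one per hour.
    usage = [(0, 40), (1, 42), (2, 44), (3, 46)]
    print(hours_until_full(usage, 50), disk_alert(usage, 50, horizon_hours=4))
```

Run the network check as a gate when an image is promoted, and the forecast on a schedule, so that the alert arrives while there is still time to act.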

Words of Wisdom

Do not despair. I am not suggesting that since a Black Swan event is unpredictable, there’s nothing you can do about it. The opposite is true.
The first step is to internalize the fact that it will occur, as the famous quote goes “s**t happens”.

“Prepare for Failure” is my motto. Take into account that at any given moment something might break.

A number of practices should be implemented early on:
Change Management: To ensure that the events are indeed rare and that one may recover quickly with the knowledge of what went wrong.

Event Management: To be able to detect early on, what is hitting the fan, and respond to it.

Availability Management: Analyze your Single Points of Failure and impact of component failure. Build your backups, your DRP and practice recovery.

Incident Management: Make sure you cover these practices: Detection, Recording, Classification, Notification, Escalation, Investigation, Diagnosis, Restoration and Closure.


The Wise and the Smart ones
I was approached by a few (emphasis on few) CEOs and COOs that felt uncomfortable about the fact everything was going smoothly. Some were on the verge of fast growth and wanted to assure themselves that they were better prepared to hit the highway. Others had a feeling in their bones that “too good for too long” was a recipe for disaster, even if they did not read Nassim Taleb’s book.

But many potential customers I spoke with assured me that they really do not need my services since they are doing very well, thank you. Some are still doing very well and others had a large hat to eat and many letters of regret to write their customers.

Monday, October 03, 2011

CAC, LTV, MRR - Translating SaaS Financials into Actions

“If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.”  - John Louis von Neumann

I’m sure that most of you have seen the various metrics floating around with CMRR, CLTV, Churn Rate and ASC starring in equations that sometimes cause one to cringe while sipping the day’s first coffee.

Let’s look at one of the basic formulas for SaaS Financials:
CAC < CLTV

This simply says that if you want to become profitable one day, you must make sure that your Customer Acquisition Costs are less than your Customer Lifetime Value. In other words, the total amount of revenue you will generate from a customer, throughout the years or months that they derive value from your SaaS offering, should be more than the cash you spend on acquiring that customer.

Simple? It almost doesn’t pass the DUH Test. But in this article we'll look more carefully at the implications.

Acquisition vs. Retention
There is a notion in the industry that the costs to acquire a new customer are 5 to 7 times more expensive than the costs to retain an existing customer. Whether one agrees with the numbers or not, it is widely accepted that acquisition is more expensive than retention, yet most SaaS companies will spend far more resources and executive attention on growth through new customers than keeping the current customers satisfied, or in other words, reducing the Churn and up-selling to the current base. In fact, in every company I have consulted, the issues of Churn Management and Operational Excellence were far down on the priority list.

I guess hunting is far more exciting than farming.

Therefore, we will examine how to grow the right-hand side of the equation - the CLTV, not how to lower the left side - the CAC.

Breaking down the CLTV


CLTV = Lifetime * ARPU * Gross Margin.

I hope I am not losing you here. Take another sip from your Latte. It is not complicated – sixth grade math.  Stick with me, the actionable items will follow shortly.

ARPU means the ‘Average Revenue Per User’ for the time period defined as Lifetime. So if you count by months, Lifetime would be the number of months the customer remains loyal, and the ARPU would be the average that the customer would pay per month. If your value is calculated by years (lucky bastard!) then Lifetime would be how many years you retain the customer and the ARPU is average revenue per year from the customer.

Gross Margin is the ratio of total Revenue to the Costs Of Goods Sold (COGS) – how much does it cost you to give service to your customer.


For the Gross Margin to grow, the COGS should shrink, or at least stay stable as your revenue grows. So the lower the COGS are, the more you retain for your Christmas party.
As a simple example, let’s assume that your average customer sticks around for 19 months, that the average monthly payment from a  customer is $430 and that your gross margins are 72%, then the CLTV = 19 * $430 * 0.72 = $5882.4.
Just imagine that with a little effort you could cause the Lifetime to grow to 21, or the ARPU to $460 and multiply the new CLTV by the number of customers...

What can we do about it?
Without going into details of how the various numbers are calculated we can still learn much about these equations and derive actions from them.
The bottom line is that you want to have the highest CLTV value possible. Looking at the equation, it means that your Lifetime, Gross Margin and ARPU values should grow.

Needless to say that for each of these three values, books could be written. Nevertheless, the paragraphs below cover the main points and map the actions one can take, and their direct impact on the equation’s variables.

Lifetime 
In order for this value to grow, a SaaS provider should invest managerial attention into customer retention, or lower Churn. That means improving your customer service and responsiveness. Measure and monitor the support KPIs. Run a weekly Customer Success meeting with Support, Operations, Sales and PS. Build a community and best practices around your product to enhance loyalty.
Be as transparent with your service levels as you can. Award loyalty with small gifts. Document  your Churn data and analyze it – understand the reasons customers leave you and determine the trends.
Provide meaningful SLAs and act on them.

Average Revenue Per User
Translate ARPU into: “up-selling your service”. This means a strong group of farmers in your sales team. Use software to monitor user behavior. Think of value-added services that you could sell for a fraction of the recurring cost. Identify and keep in touch with your champion inside the customer’s organization and seek opportunities to sell more services or branch out to new groups within the organization.

Gross Margin
Lowering COGS means an effective and efficient Service Operations. This starts with a good team of dedicated professionals, a rigorous set of practices such as Change Mgmt, Incident Mgmt, Event Mgmt, etc. and a robust monitoring and alerts infrastructure.
Automation and Delegation  - maximize what silicon and your customers can do instead of having people on your end doing it. That means create as much automation as possible around manual processes. Provide self-help, self-registration and self-configuration for your customers to run.
Understand the financials of the hosting services you are using. Don’t stick to the current solution just because you have been doing it for a long time. Circumstances would have changed, new solutions are offered every month, and a fresh look might save a lot of recurring costs.

In conclusion, we looked at one of the equations that every venture capitalist (i.e. your board members) tells you to watch, and transformed it into actionable items that your company should deal with. To pass that threshold of profitability, it probably won’t happen with that “major deal we’re about to sign”, but with improvements across the board in every aspect that tilts the right side of the equation.

For some good readings on SaaS Financials there are Bessemer’s 5 Cs, and Joel York’s excellent articles on the financials of SaaS.

Sunday, August 21, 2011

SaaS and SLA - State of the Art

"You can get assent to almost any proposition so long as you are not going to do anything about it." (Chapman, John Jay)

Lately, I have been approached by a number of frustrated CIOs, asking me about what can be expected from a typical SLA in the industry and which provider offers an SLA with some beef.

A Typical SLA
Let’s see what a basic SaaS SLA should look like:
Service Availability 
System Response Time 
Customer Service Response Time 
Customer Service Availability 
Service Outage Resolution Time 
Failover Window For Disaster Recovery 
Reclaiming Customer Data 
Maintenance Notification 
Proactive Service Outage Notification 
RFO (Reason for Outage) 

Nice. Now let’s see what a typical SLA in the SaaS industry looks like:
Service Availability 

Is that it? Yeah, that’s about it.  (Sometimes you may find Customer Support response time as well, the Lord be praised). The standard SLA in the industry only discusses ‘uptime’ and even that is usually very iffy, with mostly zero or negligible penalties.

Recently I have been meeting with CXOs of successful SaaS companies and asking them what their SLAs offer. Not surprisingly, their answers were reflective of the typical SLA above. Some did not even offer an SLA and one said, half jokingly, that they (the customers) should  say ‘thank you’ for even having the service available.  When asked about the future of SLA in the industry, the collective answer was that nothing will probably change, customers will not demand better SLOs (Service Level Objectives) and that the whole issue was quite irrelevant. One CEO suggested that the only concern of the CIO is ease of integration.

Is that so? Or are these guys burying their heads in the sand? When I asked about how many dealt with CIOs (as compared to business units), only one said that he did, and that it was an unpleasant experience.

How would you explain this discrepancy between what CIOs want and what SaaS CXOs would offer? And why is the state of SLAs in the industry so pitiful?

A Quick Historical Review
I think the answers lie in the history of SaaS and how it penetrated the market. Around 12 years ago we started seeing the first SaaS applications (although no one came up with the name until a few years later). SaaS mostly targeted the SMBs who had no access to the enterprise software that was available to the larger companies. Whether because of cost, complexity or support, the on-premise applications were out of reach for the smaller companies. When they started becoming available over the Web, the SMBs were so delighted to even have a solution that they were not going to bitch about the service levels being offered in the contracts. They were just happy that the apps were available. So, SaaS companies offered a 99% uptime which seemed pretty good (except that it translated into four days of downtime!). Nobody could talk about performance, as the dependency on the customers’ own network and on their ISPs allowed the providers an easy escape from accountability.

The Corporate Business Unit
Even though SaaS initially targeted the SMB, the big breakthrough came from the business units that found freedom in circumventing IT and getting their needs answered quickly (and in the process, flipping a bird to IT). The heads of the business units were mostly concerned with features and did not care much about SLAs. Even if they did, they did not have the experience and knowledge that IT has accumulated over the years on what to demand, how to verify that their service levels are met, etc.

The New IT Manager
More than ten years have passed with SaaS slowly establishing itself as mainstream, and conquering more and more territories. Old habits die hard and the sad state of SLAs remained where it had been a decade ago. Now, SaaS is finally entering the enterprise through the front door. There is a new generation of CIOs that are not threatened by SaaS and understand the freedom it offers them. They want to get back into the driver’s seat, clean up the mess that a decentralized SaaS policy created and control what is entering their domain.

As for the CIOs with the old-timer’s attitude, the Cloud hype has forced them to pay attention. When the CEOs caught on (hey, we can save a lot of money here) the pressure was on the CIOs to start acquiring Cloud Applications – SaaS. And, like it or not, there are numerous integration issues that demand that IT be in the picture.

Slowly, we are seeing a shift in the market. More and more CIOs and IT managers are in the picture. And when they see the lack of real certification or the famished SLAs offered by the vendors, they are probably baffled, at best, if not furious.

I believe that gradually, as more CIOs enter the picture, the SaaS providers will have to prove themselves as more mature, attentive and accountable vendors. I think that the IT customers will step up the pressure and changes will occur. SaaS providers will succumb and provide a serious document with real numbers and repercussions.

In short, the differentiator is no longer the fact that a vendor offers SaaS, nor the feature set, nor the pricing. To distinguish oneself, a SaaS vendor will have to excel in every aspect of the service and provide the assurances for the service levels that CIOs are expecting.

Monday, July 04, 2011

The CIO's Dilemma – Adopting SaaS as a Strategy

“Luke, you're going to find that many of the truths we cling to depend greatly on our own point of view” (Obi-Wan, Star Wars, episode VI)

'IT-Avoidance' Mechanism
SaaS adoption has become an outstanding success, not only in the SMB market which it targeted originally, but at the business-unit level in the larger corporations. SaaS became the ultimate IT-avoidance mechanism for the business department heads that were tired of waiting for many months (or years) for their IT needs, weary of investing huge budgets just to find out that the software did not deliver what was expected, or was outdated by the time it was implemented. With SaaS, they could start a free trial immediately and gain value from the solution within minutes, hours or days. IT managers sometimes found out that their internal customers were using SaaS software many months after it was a done deal.

It’s All About Control
This paradigm shift from traditional on-premise to SaaS (which is somewhat reminiscent of the PC revolution that empowered the end users and removed some of the dependency they had on IT) was not looked upon favorably by IT managers.

I believe that the main reason for IT's resentment towards SaaS is the loss of control, based partly on real problems caused by IT-Avoidance and partly on an emotional response to the notion of various business units not “needing” IT as much as before.

My premise is that CIOs must adopt SaaS – it delivers the goods and it is happening anyway – but for the adoption to be successful, they must regain control of the situation.

Security
IT usually brings up the ‘security’ excuse to kill SaaS deals, but I believe that many times the ‘security’ they are talking about is their 'job security', afraid to let go of assets that everyone is dependent on.

So let’s examine the real security issue. As I have mentioned in numerous talks and presentations, Cloud companies, as a rule, will do a much better job at data security and privacy than a hospital or a car manufacturer (or a bank, credit card company or NASA judging by the publications on the subject).
Still, there is a major issue regarding SaaS accounts when they are not controlled by IT. Any business manager can swipe a credit card, and order 40 seats for her staff to start using an HR app. The manager knows nothing of security, nor does she bother much with it - the point is to get productivity up. The users are provisioned, not by IT, but by the business unit. When an employee leaves the company to work for the competition, IT is supposed to disconnect that employee from all the assets in the company. But how can they de-provision the employee if they have no access to (or knowledge of) the various SaaS applications that person was using? Who can guarantee that this employee will not access company data from home or from the new employer’s premises?...

Lack of Visibility
Not only does the IT manager have incomplete knowledge of who is using what; even if they know that an employee has a SaaS account, there is no way to know if that user is accessing the software, how it is being used and what problems, if any, there are. There is no visibility into performance issues. IT also has no knowledge of what part of the organization’s data is stored where. And could it be that some of the same data is residing at different SaaS providers, and could it be that information at one provider is inconsistent with some information at another provider?
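The de-provisioning gap described under Security and the "who is using what" gap described here can both be checked by reconciling the HR roster against the user exports of each SaaS application. The sketch below is an added example, not part of the original post; the CSV column names, the app names, the sample rows and the 90-day dormancy threshold are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original post).
HR_ROSTER = """email,status,last_day
ana@example.com,active,
raj@example.com,terminated,2011-05-31
"""

# One user export per SaaS app; the app names are hypothetical.
SAAS_EXPORTS = {
    "hr-app": """email,account_state,last_login
ana@example.com,enabled,2011-06-28
raj@example.com,enabled,2011-06-20
""",
    "crm-app": """email,account_state,last_login
raj@example.com,disabled,2011-05-30
ana@example.com,enabled,2011-02-01
temp@contractor.example,enabled,2011-06-30
""",
}

def audit(roster_csv, exports, today, dormant_days=90):
    """Return findings as (app, email, reason) tuples."""
    rows = csv.DictReader(io.StringIO(roster_csv))
    roster = {r["email"].strip().lower(): r for r in rows}
    findings = []
    for app, export in sorted(exports.items()):
        for acct in csv.DictReader(io.StringIO(export)):
            if acct["account_state"] != "enabled":
                continue  # already de-provisioned in this app
            email = acct["email"].strip().lower()
            person = roster.get(email)
            last_login = date.fromisoformat(acct["last_login"])
            if person is None:
                # Account that HR cannot tie to any employee.
                findings.append((app, email, "unknown-identity"))
            elif person["status"] == "terminated":
                last_day = date.fromisoformat(person["last_day"])
                used = last_login > last_day
                reason = "login-after-departure" if used else "orphaned"
                findings.append((app, email, reason))
            elif (today - last_login).days > dormant_days:
                # Paid seat that nobody is using.
                findings.append((app, email, "dormant"))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_ROSTER, SAAS_EXPORTS, date(2011, 7, 4)):
        print(*finding, sep="\t")
```

The check only works for applications IT knows about and can export users from, which is the point of the visibility argument above.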

Vendor Selection
One of the areas of expertise of IT is the ability to select software solutions and evaluate the vendors. The business units do not have that ability, and frankly, they don’t give a damn. They want quick solutions within their monthly budgets and all other topics regarding security, integration, service continuity, financial viability, and SLAs are stuff that IT traditionally dealt with (and hence took forever to make a decision). So, IT is not involved in the solution/vendor selection process, exposing the enterprise to bad choices and their consequences.

Lack of Efficiency
It is not uncommon in large, distributed companies, that different departments are consuming the service from the same SaaS vendor (or different departments are using similar solutions from different vendors) with multiple contracts in place, and perhaps different integration schemes. Of course this reduces the chances for bulk discounts and is inefficient in all aspects of organizational learning and business intelligence.
Another aspect of control is the lack of ability to access, backup and analyze the company’s data or to impose regulatory constraints on the user.

Lack of Strategic Planning
The fact that each department is an independent SaaS consumer and that IT is not driving and controlling the company’s solution is a great impediment to multiyear strategic planning. The individual business units do not have a high-level view of the company’s needs and strategy.

The lack of strategic planning reduces the company’s ability to ensure security and to employ cross company data analysis (the data is distributed across multiple vendors) and may cause compliance and regulatory issues in the future.

What to do, what to do?
A following article will outline strategies to employ in order to get hold of the SaaS situation. But it will suffice to say that IT needs to restore control and bring itself to the forefront. This means that, first and foremost, the CIO has to embrace SaaS and not fear it. Start by defining the strategic goals of Cloud computing in the organization. Understand who is consuming what in the organization. Review your upcoming upgrades and begin a process of considering SaaS to replace your on-premise solutions.

SaaS is not a threat but a wonderful opportunity for the enterprise and the IT organization. Don’t play a defensive game; rather, become a leader in this area for your company.