Monday, July 04, 2011

The CIO's Dilemma – Adopting SaaS as a Strategy

“Luke, you're going to find that many of the truths we cling to depend greatly on our own point of view” (Obi-Wan, Star Wars, episode VI)

'IT-Avoidance' Mechanism
SaaS adoption has become an outstanding success, not in the only SMB which it targeted originally, but at the business-unit level in the larger corporations. SaaS became the ultimate IT-avoidance mechanism for the business department heads that were tired of waiting for many months (or years) for their IT needs, weary of investing huge budgets just to find out that the software did not deliver what was expected, or was outdated by the time it was implemented. With SaaS, they could start a free trial immediately and gain value of the solution with minutes, hours or days. IT managers sometimes found out that their internal customers were using SaaS software many months after it was a done deal.

It’s All About Control
This paradigm shift from transitional on-premise to SaaS (which is somewhat reminiscent of the PC revolution that empowered the end users and removed some of the dependency they had on IT), was not looked upon favorably by IT managers.

I believe that the main reason for IT's resentment towards SaaS, is the loss of control partly based on real problems caused by IT-Avoidance and partly is based on an emotional response to the notion of various business units not “needing” IT as much as before.

My premise is that CIO’s must adopt SaaS – it delivers the goods and it is happening anyway – but for the adoption to be successful, they must regain control of the situation.

IT usually brings up the ‘security’ excuse to kill SaaS deals, but I believe that many times the ‘security’ they are talking about is their 'job security', afraid to let go of assets that everyone is dependent on.

So let’s examine the real security issue. As I have mentioned in numerous talks and presentations, Cloud companies, as a rule, will do a much better job at data security and privacy than a hospital or a car manufacturer (or a bank, credit card company or NASA judging by the publications on the subject).
Still, there is a major issue regarding SaaS accounts when they are not controlled by IT. Any business manager can swipe a credit card, and order 40 seats for her staff to start using an HR app. The manager knows nothing of security, nor does she bother much with it - the point is to get productivity up. The users are provisioned, not by IT, but by the business unit. When an employee leaves the company to work for the competition, IT is supposed to disconnect that employee from all the assets in the company. But how can they de-provision the employee if they have no access (or knowledge) of the various SaaS applications that person was using? Who can guarantee that this employee will not access company data from home or from the new employer’s premises?...

Lack of Visibility
Not only does the IT manager have incomplete knowledge of who is using what, even if they know that an employee has a SaaS account, there is no way to know if that user is accessing the software, how it is being used and what, if any problems are there. There is no visibility into performance issues. IT also has no knowledge of what part of the organizations’ data is stored where. And could it be that some of the same data is residing at different SaaS providers, and could it be that information at one provider is inconsistent with some information at another provider?

Vendor Selection
One of the areas of expertise of IT is the ability to select software solutions and evaluate the vendors. The business units do not have that ability, and frankly, they don’t give a damn. They want quick solutions within their monthly budgets and all other topics regarding security, integration, service continuity, financial viability, and SLAs are stuff that IT traditionally dealt with (and hence took forever to make a decision). So, IT is not involved in the solution/vendor selection process exposing the enterpise to bad choices and their consequences.

Lack of Efficiency
It is not uncommon in large, distributed companies, that different departments are consuming the service from the same SaaS vendor (or different departments are using similar solutions from different vendors) with multiple contracts in place, and perhaps different integration schemes. Of course this reduces the chances for bulk discounts and is inefficient in all aspects of organizational learning and business intelligence.
Another aspect of control is the lack of ability to access, backup and analyze the company’s data or to impose regulatory constraints on the user.

Lack of Strategic Planning
The fact that each department is an independent SaaS consumer and that IT is not driving and controlling the company’s solution is a great impediment to multiyear strategic planning. The individual business units do not have a high-level view of the company’s needs and strategy.

The lack of strategic planning reduces the company’s ability to ensure security and to employ cross company data analysis (the data is distributed across multiple vendors) and may cause compliance and regulatory issues in the future.

What to do, what to do?
A following article will outline strategies to employ in order to get hold the SaaS situation. But it will suffice to say that IT needs to restore control and bring itself to the forefront. This means that, first and foremost, the CIO has to embrace SaaS and not fear it. Start by defining the strategic goals of Cloud computing in the organization. Understand who is consuming what in the organization. Review your upcoming upgrades and begin a process of considering SaaS to replace your on-premise solutions.

SaaS is not a threat but a wonderful opportunity for the enterprise and the IT organization. Don’t play a defensive game; rather, become a leader in this area for your company.


Sharon Vardi said...


Great post. You are getting it exactly right. CIO's need to get a profound understanding of why their careers depend on the move to Cloud and SaaS solutions and how this transformation is going to be a career maker for them. They need to get in charge of this change and leverage on this opportunity to further align they personal goals with the business objectives of their employers.

All excuses aside, the values being presented today with SaaS solution are so obvious that it has become very apparent that anyone saying no is hurting their business at the end of the day.

When CIO's come to make their next strategic IT investment decision then SaaS/Cloud just have to be there whether as a "testing the waters" kind of thing or for the more mature ones an all out transformation that will lead their organizations to the next level of maturity.


Dani Shomron said...

How true, Sharon.
Let me quote Vivek Kundra, Obama's CIO till a couple of weeks ago: "I look at my lifestyle, and I want access to information wherever I am. I am killing projects that don't investigate SaaS first.”

Arthur Spirling said...

This particular CIO, i.e. me, is sure SaaS will be very important in the future and we will all use it. However current SaaS suppliers will not address those two issues that matter most to my customers. They are unscheduled service interruptions and end user response times. Most SaaS providers offer, and achieve, 99.5%, or higher, availability per quarter and that is all they offer in their SLAs. Whilst meeting the 99.5% there could be one or two complete systems failures for a couple of minutes every afternoon per quarter, and very poor end user response all the time.
SaaS providers must start to understand that a CIO will want guarantees of mean time between failures and of sub 2 or 3 second response times for simple commands. Let us not hear the tired old arguments about having no control over network latency across the 2,500 mile fibre or knowing what else is running on the desk top. Of course they don't, so let's use a bit of imagination. I am prepared to trust the SaaS supplier to measure both items at head office and then report to me every quarter. Are SaaS suppliers bold enough to do it and put it in thier SLA?

Dani Shomron said...

How True, Arthur.
The SLAs in the industry are pitiful.
99.5 is a joke; it is equivalent to two full days of downtime a year.
The industry is slowly maturing and CIOs should start demanding SLAs which cover a lot more than uptime, and that will be binding (similar to what I have published in some of my posts).
CIOs should also have the tools to check on their providers and not be totally reliant on the goodwill of the SaaS companies.

us vpn said...

Great article it made me think about getting a SaaS. Thanks.