Enterprise Smarts

Is Web-Hosted Software Safe for Compliance?

By Todd Wasserman

Renting software instead of buying it has obvious appeal for a CIO. It’s arguably cheaper, often doesn’t require hiring new IT personnel and entails fewer hassles than standard software.

Such Web-hosted applications, also known as Software as a Service (SaaS), have been around since the late 1990s and are already popular options for some functions like accounting and human resources. The next frontier for SaaS solutions will be in areas like risk management, financial governance and compliance solutions.

Liz Herbert, a senior analyst with Forrester Research, of Cambridge, Mass., considers SaaS in general to be in the “fairly early stages” of adoption, estimating that only 16% of companies are using SaaS.

Many expect the supply side of that equation to grow. Gartner, of Stamford, Conn., predicts by 2012 more than 33% of independent software vendors will offer some of their applications optionally or exclusively as SaaS. By 2009, 100% of tier 1 consulting firms will have an SaaS practice. Nevertheless, the majority of companies are not on board with SaaS.

Primary objections to SaaS include:

  • Security: Having a third party manage part of a company’s IT operations has obvious risks. The main issue is a lack of control over online security, theft and malevolent employees.
  • Performance: A lack of control could lead to performance issues such as increased downtime.
  • Integration: The software may not completely mesh with other in-house applications.
  • Cost: It may be cheaper in the long run to buy or create applications and run them in house than to “rent” them.

Benjamin Pring, vice president of research for Gartner, says all those concerns are valid. Yet Pring sees the rise of SaaS as inevitable.

“Large professional service firms are increasingly aware that SaaS is not a mere fad and is not going away,” he wrote in a recent report. “SaaS is growing in enterprise adoption, and in certain domain areas, will soon be the prominent approach to application development, deployment and management.”

In fact, the more providers adopt SaaS, the less weight such objections will have. Larger companies simply have too much riding on their SaaS applications to take chances. “If Salesforce had a major issue with its software, it could ruin the company,” Pring says.

This argument is particularly important in terms of an organization’s financial governance, risk management and compliance operations. Analysts caution that large organizations need to question SaaS vendors about the following before outsourcing functions that could lead to a financial restatement, a violation of regulations or increased risk for the organization:

  • What are the security implications? Herbert acknowledges that CIOs are often queasy about having some part of their network out of their control. “When I ask [CIOs] ‘What are your main concerns?’ in a lot of cases they’re just uncomfortable about data being off site,” she says. In that case, Herbert recommends a physical audit. “Go to the site and make sure they have physical security in place,” she says. Of course, that’s not warranted in every case. “It depends on the size of the bet you’re placing,” Pring says. “If you’ve got a sales team of 10 people using it, that’s a bit over the top.” But Pring says if a firm is using a larger application, then “significant tire-kicking” is in order.
  • Will performance measure up? Getting an accurate read on performance can be tricky, since third parties don’t generally track performance metrics, and companies pitching SaaS may be tempted to exaggerate their statistics. Yet Pring is comfortable saying that, for most mature SaaS players, “performance is not much of an issue.” That’s not to say that any SaaS system is 100% perfect. Salesforce, for instance, has experienced a few widely publicized service outages, including a six-hour outage in December 2005 caused by a database error. Nevertheless, smaller, pure-play firms are likely to have more performance issues than larger, established firms, Pring says. He adds that investigation of such smaller firms, or “checking under the hood,” is mandatory.
  • What are the integration challenges? While it may be relatively easy for an SaaS provider to sweet-talk a potential customer out of the first two concerns, many CIOs are all too familiar with the pain of integration. Those who thought they were getting a good deal with SaaS soon found that they needed to spend more money and time integrating the new software. Indeed, Gartner estimates that such costs can add 30% to 50% to the overall expenditures on an SaaS application.

Such issues can be addressed with middleware or by purchasing pre-integrated suites by one vendor. Forrester’s Herbert acknowledges that integration is still a big issue with SaaS, but it’s “an area that’s been improving.” Herbert says the problem is often caused by business unit heads buying SaaS “under the radar” and then dumping it on the CIO. The best way for a CIO to avoid this situation is by continuing a dialogue with business unit leaders.

  • What are the long-term costs? Just like leasing a car, paying for SaaS may make sense in the short term, but less so over the long haul. “The case is still unproven,” Pring says. “Certainly, the models we’re developing would support the argument that three, five, seven years into the deal it becomes more expensive. Vendors have done a bad job laying out the true cost of benefits.” Pring and others suggest taking all aspects of ownership costs into consideration and providing such models a few years out to get a more accurate picture of the true costs of SaaS.

Only after CIOs and other C-level executives receive satisfying answers to those questions should they consider outsourcing some of their organization’s operations -- such as financial governance, risk management and compliance -- to an SaaS vendor.


Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently the editor of Brandweek magazine.
