Due Diligence, Vendor Management Get Short Shrift with SaaS


Software-as-a-service vendors like to compare their solutions to traditional on-premise software, stressing how much easier and less expensive it is to deploy SaaS. And who can blame them? This is a reasonable approach to a point, and in at least some cases it's probably even true. But I worry that customers buy into these statements a little too eagerly, because of overly aggressive sales pitches, their own inflated expectations or some combination of the two.


I wrote about this back in October, encouraging companies not to let a "we'll throw the switch and everything will be great" mentality cause them to neglect the always-important issues of people and processes when implementing SaaS. I also mentioned it in November of 2007, in a post about how cost really shouldn't be the primary reason for using SaaS. In that post, I likened SaaS to outsourcing, noting a similar tendency for some customers to believe these services will somehow magically solve all of their business problems.


ZDNet blogger Phil Fersht makes some similar points in a recent post. Like Fersht, I've always considered SaaS to be a form of outsourcing, in which you offload at least some of your business functions to an outside provider. This is a concept that implies some pretty stringent due diligence, as well as ongoing relationship management. Yet for some reason, perhaps because of its relative newness, these areas seem to get neglected with SaaS.


The two specific areas Fersht mentions are data security and governance. He writes:

Outsourcing goes to great lengths to stipulate where data resides, how it is protected, who has access, which measures are in place to accommodate political or natural disasters, and how data management complies with regulations. In addition, outsourcing providers are SAS 70 compliant, but are all SaaS providers?

These kinds of questions should not only be included in due diligence but in most cases should be spelled out in contracts as well. (And with outsourcing agreements, they typically are.) SaaS vendors could allay customer concerns with transparency, clearly communicating to customers how they can extract their data if they want to leave and providing solid back-up arrangements, suggested Deal Architect blogger Vinnie Mirchandani earlier this year.


Such issues are of paramount importance in an area of the software industry so nascent that there are bound to be plenty of vendor shakeups in the years ahead. (Though outsourcing is more mature, it's not exactly immune to vendor shakeups.)


As for governance, Fersht adds:

Companies move into SaaS because it is cheap and easy, and often overlook the internal business transformation they need to go through to manage these processes effectively in an outsourced environment.

Again, even in outsourcing agreements, ongoing process management is sometimes neglected. But doesn't it seem even more likely to get superficial consideration in SaaS deals?