SMEs rate security a barrier to SaaS adoption…

A new research paper from Fairfax Business Research has the following worrying statistics:

  • 79% of respondents gave security concerns as one reason to not sign up for a SaaS product
  • Almost 50% cite concerns that data could be hacked or accessed in transmission
  • 32% state the data is too important to be held offsite
  • 35% cite SaaS as a bottleneck given potential internet downtime

It’s a real issue that software vendors need to provide answers to, and preferably before the questions are asked. Looking at each of these issues in turn:

Security concerns 

This should be an easy one. There are a few things that need to be done here:

  1. Vendors need to invest in absolute best-practice technologies for encryption, both in the data centre and in transmission
  2. Vendors need to invest in independent security audits on a regular basis to ensure client data is sacrosanct
  3. Both vendor and client should work together to ensure security remains tight both onsite and offsite
  4. Vendors should provide real-time reporting of security protocols front and centre to ensure clients’ data is safe
  5. Vendors should invest in independent research to prove to customers that data hosted offsite but in world-class facilities is more secure and robustly held than data stored onsite

The connection bottleneck

This is more difficult, relying as it does on third-party infrastructure. Much has been written by luminaries such as Rod regarding the poor state of broadband connectivity in New Zealand. It would be interesting to read his comments on the connectivity concerns regarding SaaS, especially considering the fact that he is CEO of a SaaS vendor. Clearly Google Gears and similar products will ease the connectivity concerns in terms of short and infrequent outages. Similarly, good development will ensure that page loads are as quick as humanly possible.

Beyond these two strategies, however, it has to be agreed that connectivity is a potential issue, and one which:

  1. individual customers need to assess given their own particular circumstances
  2. will only get better as infrastructure and technologies improve

Overall I have to say that the majority of the concerns expressed in the survey are overstated at best and baseless at worst. Given time and increasing SaaS adoption, these concerns should dissipate.

11 Comments
  • As the US Transportation Security Administration can tell you, security is usually less about security than it is about the perception of security.

    With the exception of point #5, your security remedies are all about the actual security; what needs to change is client perception. I would suggest that SaaS companies need to invest in branding efforts, positioning, customer relationships, and marketing themselves individually and SaaS as a whole so that the general public (or business audience) comes to appreciate the cloud as a safe place to be.

    I recently signed up for SugarSync, a service that lets me back up and sync to the cloud. A gig of free space, simple interface — it all looked good, until it came time to hit the ‘Sync’ button. Suddenly I thought, ‘Who are these guys that I’m sending my files to?’ I didn’t hit the button.

    I’ve got no relationship with them, no history, no experience, no friends who’ve used them, no independent third-party corroboration other than the blog post that turned me onto them in the first place. They’ve never followed up to try to establish a relationship with me, provide me with more information, or walk me through their back-end.

    They could have all the independent security audits in the world, but if they don’t invest in my emotional comfort, they won’t get anywhere.

  • Valid point Kaila – I guess what went unsaid in my post, but which you highlighted, is all my points are deliverable hard actions that are needed to ensure security. Key is articulating that security exists and ensuring clients (and more importantly prospective clients) feel secure in this.

    It’s the reason that Xero IPO’d – public listing builds confidence in users.

  • Once again Ben, the positioning of a lot of SaaS products in the marketplace seems to follow the traditional marketing approaches of legacy applications; functionality, performance, interoperability etc.

    SaaS needs SaaS marketing. How many SME owners will read blogs like these to find out more about SaaS? How much understanding will they have about the technical details, which will invariably lead to their perception of security, stability and quality?

    Successful marketing should be about focusing on the differentiation points of the product, and why it is of high value to the consumer. Functionality et al. aren’t differentiation points of SaaS apps compared to desktop legacy apps.

    One needs to find these differentiation points and articulate it to the customer in a language they’ll understand.

  • Online banking, online broking, online pension/super fund management are SaaS services. You are a tenant in their stack, in their GL. All transact money, in theory higher risk than just the management of financial records or CRM information. Yet, they are widely adopted by the same people citing security as a concern. People will always rate a risk as a concern. Vehicle safety is a clear example. People drive cars even though they know the high risk. Fairfax are asking the wrong survey questions to get to the bottom of it. Survey question hint for Fairfax: “Would your No1 concern stop you using an online service like online 1.banking y/n 2.accounting y/n or 3.broking y/n ?”. The problem is survey companies don’t understand people. People’s actions (and underlying commitments) are extremely different to their stated position.

  • FB said…
    Functionality et al. aren’t differentiation points of SaaS apps compared to desktop legacy apps.

    I disagree with you here FB for certain types of SaaS application. I believe that number-crunching on-demand type SaaS, where accuracy is paramount where the potential to lose or gain millions of dollars is based on functionality differentiation. An example from the financial market industry in the online broking services that Marc Lehmann, quoted in his previous message. If these online broking services don’t adopt the superior automated Algorithmic Trading, they will be forced out of business by emerging vendors who offer superior algorithms (ie, functionality), which can beat the market frequently. Investors are not looking for just an online broking service so that they do the trading online. They need one that crunches the market data in real-time and offers them what-if-scenario strategies in order to be ahead of the market. These number-crunching SaaS types are not here yet (I mean that it is not available to just anyone on the internet), although some financial institutions are just offering these services to some of their wealthy clients who have been using such in-house services for some years. SaaS apps where numerical accuracy doesn’t matter, then I agree that functionality aren’t differentiation points.

    The following links are only some references to these number-crunching type SaaS apps I have highlighted here, where superior functionality counts:

    #1) Algorithmic trading :
    Ahead of the tape

    #2) How a Computer Knows What Many Managers Don’t

  • Nice post, but I don’t think you’ve covered all the aspects of security. Do we know what the questions were? Security has many meanings, including providing a “security blanket” (as Kaila alludes to) to make people feel safe.

    The experience with 1place should set the scene for one type of security; people were lucky to get their data out when they went down without warning. There is still no “export all my data” option from them either — although their competitors such as Cashboard do offer this. I’m just about to set my wife up on Cashboard instead of 1place even though 1place is a more appropriate product simply because of my assessment and experience of their “security”.

    Undefined XML export capability is not a perfect answer but at least it is something. The other alternative I can propose is data escrow, as a parallel concept to code escrow, where a SaaS provider periodically sends their backups to an independent 3rd party who agrees to release it under certain failure conditions. Sounds like a market opportunity.

    It still doesn’t ensure that you can keep your business running, although it would be a golden opportunity for any competitor to build an import tool. In fact this may be the other protection against company failure as SaaS promotes lock-in and therefore customers are literally worth $$ to competitors. BTW did you know there was a SaaS GPL? http://www.gnu.org/licenses/agpl.html

    In other news, check out this post. http://mobileopportunity.blogspot.com/2008/02/mobile-applications-rip.html

    It parallels the SaaS on the desktop story, they don’t call their web-hosted apps SaaS explicitly but they are. It shows the even greater problems mobile devices have when compared with getting users to buy, install, upgrade, and support applications and how SaaS avoids most of them.

    Cheers,
    Bruce

  • To clarify, I don’t mean that things like functionality etc aren’t important to SaaS apps.

    SaaS apps, or any apps for that matter, must meet the user’s need in terms of software functionality, security, scalability etc.

    What I’m saying, is that these aren’t the things that differentiate a SaaS app from other legacy applications.

    They don’t, in themselves, create a strong value proposition for a user to adopt a fundamentally new model of application delivery, one that impacts on their architecture, their governance, their risk frameworks and their cost/capex bottom-line.

    To add to that, it is arguable on whether or not SaaS apps currently in the market place, can match their legacy counterparts in terms of full functionality. Also, it is not difficult for legacy providers to develop their offerings to match those of SaaS apps, should they ever be found to be losing out in the functionality race.

    Essentially, if you focus on functionality as your differentiation point, then you position your products among all software available in the market; SaaS, legacy and everything else.

    Functionality is specific to the software, and we keep saying that SaaS isn’t about the software, but the service.

    Marketing is about focusing on the differentiation, the niche that is of high value to the customer – and articulating that value to the customer.

    Essentially, the marketing proposition to the customer should be SaaS is different from your current installed app because of… service, delivery, management, radical change to cost structure…

    And not

    SaaS can do all these tasks better than your current installed app because… functionality, flexibility etc

    The former are differentiation points. The latter should be a given, with any app.

    In the current situation, the battle that SaaS vendors are facing is to acquire customers with legacy software and migrate them to a new delivery/subscription model.

    So firstly, SaaS vendors need to create a marketing proposition that distinctly differentiates them from legacy application providers.

    Then, SaaS vendors will need to differentiate amongst themselves.

  • @FB. I think it depends on how you compare. If you are looking at offline versus online as functionality then you can hold a view that it is clearly advantageous. As an example one of our customers uses retail POS, sells in home parties, sells via ecommerce, sells via mail order and sells at trade fairs. Centralised and synchronised inventory management is critical. The platform is part of the functionality picture so it’s hard to separate them. Software doesn’t come close to cutting it in that world.

    @Falafulu. There’s lots of Algorithmic TP’s out there. Been around for a few years now. I’ve used/seen a few when I was running Principal Finance equity trading risk book for Deutsche, all of them were ASP or SaaS platforms. The Harvard quants that code them are definitely your Formula 1 team of investment banking – a mashup of big budgets and young smart heads. Usually you only get access if you’re a Fund Manager, Hedge Fund or High Net Worth client via Direct Market Access / Prime Broker accounts. They are only ever an access form away from giving use to retail.

  • @Marc,

    Agreed. Perhaps on my part it was too far of a stretch to generalise.

    Yes – if the difference between being offline and online is in itself, of functional value to the user, then functionality would be a differentiation factor from legacy apps as you proposed.

  • Marc said…
    Usually you only get access if you’re a Fund Manager, Hedge Fund or High Net Worth client via Direct Market Access / Prime Broker accounts.

    Marc, I am currently developing one. My aim is to make it available online to any users. The app is very numeric & memory intensive, this is why I am writing it as a Java applet-based app, since the applet mobile codes will do the crunching on the client’s site rather than on the server. The advantage I see here for my app, is that certain intensive calculations will not bring down the server (if it is not done on the client’s site) when many users are all doing that specific calculation on demand simultaneously (an unlikely scenario, but any app must anticipate such simultaneous function request).

    For example, the pricing of Vanilla or Exotic Options (both European & American types) using Monte-Carlo algorithm, is quite intensive which takes around 4 minutes on my PC to run and a typical iteration run is set to 20 millions (ie, 20,000,000) by default, which gives an accuracy of the price of up to a cent. Imagine if say 2,000 users are doing monte-carlo pricing all at once (very unlikely, but possible)? This will crash the server, no doubt about it.

    You can’t pre-build monte-carlo (and other related intensive numeric financial modeling function) with a fixed set of parameters and let everyone (all subscribed users) use it, since everyone will have different values for every parameter, such as start date, maturity date, current price, exercise price, volatility, risk-free rate, etc, etc… One user might have a start-date = ‘1-Jan-2007’, maturity-date = ‘21-March-2008’, price = ‘$2’, strike = ‘$3-65’, volatility = ‘13%’, iteration run = 20 millions, etc, for say, the asset=‘Xero’ while another user might have start-date = ‘13-July-2007’, maturity-date = ‘4-May-2008’, volatility = ‘9%’, iteration runs = 30 millions (which will take longer than the 4 minute runs for the case of 20 millions), the asset=‘Pumpkin Patch’.

    This type of intensive SaaS on demand, you either use a cluster of computers, use a super-computer or otherwise dedicate the intensive calculation to the client’s site (via applet), which is the cheaper approach that I am taking, and thus avoid the expected frequent server crashes when a lot of users happen to be doing the same intensive calculation at once.

  • Here’s the kind of value-add SaaS feature that will blow the security argument out of the water: http://www.readwriteweb.com/archives/googlelookup_wow.php
