This article, “Ten Questions to ask your SaaS vendor”, has been co-authored by AJ Witt, The ITAM Review, and Dusan Omercevic, CEO & Founder of Cleanshelf.
SaaS spending is growing rapidly. By 2020, it will overtake spending on on-premises, perpetually-licensed software. SaaS is mainstream and here to stay. This article poses ten key questions you should ask a SaaS vendor to ensure your company receives the full benefits of your investment in software subscriptions.
SaaS expenditure has been growing for the last 20 years. Salesforce, 20 years old in 2019, generates almost $11 billion in annual sales. They’ve posted annual revenue growth in excess of 20% every year for the last ten years, bar 2009.
The market is expected to grow annually by 20% for the next five years, with total spend approaching $113bn by 2021 and $185bn by 2023. Alongside this market growth, productivity is expected to double by 2024, driven by automation, AI, and machine learning.
This growth is reflected in the average spend per employee. Cleanshelf have seen SaaS spending per employee grow by 164% in the last four years. This represents a fundamental shift in the cost of doing business compared to perpetually-licensed software.
The SaaS market is fragmented in comparison to the market for perpetually-licensed software. Whilst the players are similar, the key difference is that almost half the market is made up of smaller players, which indicates the relative immaturity of SaaS as a delivery mechanism for enterprise applications. Microsoft, the largest player, had 18% market share in 2017 compared to 42% held by vendors outside the top ten. What hasn’t changed is that most enterprises will still be dealing with the same vendors: the top 5 are Microsoft, Salesforce, Adobe, Oracle, and SAP. Of the remainder, only Zoho & Workday have disrupted the status quo. If we’re dealing with more or less the same mega-publishers, what’s different about buying SaaS?
Whilst the objective is the same (getting the right tools for your employees to do their jobs), the way we get there with SaaS differs compared to perpetual licensing.
First and foremost, we’re buying subscriptions and this means SaaS subscriptions are rarely treated as assets from an accounting perspective. They’re not depreciated, and we can’t “sweat” them. If we don’t pay the monthly or annual charge, we lose access to them. We don’t own anything beyond the right to access the service for the duration of the contract. For this reason, SaaS subscriptions are usually treated as Operating Expenses (Opex), not Capex.
This has a trickle-down impact in a number of areas.
Firstly, your budgeting needs to account for the shift in expenditure. Secondly, your forecasts, particularly for new projects, need to take into account multi-year costs in order to accurately calculate Total Cost of Ownership (TCO).
SaaS applications are continually updated, and with nothing to install, new features and fixes are made immediately available. But you no longer have the choice to cease annual maintenance coverage as you did with perpetually-licensed software. You also lose a degree of leverage with the supplier, as you no longer have that maintenance renewal card to play in contract/renewal negotiations.
SaaS differs in that generally there is nothing installed on your users’ devices. This makes asset discovery problematic, particularly as much SaaS expenditure takes place outside the traditional IT procurement process, existing as Shadow IT on departmental budgets and expense accounts. With nothing to install and only an internet connection required to access the service, there is a loss of governance with SaaS deployments. With ever-increasing legal, regulatory, and compliance requirements, this increases your organisation’s risk of non-compliance.
With the above points in mind, what do we need to consider when sourcing applications from a SaaS vendor? This section groups some key requirements into areas of Security, Service, & Cost.
Security should take precedence over all other considerations. You’re putting critical business processes and data into a publicly accessible network. If you were running a factory, you wouldn’t leave it unlocked or allow anyone to use the production line. SaaS is now the means of production and value creation and needs the same locks and keys as your physical assets.
SaaS applications remove many of the physical security barriers that protect on-premises software and data. Application Security should be at the forefront of your decision-making process. Key capabilities to look for include the ability to integrate with Single Sign On (SSO) providers such as Okta or OneLogin. And, with almost 90% of former employees retaining access to some cloud accounts after leaving, the service should enable automated onboarding and offboarding of accounts. Finally, at a minimum, the service should offer multi-factor authentication to protect against common cyber-attack methods such as password-spraying.
Where is your data being stored? Does your supplier provide this information? Do they meet the regulatory standards required by your organisation, for example SOC2 compliance, HIPAA, or GDPR? It is vital to establish this before you start using the service.
It is common for SaaS solutions to make use of open source code, also referred to as libraries or dependencies. Ask the SaaS provider to declare whether their product contains open source code, and research the quality of those libraries – this is known as Open Source Code Hygiene. For an idea of what can go wrong, see our articles on data privacy breaches at Ticketmaster and British Airways. BA are currently appealing against a £183m fine for their data security breach in August 2018.
The final “S” in SaaS is Service. You’re putting trust in a vendor to provide you with a service that’s fit-for-purpose. These are the things you need to consider from a service delivery perspective.
SaaS is usually hosted online with no locally installed components. Your access to the service is contingent on a number of factors, any of which can make the service unavailable. Critically, more of these factors are outside your control in comparison to a service installed in your local datacentre. Ask your SaaS provider for information on uptime and resilience, particularly for critical business services. Furthermore, work with your Business Continuity Planning team to map out the impact of downtime of a SaaS service and research alternative solutions. Ensure that you agree a Service Level Agreement along with an uptime guarantee for critical services delivered via SaaS.
The SaaS market is characterised by rapid innovation and a dash to acquire sufficient subscribers before funding runs out. Assessments of vendor viability are important, particularly if they provide a niche capability not readily available elsewhere in the market, or if you are basing a critical business process on a SaaS service.
Failures and acquisitions are commonplace. Acquisitions often result in services being terminated, sometimes at short notice. For example, Twitter acquired content filtering service Smyte in 2018 and immediately shut it down, leaving a number of customers with existing contracts without a service. Microsoft, IBM, and Google have also done this when acquiring services, and all have a track record of sunsetting their own services with limited notice. In October 2019, Adobe Creative Cloud subscribers in Venezuela lost access to that service due to Adobe’s interpretation of a US Presidential Executive Order.
Will the service you are relying on be in business for the duration of your contract?
SaaS lends itself to stitching together multiple applications to provide a service. For example, you may use Google Calendar, Calendly, and Zoom to provide a web conferencing service. Build a Service Catalog, highlight the interdependencies of the business objectives enabled by your SaaS environments, and categorise them by criticality, just as you would for on-premises software. Whilst this is more of an internal question, asking your SaaS vendor what their roadmap is for their product may help you plan for future synergies.
For all organisations it is important that services provide value for money, and cost control is a key part of this. Here are some aspects of SaaS you should consider from a cost perspective.
Cost control starts with not spending money on things you already own, or on things you don’t need. Before you start asking questions of SaaS vendors, start by discovering what your colleagues are using to get their jobs done. Equally, find out where there are service and capability duplications – for example where different user groups are using different web conferencing services. Talking to SaaS vendors about standardisation can unlock preferential license terms and pricing – more on those below.
Whilst much SaaS software is licensed on a per-user basis, there are a wide range of metrics used to calculate usage. Make sure you understand the impact of changes in these metrics and that they meet your use case. Be particularly wary of metrics that push you into higher price bands as you grow. Economies of Scale do not always apply to SaaS – in fact in many cases the reverse is true. A small team may be able to use a Basic subscription but as that team grows they may be required to upgrade to a more expensive Pro or Enterprise subscription.
Pay attention to pricing tiers and the features enabled at each tier. Be mindful that SaaS contracts are often short-term, and feature migration between tiers is outside your control and may result in the need to purchase a higher-cost tier in the future. If you intend to use a service long-term, pursue price and feature holds with your SaaS vendor to mitigate this risk. For more on techniques in this area, please see this article.
SaaS potentially enables tools and solutions to be more closely aligned with business requirements in comparison to on-premises IT. For example, procurement may use a SaaS service for managing bids. This enables analysis of the value of a solution to the business – it may improve productivity and accuracy and result in cost savings. Dedicated or niche solutions may appear expensive on the surface but yield considerable value for your organisation.
SaaS has been changing the rules of IT provisioning for the last 20 years. Until recently, it may not have received the attention that would be given to investments in perpetually-licensed technology. As we move towards becoming SaaS-first organisations, with the majority of our spending on subscriptions, this presents an opportunity for IT Asset Managers to deliver greater value. Far from being the “death of ITAM”, it makes the core competencies of our teams – working with software publishers, understanding our IT estate, getting the right deal for our organisations – even more relevant. We have the opportunity to act strategically and deliver considerable expertise to our colleagues in IT Security, Procurement, and Finance.
With Digital Transformation seemingly driving business investment in IT for the foreseeable future, we have the opportunity to ensure that journey is one of safety, cost-effectiveness, and value generation.
To help all stakeholders evaluate the suitability of a SaaS vendor or service, Cleanshelf have produced a SaaS Vendor Evaluation workbook, available via this link.
For guidelines on SaaS Security see the NCSC framework at https://www.ncsc.gov.uk/collection/cloud-security
The ITAM Review will continue to research this topic. Our content collection is here https://itassetmanagement.net/saas-management/
SaaS Vendor Negotiations and how understanding pricing will help you: https://www.cleanshelf.com/resources/2018/03/20/saas-negotiations-and-how-understanding-pricing-will-help-you/
SaaS Vendor Evaluation Workbook: https://www.cleanshelf.com/resources/2019/11/14/saas-vendor-evaluation/