Cyber Security and Your SaaS Ecosystem—Part 2
Deconstructing a Complex SaaS Marketplace
With more and more companies turning to SaaS Application Services to deliver critical business functions, it is paramount that cyber security teams, third-party and enterprise risk teams, legal teams, procurement, and business teams work together to define a shared understanding about how SaaS Application Services are vetted and qualified for use, and how risk is monitored and managed over time.
In part one of our three-part blog series on the complexity of SaaS vendor evaluation for enterprise firms, we introduced the use of a context framework for initial evaluation of SaaS vendors. In part two we dive into how to evaluate the business prospects of the SaaS firm.
As shown in the notional context map above, if we expect a SaaS application will only handle public information in our use case, we may only need to do a limited assessment of the business prospects and data security practices for Vendor A and Vendor B. If we had created another context map for effort of integration and impact of SaaS business provider failure, and concluded that it was low effort and low impact if the provider failed, our conclusion would likely be that this is an interchangeable SaaS platform and that the purchase can be evaluated almost solely on function, fit, and other traditional procurement selection criteria. However, when dealing with higher-stakes decisions, more attention should be paid to factors such as profitability, market share, whether the firm is public, burn rate and funding, etc. Due diligence can be expensive, so it is incumbent on the business buyer to be clear-eyed about the risks and business criticality of the application selection. The business owner will also face a difficult decision and should seek input from various functional experts in the evaluation.
The SaaS market space is crowded and dynamic. Although there are a handful of “household” names such as Salesforce.com that have operated for decades, there are many new entrants. According to CrunchBase, late stage venture capital investment really blossomed in 2015, so there are many young SaaS companies hoping to scale quickly.
Figure 1: Late Stage Deals and Dollar Volume Investments
This data clearly indicates that the SaaS marketplace is immature and emerging. For enterprise buyers considering security and operating dimensions, you also need to consider which SaaS vendor qualities are important to you. For example:
- Is growth and market share more important to you than profitability?
- For pre-profit firms, do you need to evaluate cash flow and venture burn rates more closely?
- What does it mean when a firm you are evaluating has negative growth?
- What is the quality and experience of investors and founders?
- How much influence will your firm have on the firm’s roadmap?
There are no simple guidelines in this emerging marketplace and buyers who make broad assumptions about SaaS services may turn a blind eye to hidden weaknesses.
Examples of SaaS Business Context Evaluation
SaaS Market Leaders
Let us examine a potential application service decision for Human Capital Management (HCM) software and look at a couple of business dimensions for the providers. As a result of a request for proposal, a Fortune 500 firm that wants to replace its current on-premise human capital management software implementation has short-listed three very different firms for final consideration: Workday (NASDAQ:WDAY), Oracle Human Capital Management (NYSE:ORCL), and Ultimate Software (NASDAQ:ULTI). All are considered by Forrester Research to be leaders in the marketplace.
One can immediately see the complexity in evaluating these three businesses.
- Oracle is a large software house that chooses not to break out its cloud earnings starting in 2018 but had previously reported over a billion dollars in SaaS revenue.
- Workday is a long-standing competitor in the SaaS HCM space and has over $2B in revenue but is unprofitable and growing rapidly so it may be buying market share, which could result in competitive pricing for our hypothetical Fortune 500 firm.
- Ultimate Software is smaller with almost a billion dollars in income and has been nominally profitable over the past four quarters.
Even in a core and relatively mature sector of SaaS, where market leaders are large and publicly held, the business buyer is faced with a firm that doesn’t break out its SaaS revenues, another with an impressive client list including Fortune 50 firms but that is unprofitable, and a firm smaller than the others that is starting to be profitable. Who can say which of these firms is well-suited to survive a significant economic event like the Dot Bomb or the Crash of 2007/2008? That said, this analysis could be used to inform contractual considerations.
- These HCM systems tend to be highly integrated into firms’ workflows, so transition costs are high. Extra care should be placed on transition-out terms and access to the service in case of business bankruptcy.
- Additional time might be spent on due diligence evaluating the firms' service roadmap and business strategy, as well as how much effort and cost will be required to integrate and de-integrate the service. Are there ways to minimize future friction if the service needs to be replaced?
- These systems tend to accumulate data, which must be maintained over time, so the ability to export that data to a new platform in the case of a transition might be a focus.
Boutique Software Houses
This first example is relatively easy. It is an application sector where the offerings are more mature and the firms are public. However, many of the most interesting and attractive application services are more emergent, coming from smaller, early-phase boutique software houses that are simultaneously trying to define the market space while scaling customer counts to continue growth toward a sustainable business model. In other cases, you may have firms with long-running niche applications that have been delivered as licensed applications, operated on-premise by customers, and that are now migrating toward a SaaS model. Because of this wide variance, we have seen vendors over-simplify their terminology to business buyers and present SaaS as a silver bullet where security is delegated to the provider, and hence a low-risk decision.
If the firm is transitioning to SaaS from a traditional on-premise licensing model, consider:
- What is the mix between their legacy business revenue and their SaaS revenue?
- How quickly does their SaaS revenue need to grow to replace and exceed their legacy revenue?
- Are they maintaining legacy and SaaS roadmaps and code bases?
- Has their SaaS offering been rearchitected and developed for SaaS?
- How has their platform been architected for multi-tenancy and security?
- How long have they been operating their SaaS environment?
We have seen packaged software providers brand their offering as SaaS when in fact it is their legacy product simply hosted with a cloud provider, one customer at a time. These companies convince business buyers that simply being on a cloud platform provides inherent protections that somehow magically confer security and operational benefits. We have also seen business buyer confusion because the subject is somewhat nuanced, and buyers rely too heavily on third-party security reviews to “inoculate” the business from risks that are not per se security risks. As overarching advice, business buyers should be aware that there is a significant learning curve and should not assume that, because a vendor reliably provided niche software to run on-premise, the vendor has the skills and capabilities to operate and secure that application as an application service hosted on the public cloud.
Born in the Cloud
Another common cluster of firms we see is born in the cloud, pure play SaaS offerings focused on high-value vertical functionality to an industry segment. These firms are often evaluated based on revenue and customer functionality, generate much excitement with business buyers, and often offer a compelling value proposition. It is not unusual for there to be two or three relatively young SaaS firms competing for the business. They are often at various phases of growth where the attractive functionality is their core business and singular focus.
We also see firms extending an already established SaaS offering with an additional “module.” Procurement or third-party risk functions are often ill-prepared to see the subtle differences between a $15MM annual revenue SaaS provider that is heavily backed by Tier 1 investors and a $5MM startup that is growing organically on founder investment and sweat equity. As a firm places trust in these smaller firms for confidential or restricted data, it has an additional fiduciary responsibility to consider these risks and decide prudently on behalf of its stakeholders.
If the firm is a small SaaS provider handling confidential or restricted data, consider:
- How many customers does the firm have that are similar to ours, and is our use case core to their roadmap?
- What is the founders’ or investors’ exit strategy?
- What are the firm’s financial resources and, if pre-profit, what is its burn rate plan?
- Are security and privacy strategic to the firm? What is their security strategy?
- What, if any, influence will our firm have on roadmap and added functionality?
- How do they protect customers against business disruption if their business plans do not come to fruition?
The Net Net
The dynamic business context of an emerging and young marketplace means buyers and business owners need to carefully consider whether a SaaS firm is the right fit for the organization. There are many different types of SaaS market entrants, ranging from born-in-the-cloud niche providers to large software houses with long-running business models built on traditional licensing of on-premise enterprise software that are transitioning to SaaS. Offering applications hosted individually for each customer (versus a multi-tenant SaaS application) is not SaaS and has a very difficult time scaling. No matter how attractive the option, organizations evaluating SaaS offerings need to take a thoughtful approach and consider potential exit strategies should a SaaS firm fail.
Part three of this series will consider situations where SaaS applications are handling regulated, sensitive, or high value privacy data; how to seek additional contractual protection from the SaaS provider; and how to complete additional security due diligence for the provider.
Revolutionary Security provides a range of advisory services that help our clients in the domains of security assessments, enterprise security testing, and strategic consulting.
Contact us today to schedule a meeting with our SaaS security specialists.
About the Author
John Gilda is an Executive Cyber Security Consultant for Revolutionary Security. He is responsible for advanced service delivery directly to key clients, including leading large complex programs and direct executive advisory services. John holds undergraduate degrees in computer science and marketing from Northampton Community College and De Sales University and a Master of Science in Technology Management from the University of Maryland University College.