Would you trust your data to Oracle CEO Larry Ellison? When the Software-as-a-Service model (SaaS) was bandied around in one of its earlier incarnations in the 1990s, that was one of the most frequently asked questions from sceptics. Fast-forward to the mid-noughties and you can replace Ellison’s name with that of Salesforce.com’s Marc Benioff, NetSuite’s Zach Nelson or RightNow Technologies’ Greg Gianforte but the principle remains the same. Are CIOs – used to ‘growing your own’ IT – ready to hand over their precious corporate data to a third-party and then access it as paid for service?

Whatever form the question took, it was always a fairly facetious one and now increasingly irrelevant, as the number of enterprise SaaS deployments increases. A more interesting question might be to ask whether CIOs are happy entrusting their data to someone who is effectively a ‘virtual CIO’ for their organisation?

Retaining responsibility

SaaS is not like outsourcing. In an outsourcing relationship, you hand over responsibility for the running and management of your IT systems to a third-party such as EDS or Accenture.

With SaaS, you are still responsible on a day-to-day basis for managing and manipulating your own data. It is just that in order to do so you are tapping into a third-party’s IT infrastructure via a desktop browser. So you need to be damn confident that the infrastructure is up to scratch and well-managed. That means having confidence in your own third-party counterpart – the CIO at the SaaS provider, a person who not only has to answer to the demands of his own business but also those of thousands of customers who are reliant on the IT infrastructure for which he is responsible.

“I definitely feel that I’m a ‘virtual CIO’ for some of our smaller customers, although larger ones like Merrill Lynch obviously have huge IT organisations of their own so in those cases we work more as a partner to their own CIO,” says Parker Harris, co-founder and executive vice-president of technology at Salesforce.com. “The only marked difference between my role and that of an end user CIO is the scale and the sheer variety of customers that I have to deal with. You’re serving all of the company’s customer base as well as the internal organisation. That’s not to say that the CIO of Shell is not dealing with issues on a huge scale but there is a different order of magnitude. That’s why our IT infrastructure is architected the way it is. Scale is extremely important for us.”

Universal challenges

But SaaS CIOs are human too and face all the same challenges other CIOs do. They are relied upon by the business to deliver the enabling technologies that will generate bottom-line growth; they are constantly expected to ramp up performance levels; they are somehow supposed to do more with less; and they have to wrestle with ensuring security. “I have never really had a need for something that we weren’t able to get,” admits Harris. “Budget is not really an issue from that point of view. I can go to [CEO] Marc [Benioff] and get what we need. We are trying to grow our business and technology investment is part of that. But if I’m not efficient about the way in which I run things and deliver our service, then I would face questions. So I have some similar pressures, although because of the way we are architected we’ve been able to gain the efficiencies we were looking for.”

Security priority

As to where the money goes, there are no surprises there. “Security is always top of the list of thing to spend budget on but that’s never about doing more with less,” says Harris.

“The other big area around our infrastructure is reducing the cost of the database server platform and database storage, which are our two biggest areas of spending.” The defined responsibilities of a CIO inside a SaaS firm inevitably overlap with those of a CIO at a customer company, although surprisingly the CIO title is often not used. Harris has CIO responsibility but not the title; it is the same at NetSuite.
Over at RightNow, there is a CIO but it is a role that was only created this year. “RightNow hadn’t previously had a CIO,” says Laef Olsen, recently appointed to that position. “Previously technology had been managed in different areas of the organisation. Various different parts of the organisation were reporting into different areas of responsibility, such as security reporting into legal and compliance,” he says.

“There was a lot of discussion internally and over time they formulated an idea of what a CIO at a SaaS firm would be and would do. My role inside RightNow is to build a world-class production organisation.”

Two sets of users

“My responsibilities start with what we do inside the company, the sort of things that every CIO is dealing with, such as compliance, personalisation, vendor relationships and open source platforms,” says Olsen. “The key difference is that while I need to do that internally I also need to package those services for external consumption. So I need to be concerned with managing code changes. I need to be able to wrap the entire customer base into that process. I am also responsible for capacity management and this is a greater challenge for us than for many CIOs as we’re not just forecasting our own consumption but also that of our customers. The history of RightNow has been stellar with the overall availability of systems very good. Security is also very high on my list of responsibilities. We are very buttoned up on security.”

Over at NetSuite, the ‘CIO’ argues that he is not really a CIO at all. “I am not so much the CIO as perhaps our finance department is,” argues Dave Lipscomb, NetSuite’s senior vice-president, engineering and operations.

Walking the walk

“We run our own software, almost every system comes from NetSuite. So the management of the different functional systems is handled out of different departments throughout the company,” says Lipscomb. “Individuals act as their own CIOs in that respect. In a traditional firm, a lot of what CIOs have to manage is not only the systems but also the administration, the users and the system configuration. We make those things simple so we don’t need super-techies to handle them.

“What I am responsible for is the uptime and performance of the systems. We have an uptime guarantee of 99.5 per cent in any given month. What we offer is unlike the SLAs that I have with our own providers. If we miss our uptime commitments, we give customers back a whole month’s money, not a percentage in the way that vendors usually do.”

Spreading your bets

Lipscomb is quick to point out that NetSuite has not had to pay out as a result of downtime to any great extent to date. “In infrastructure terms, we believe in small iron, not big iron. All the leading SaaS vendors have a three-tier architecture with three levels of servers – a web machine, an application logic machine and a database server where all the data is stored,” he says.

Salesforce.com has a few giant databases whereas NetSuite has hundreds of small databases. Lipscomb claims that this prevents his company suffering the sort of service outage problems, Salesforce.com had when its database system failed. “If a single database fails for us, then we only have one per cent of the customers down, not the entire system,” says Lipscomb.

Data downtime

Harris concedes that the Salesforce.com approach differs markedly and still shudders at the memory of the downtime crisis of Christmas 2005.

“We certainly learned a few lessons there,” he says. “We moved the entire customer base from one datacentre to another. If you talk to any CIO, he would say don’t do a wholesale change and that’s now ingrained in our thinking.

“We are also going from large complex systems to more commodity technologies. We started at a polar opposite to NetSuite. They said ‘we’ll have a ton of different systems’; we said ‘we’re only going to have a couple’. I’d say Netsuite had too many instances, we had too few. There’s a happy medium and that’s what we’re aiming at. If I had a thousand different machines running, then there’s a lot of intellectual capital that would have to go into running that and that’s not really adding much value to the customer.”

Lipscomb reckons that long term the SaaS model will change the definition and role of the CIO. “You will no longer need to be as technical in order to carry out CIO work,” he says. “You will need to be able to set up an internet connection but you will also have to be more customer-friendly. The IT guy at most firms is a guy you fear, someone who tells you why you have to conform, what you can and cannot have in terms of technology. SaaS will change that by giving the CIO’s power out to others in the organisation.

“That’s a good thing. SaaS allows CIOs to focus more on what their customer want and to deliver against that. The CIO role will be less about dealing with what customers expect and more about giving what they want. What they expect are things like uptime and patches to keep the organisation going; what they want are more integrated business applications and reports in the formats that meet their needs. That’s a good role,” says Lipscomb.

Suite success

As SaaS steadily builds a real-world track record, more midsize enterprises entrust the technology with not one but multiple core business tasks. Olympus NDT, a manufacturer of testing equipment, uses NetSuite, a fully integrated suite of services, for accounting, CRM and e-commerce. Data integration was NetSuite’s biggest drawing card, says Fabrice Cancre, Olympus NDT’s chief operating officer, who oversees the enterprise’s IT operations.
“The sales reps, the accountants, the inside salespeople taking the orders, the customer services reps – everybody is entering data into the same database,” he says.
While every ERP package offers data integration, SaaS gave Olympus NDT the ability to obtain ERP benefits without the complex hardware and maintenance infrastructure that usually accompanies on-premises ERP packages. “The entire system is managed by NetSuite,” says Cancre. “We don’t have any need for (ERP) servers, backup systems and the other things that add up to a very big cost for a midsized business.”
Scalability also attracted Olympus NDT to SaaS. The rapidly growing company is expanding both domestically and internationally. “We have six locations in the US, and we’re also using the system in Germany, France, England and Japan,” says Cancre. Adding users in new locations requires little more than logging them in to the web-based system.
While Olympus NDT has handed over all of its customer-facing interactions to NetSuite, it still relies on traditional software, Infor Visual Manufacturing, to support another core business process, production operations. The onsite software tracks parts, coordinates ships and handles various other manufacturing-oriented tasks. “NetSuite is definitely not able to do that,” says Cancre.
On the other hand, NetSuite does exchange key business data with the manufacturing ERP software. “We’ve set up our systems so that we consider our factories as a vendor, at least from the NetSuite point of view,” he says.
“NetSuite then trades with the ‘customer.’” Cancre says midsize enterprises need to view software in the same light as other essential business services. “I mean, we could have our own lawyers too,” he says. “But we don’t have them – we hire them as we need them.”

The public face

There is of course an external facing role for the SaaS CIOs – as advocates of their own technology model they can help to assuage concerns of CIOs in end user organisations who still harbour doubts about the SaaS approach and might think the old ‘would you trust your data too…?’ question is original thinking.

“The other hat that I wear as well as working internally is being part of the sales cycle,” says Olsen. “As the ‘virtual CIO’ it is important that CIOs at customer companies should understand who and what they are dealing with. It’s the case though that CIOs aren’t really worrying about who’s managing the systems. They need to understand that it is being managed and have confidence in that. When I sit across from a CIO at a customer organisation, my first thought should be ‘how do I do that in my own organisation?’

Peer trust

“Certainly talking to another CIO can make CIOs more comfortable,” says Lipscomb. “I don’t tend to enter into the conversation at the early stage of a sales negotiation. By the time they get round to me, they are at the stage of looking for someone who can talk about the technical detail and security concerns and so on.
“I have gotten into some very heavy discussions with CIOs but what I like about most CIOs is that they tend to be very rational and reasoned engineering people. They want to know exactly what the risk equation is. When you’re honest with them, then they are fine.”

Harris concurs with this and argues that he – and the wider Salesforce.com culture – is the best ‘proof of concept’ of the SaaS model.
“Ideally we will use everything in the portfolio before our customers ever do,” he says. “In the planning documents for IT that we put together every year, you can see increasing evidence that we’re eating our own dog food,” he says

“I do get involved talking CIO to CIO with our larger prospects, where we are talking to both the business and the IT side of the organisation. We’re delivering a business solution to the business side but we’re talking technology to the IT guys.

“I tell them about how we run our service and how we use SaaS. It’s useful for me as well as there are a lot of CIOs out there who can teach us a lot about how to run and manage business-focused IT,” says Harris.

Taking precautions

  • SaaS still requires front-end work. Despite cost and operational benefits, SaaS software still must satisfy its end users. “As with any tool, adoption is the key to success. So spending time on the front-end, building up your plan and creating a communications strategy will all help garner adoption,” says Anthony King, CIO, Ventana Medical Systems.
  • Consider the state of your own data. How much work will be required to feed it to the SaaS application neatly? Trex, a decking and railing manufacturer, found that Centive’s Compel application worked well – once Trex’s IT team exported the necessary data from an ageing JD Edwards ERP engine that put up a longer-than-expected struggle. “Don’t underestimate the complexity of making sure system mergers can be handled,” says Mitch Cox, vice-president of sales, Trex.
  • Do not get optimistic on time frame. SaaS has a reputation for rapid deployment, but perhaps not as rapid as you may think. Set a realistic schedule. “I really thought we would be able to do this within a quarter, and that may have been just too aggressive,” says Cox.
  • Examine your business processes. Some SaaS applications are difficult to customise, so make sure your business processes match the software’s design. “It’s a good opportunity to simplify the processes and to make your business more efficient,” says Fabrice Cancre, COO, Olympus NDT