Chief information officers and IT managers have said software as a service has helped their businesses speed the take up of new technology.

But security and downtime concerns remained a genuine worry to them, they admitted, speaking at CIO magazine's Executive Forum, Saas and the CIO. The forum, sponsored by Oracle, was held in London yesterday and delegates heard users and vendors explore the benefits and challenges of SaaS.

A major advantage was that SaaS meant software could be more easily tested and set up for use because it only required web access, said David Bradshaw, principal analyst at Ovum.

He added: “The key for many businesses is quickly deploying ‘good enough’ software. Rather than getting 120% of what you need now in two years’ time, you can have 80% of what you need straight away. A lot of businesses prefer that.”

Experian, the credit checking agency that has almost doubled in size over five years through acquisitions, said SaaS had been crucial to it speedily deploying systems across its new businesses.

“One of our key imperatives was to get the most from our acquisitions. We needed to move quickly and SaaS suited us,” explained Nigel Hodges, the company’s CRM strategy manager.

Hodges said with SaaS, the IT department only needed to set up and manage configuration, which saved time compared to a standard software implementation. But he warned that some divisions of his business, which had created their own software, were more “sensitive” to the idea of changing to standard software online.

In some institutions, SaaS configuration is controlled by the divisions using the software, and in others the IT department is responsible.

Glynis Morris, contact centre manager at Gloucestershire City Council, said: “As a division manager I have control over our SaaS, so it’s easier for me. I probably shouldn’t say it but it means things don’t take weeks to change like when I have to ring the IT department and have traditional IT implementations.”

SaaS ensured the council was able to cope with the floods this summer, which cut off its contact centres from access. “All of the contact centre staff were moved to Wiltshire and Worcester in four hours,” said Morris, “and they could log in to our systems on other machines and still deliver what the customers wanted.”

Security remained a major worry among managers at the event, though many said they had not actually experienced a problem yet. Howard Lamb, CIO at operations consulting firm Celerant, said: “I’m always a bit concerned about security. We were most worried about employees [accessing the software online] running off with the data.”

Businesses that were used to outsourcing, like Celerant, would know how to manage their SaaS suppliers and be able to make sure they provided strong security, Lamb said.

There was some debate as to who was responsible for ensuring SaaS customers were secure. Vendors remained under pressure on this theme at the event, following recent news that Salesforce.com customer ADP had suffered a major phishing attack on its data, with over 900,000 customer records reported to have been illegally accessed.

Suppliers promised they were guaranteeing strong security, and access “over 99% of the time”, to their services. Steve Garnett, Europe, Middle East and Africa president at Salesforce.com, told Computerworld UK: “We have some of the strongest security standards out there, often more strong than internal IT departments have. No one can totally stop phishing.”

He stressed that Salesforce had the security to properly serve highly sensitive customers including financial firms Merrill Lynch, ABN Amro and Barclays, and said the firm also provided all customers with guidance to ensure their own security was strong.

Customers and vendors alike largely agreed that vendors should take a lead in SaaS security, though they said that CIOs too had to make sure their security configurations were right. Alan Thilthorpe, professionalism programme manager at the British Computer Society, said that CIOs needed to remember their role in setting configurations, even if SaaS vendors put “great effort into security”.

Craig Sullivan, Netsuite vice president, added: “The key is that CIOs recognise they make those ultimate decisions.”

Firms should have strong passwords, Bradshaw at Ovum advised, as well as good spyware detection on all machines, and clear policies banning access outside company networks.