When I started out in security, only very large organizations with a mature set of business processes dared to talk about implementing some form of governance, risk, and compliance (GRC) or enterprise program (e-GRC). They generally did it in an attempt to get ISO or similar certification, or to “move their programs to the next level,” and some, I think, attempted it just to prove they did it. Many of those efforts were monumental, costing millions of dollars and taking years to complete. However, a significant number seemed to end in compromise, yielding a smaller end result or totally failing after thousands of man-hours and millions of dollars for software, systems, and consulting had been spent.
Evan Quinn and I have been collecting popular customer questions for a while and wanted to share our thoughts on these questions in the form of a new format: EMA CLOUD RANTS. Each week we will discuss one of the hot topics in enterprise IT to provide the viewer with rapid analyst insights, without any fluff. Here goes the first one:
Cloud SaaS can be a cost-effective and fast way to buy and start using software (see my top ten reasons to do SaaS). However, while cloud SaaS can be great when done right, it can be painful to use when done wrong. With the increasing interest, adequate bandwidth for delivery, and a marketplace ready to try SaaS applications, many traditional software companies are considering a SaaS option. The greatest risk to the success of SaaS is poorly done SaaS ruining the market by disappointing early adopters and creating a bad reputation for SaaS. I am concerned that traditional software companies, rushing into a SaaS delivery model and underestimating what is required to do SaaS right, are the most likely to do SaaS poorly.