Everyone seems to be talking about SaaS and its potential benefits and risks.  But what are companies really doing with it and what can anyone thinking of deploying SaaS learn from the actual implementations over the past 3 years?  We partnered with Ziff Davis Enterprise to conduct a study to find the answer to this question.  In April, 2008, Burton Group and Ziff Davis Enterprise conducted a study of 318 organizations in the U.S. and Canada. 

We found that the most common use of SaaS, at about 25% of organizations, was web conferencing.  This is no surprise since web conferencing requires little setup, minimal integration with a company's directory or data stores, and the web conferencing vendor doesn't store much of your data so information security risks are low.  Still, Salesforce.com seems to have won over information security fears as CRM showed up as #2 on the list.  The good news for some applications lower on the list is that they are due to double in SaaS market share (the dark blue "plan to use" bar is about the same as the light blue current users).  Collaboration and content management seem to have great SaaS potential since, not only are they due to double, but penetration of installed versions of this software (the green bar) demonstrates this is an important category for users.

While SaaS implementations generally went as planned (about 3 months), there were twice as many bad surprises as good ones.  The chart below shows how long the SaaS implementation took compared to expectations.  The issue is then how to stay out of the red and orange parts of this chart - to implement SaaS in a way that it can meet expectations. 

Our survey delved more into what the expectations were, where companies tended to spend the most time, and how contractual changes were used to mitigate risk.  I won't describe all of that here or you'd be scrolling down quite a lot in this blog and I'll be writing a full report on this that will be out in late August or early September.  But I do want to show some interesting results around what controls organizations put around their SaaS implementations.  While contractual terms can be used to help mitigate the risk of the vendor not doing what it is supposed to, there are also tasks in the hands of the implementer.  For example, it's up to you (the implementer) to do disaster recovery and continuity planning.  For conventionally licensed software practically every major installation has some backup and continuity plans, but only 54% of SaaS users had the same plans (see chart below for percentage of SaaS implementations with necessary controls).  Likewise, while about 70% of major installed systems have defined a provisioning process, only 45% of SaaS systems have done so. 

In summary, I'd say that while SaaS has proven to be a positive experience for organizations that are using it and can offer financial benefits that have justified the few negative incidents that have occurred, maturity in how organizations approach SaaS is still lagging.  Using SaaS instead of conventional software doesn't eliminate the need for common sense in planning, setting expectations, implementing controls, and insisting on contractual protections where possible.

Those are just a few of the findings we announced at Catalyst.  You can read more in the July issue of Baseline Magazine and in an upcoming overview from the Burton Group in late August or early September.

SOURCE: Burton Group - Craig Roth