Guardian Life Insurance isn't about to take big risks when making IT investments, and CIO Frank Wander will be the first to tell you that he doesn't have a cloud computing strategy, per se.
But over the past five years, the $10 billion financial services company has moved 18 applications into the cloud. It shut down a compute grid and moved its actuarial modeling application into an Amazon EC2 cloud. And it's now in the process of broadly deploying two major software-as-a-service suites.
One of the two is Workday's human resource management suite. Guardian wasn't ready to reveal the other, but at the Atmosphere conference last fall, Google announced that it had signed Guardian as a Google Apps customer.
There's no cloud agenda at work here, says Wander. Each service has earned its seat at the table by undergoing a rigorous technology acquisition process that has been updated to include considerations unique to SaaS and other cloud services. Each service has also passed through a collaborative review process that involved the legal, security and sourcing groups in addition to IT.
"We don't do anything because it's cloud. But if the financials look right, if the risk profile looks right, if the richness and robustness look right, we go with that solution," says Wander.
The sheer breadth of Guardian's move to the cloud puts the company on the leading edge among Fortune 250 organizations. The extent of its commitment to cloud services is also changing the business's IT infrastructure and redefining roles in the IT organization.
As more corporate infrastructure moves to SaaS, it's important for organizations to build a strong foundation of best practices to manage risks around security, uptime guarantees, compliance, limitations of liability, remedies and other contract details, say Wander and other IT executives. The business must be fully engaged in the technology acquisition process, and the organization must follow best practices that are well thought out -- from the initial request for information to integration, ongoing management and contract renewal.
Computerworld talked with several organizations about the challenges they face in scaling up with SaaS and other cloud services, why the technology still isn't the best fit for some applications or business requirements, and why they decided to sign on -- or walk away.
Leading by Example
Wander "is a real leader," says Robert McNeill, vice president of research at HFS Research. In many organizations, he says, SaaS "happens" to CIOs as business units bypass IT. "What's interesting is that he is using SaaS in IT -- an area that he controls. He is embracing SaaS as a way of changing the business," says McNeill.
Would you sign this contract?
The following terms and conditions have been summarized from actual SaaS vendor agreements. It pays to read the fine print. What's more, users may encounter a "click-wrap agreement" that pops up, even if they have a separate contract. Which agreement takes precedence if a user clicks OK? Make sure your contract spells that out, says Russell Weiss, a partner at Morrison & Foerster.
• The SaaS vendor can suspend your right and license to use services, or terminate the agreement in its entirety, for any reason or no reason, at its discretion at any time, with, at most, 60 days' notice.
• In the event of a suspension of service, the SaaS provider will not intentionally erase your data (but will not represent that it will preserve it) and can condition return of your data upon your compliance with terms and conditions that the SaaS provider may establish in the future.
• Your access to services may be suspended without notice, and the SaaS vendor will have no liability with regard to such downtime.
• You bear sole responsibility for adequate security, protection and backup of your data, even though the other party is hosting it.
• The contract terms can be changed at any time by the SaaS vendor.
• Your company must indemnify the SaaS provider from all claims relating to your use of the vendor's services, with no limitations on liability.
Source: Morrison & Foerster
— Robert L. Mitchell
But Wander isn't alone in his thinking. The number of SaaS implementations is climbing in other enterprises, says McNeill. He adds, "We're seeing global implementations of cloud services across the very largest of organizations," including even core enterprise applications to some extent. McNeill sees the use of horizontal SaaS applications globally or across large swaths of the corporate user base as a key trend.
That view is backed up by research from Gartner. The overall market for SaaS-delivered enterprise applications will increase from $9.97 billion to $23 billion by 2015, representing a compound annual growth rate of 17.9%, according to a November 2011 Gartner report.
Cindy McKenzie, senior vice president of enterprise application services at Fox Entertainment Group, has also moved aggressively into the cloud. Transferring 11 shared services applications, ranging from recruiting to tax reporting, over to SaaS providers was "the riskiest business decision I have made in the last 18 months," she says. The global SaaS deployments, which host personally identifiable information and other sensitive data, "pushed information security, audit and legal [departments] past their comfort zones," but allowed the business to get strategic initiatives up and running more quickly and at a lower cost than on-premises alternatives, says McKenzie.
This year, Fox plans to move more corporate applications to the public cloud, including payroll and HR. The new system is easier to use than the existing PeopleSoft application, has passed a five-year total-cost-of-ownership evaluation and can be online in much less time than it takes to upgrade PeopleSoft.
The most critical success factor, McKenzie says, was involving the audit, security and compliance departments from the beginning. "It saved a lot of headaches. If you try to do that work after the fact or when you're signing a contract, you've lost your negotiating power," she says. "The biggest surprise was how immature the governance processes were for some of the smaller SaaS vendors. We ended up pushing a number of vendors to make changes to meet our standards."
Guardian's team follows a well-defined, formalized process from start to finish, says CTO Richard Scott. "Together we evaluate all aspects of technology solutions. It's based on a matrix and scoring and a very pragmatic, objective way of looking at the solutions," he says.
"We have good vendor management processes," which are part of Guardian's governance model, Wander says. Guardian has the same operational processes for SaaS and on-premises software. "We have operational performance management. We check response times just as we would do internally. And we take end-user satisfaction measures over time," he says.
A Disciplined Approach
Start scaling up SaaS with a centralized procurement model, these executives say. Before Guardian developed its federated approach to technology acquisition, its SaaS deployments didn't always go through IT, says Doug Greene, vice president of corporate systems, security, risk and compliance at Guardian. That's a common problem, especially in large companies, according to Robert DeSisto, an analyst at Gartner.
How cloud is redefining IT roles
As the number of SaaS and other cloud service deployments continue to increase in the enterprise, IT executives are rethinking IT roles. The demand for new skill sets is leading to new job descriptions, and some traditional functions will eventually fade away.
"There will be a disruption in the IT talent base, and you need to retool and plan for that," says Mark Nathan, head of technology, planning and governance in the Corporate Office of Technology at Guardian. The insurer has 20 SaaS deployments in place or underway and recently turned off a large compute grid that powered its actuarial modeling application and moved it to the cloud. With even more functions likely to move into the cloud, Nathan is already planning for how to prepare the IT team for the transition.
So what's out? Guardian's migration to SaaS has meant fewer "rack and stack" administration jobs and less work for internal software developers. Rather than code changes, IT staff increasingly deals with configuration changes. But the need for integration specialists, contract managers and business transformation experts has increased, as has the need for specialists trained to monitor vendor performance and service level agreements. "Our plan is to retool IT toward these skills over the next five to 10 years," says Nathan.
Fox Entertainment Group has recently both deployed a private cloud and migrated 11 applications to SaaS providers. "With SaaS, our roles have lessened considerably. We have a whole lot fewer software developers assigned to staff and we don't have server admins," says Cindy McKenzie, senior vice president of enterprise application services. But database administrators are still actively involved, and project manager and project analyst roles have increased. It's a big change, she says: "The management oversight is larger, but overall the IT roles are smaller."
The Boeing Co.'s internal private cloud is also bringing changes. "Traditional roles that do a lot of designing and standing up of servers and creating customer solutions are going to go away," says Federico Genoese-Zerbi, former vice president of information technology infrastructure. Instead of building and administering servers, "IT will focus on continuing to upgrade the design patterns of the infrastructure, predicting volumes, and optimizing the way that the multitenant environment gets consumed." In the future, he says, "servers will be self-provisioned and IT will spend more time examining what that service looks like."
"The IT skill of the future is capacity management," says Amit Singh, a partner at Avasant, an outsourcing advisory and consulting firm based in Manhattan Beach, Calif. He sees an increase in the need for contract and license management, billing and invoice management and contract compliance monitoring. "A lot of training will be required. So think it through and retrain your people," he says.
— Robert L. Mitchell
"I get calls from sales organizations that are buying directly from Salesforce.com outside of the IT procurement process," he says. One client he spoke with had 19 individually negotiated Salesforce.com contracts, none of which went through IT. That business was losing its volume purchasing power, and contracts weren't getting the scrutiny they deserved, DeSisto says.
Both McKenzie and Wander say it's also critical to understand the fully loaded costs of hosting applications on-site and to include that in the technology acquisition model when comparing costs to SaaS alternatives. "We always do a five-year total-cost-of-ownership evaluation that includes all costs, such as power, data center resources and staffing," says McKenzie.
But Tom Check, CIO at Visiting Nurse Service of New York, says organizations shouldn't draw any conclusions based on IT costs alone. The $1.5 billion provider of home healthcare services has about a half-dozen SaaS deployments, including HR and CRM.
There's also one application that its nearly 4,000 clinicians in the field use to order medical supplies. In that case, Check says, "the software subscription was higher than what we incurred in the past, but the overall cost of the business process has gone down and the value to the business has increased."
At Guardian, upgrade-and-refresh cycles have traditionally consumed 12% of the shared services budget. The move to SaaS, and an intense focus on expense optimization, has transformed Guardian's IT budget. "What makes SaaS valuable is the continuous upgrading without the burden on our organization," says Scott.
Today, 40% of the budget goes toward running and maintaining existing operations, down from about 60% a few years ago, leaving more money to invest in solving other business problems, says Wander.
Scaling Up the Contract
The contract sets the tone for the relationship with a cloud services provider, says Wander. If you want to be successful, he says, "focus on the contract."
Unfortunately, "cloud computing often is not amenable to in-depth negotiations," says Russell Weiss, a partner at Morrison & Foerster, a law firm that specializes in negotiating service agreements. "Click-wrap agreements" -- the ones users typically opt for when signing up for SaaS offerings online -- are the norm for small and medium-size businesses. "They're full of 'outs.' When you read the fine print, it can be very alarming," he says.
Fox's McKenzie says it's critical to think about contract terms and conditions early in the process by making clear what terms the organization can live with and which ones are nonstarters. "I have a requirements template, request for information and request for proposal templates, and a contract template with all of our criteria," she says. Included are canned paragraphs covering important areas such as information security. "If they can take that, we don't need to involve information security again," McKenzie says.
Greene says Guardian starts by clearly defining the service it's signing up for. "Make sure you have a defined service, not a product name. And ensuring that baseline functions won't change with updates to the SaaS application is critical," he says. "You want to make sure you're getting your minimum [requirements] around security and functionality [and that] they can't dumb down the product in a future release."
Limitations of liability clauses can be a major sticking point. "[The vendors] want no liability, and we want unlimited liability," says Wander. As with remediation for failure to provide service at agreed-upon levels, providers usually limit liability to a refund of up to the total dollar amount of the contract -- or a prorated service credit. "But if a service is buggy, do you really want more of something that's bad? It's better to get a promise of better service or a certain termination right," says Weiss. Likewise, a data breach can easily cost more than the value of the contract.
Finally, contract pricing can come back to bite you, and vendors don't like to make downward price adjustments for changing user counts, as McKenzie discovered. "We need the ability to scale up and down. SaaS doesn't work that way. That's been our most heinous fight," she says, because vendors wanted to lock Fox Entertainment Group into a volume purchase agreement for three or five years.
Wander had better luck. "We have a five-year contract that locks in terms and conditions but trues up on an annual basis. We've gotten very good terms in many cases," he says. But Guardian is a big account, he admits, adding, "I don't think everyone can achieve that."
There are two other ways to improve your negotiating position, says Weiss. One is to announce up front that you'll be doing competitive bidding, and then take the most favorable contract terms and pricing from each proposal and ask vendors to meet them. Another is to work with a reseller. "They can help out with terms," he says.
Still, SaaS isn't a fit for every application or large business. Boeing provides SaaS applications to its customers at MyBoeingSuite.com but uses only about a half-dozen SaaS offerings itself -- in part because it's a defense contractor and must adhere to strict data security requirements. "Things that hold lots of intellectual property are way out of scope for SaaS," says Ted Colbert, vice president of IT infrastructure at the aerospace giant.
Integration issues present another potential challenge. For example, Boeing's current HR applications for recruiting, staffing and other functions are built around a data warehouse. "To use SaaS, we would have to build more interfaces than we have today, which would drive our complexity higher," Colbert says.
Also, with 160,000 employees, the ability of SaaS providers to scale is a concern. "We haven't seen that play out yet," he says.
And Boeing's complex business processes would require extensive customization of any SaaS application. "The traditional SaaS offerings don't support the structure we have today," Colbert says, but Boeing will be better positioned for SaaS as it continues to simplify its business processes.
As the number of SaaS applications in use grows, managing integrations and data flows becomes a bigger concern. "One of the things we're careful about is understanding the integration and what that does to the overall profile of our solutions," says Scott at Guardian. As part of its governance process, Guardian has always had life-cycle methodologies for the software it builds internally. Scott's team extended that to accommodate SaaS. "Having this template to follow, which is predictable, has proved itself and is really one of the secrets to our success," he says.
Some business applications in the cloud aren't up to enterprise standards. "There are certain scenarios that aren't there yet," Greene says. In some situations, the risk profile doesn't match the organization's requirements. In others, the business might need to wait until existing IT investments are fully amortized before investing in SaaS.
Even Guardian is still nibbling around the edges when it comes to moving core ERP applications to the cloud, and Gartner says cloud-based ERP implementations aren't nearly as common as cloud-based HR and CRM systems.
SaaS offerings for core ERP applications are still evolving. "One process I haven't seen in maturity out there yet is core financials," says Greene. McKenzie also evaluated financial service offerings but declined them. "The two major products I looked at were not ready for prime time. Honestly, the market is not mature enough," she says.
Overall, IT executives say their experiences with SaaS providers have been generally positive. "We haven't had one real problem, never a breach or had a vendor go away or bad service or SLA breaches or had to sue anybody," McKenzie says. "Our experiences have been exceptionally good -- so good that we're pushing more and more."
These IT executives say SaaS didn't win out in every case. But Guardian chose that option in 20 instances because the business case made sense and the services were mature enough to meet the needs of a large enterprise in areas such as service-level performance and security. And Guardian had the clout to negotiate favorable contract terms for service levels, limitation of liability clauses, pricing and other requirements.
Every system that isn't a competitive differentiator should be delivered as a service, says Wander, warning that "businesses that fail to pare their legacy architecture may find their core business disrupted by smaller, nimbler companies who have built on SaaS and cloud."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.