Applications delivered in an as-a-service model are popular, for good reason. There’s no need to write — or write big upfront checks for — the software you need to run your business or to spend on the infrastructure or expertise to host applications in-house. I’m not surprised that IDC pegs spending on shared cloud services at $385 billion in 2021, or that it predicts sales will reach $809 billion by 2025.
Some companies maintain copies of their data and perform customizations on their SaaS apps, but even these tasks can be outsourced. And not only is the cloud more convenient, but with proper management, it is likely less expensive in the long run when you consider SaaS advantages like scalability, automatic upkeep and reliability.
However, risks come with these benefits.
What those risks are for your company depends on the function of the software, the types and sensitivity of data involved, the complexity of the functions involved and how well you control access, among other factors. Still, while there are financial gotchas to cloud services, like paying for idle resources or missing out on discounts, most risks involve cybersecurity. So as you consider adding SaaS applications, you as CFO need to factor in these concerns just as much as you consider business benefits and cost savings.
Here are the three issues that I often see tripping companies up. My recommendation is to develop a standard checklist to follow when assessing the financial and security risks and benefits of working with a SaaS provider.
A SaaS provider should have certifications to attest that it has both processes and security controls in place throughout its operations. While no certification guarantees security, many accreditations do indicate that an independent party reviewed the vendor’s processes against a set of industry-defined standards. A certification at minimum ensures that best practices are in place.
What’s that? Your security guy says certifications don’t matter? I want to reiterate that certifications do not guarantee security. Many people in the industry view standards cynically. But the absence of a certification means there has been zero attempt to verify system reliability and security. As important, the absence of an interest in being accredited says that this provider does not want to compete in the market.
ISO/IEC 27001 is a popular, internationally recognized accreditation that requires a formal audit and regular recertification. Vendors must prove they have controls around information security and HR policies, asset management and asset control, supplier relationships and more, as well as plans for business continuity and how to respond to incidents.
ISO 22301 is concerned with resilience — minimizing expensive downtime and data loss by reducing the likelihood of disruptions and having a plan to respond to and recover from incidents when they do arise.
SOC 2 was developed by the American Institute of CPAs (AICPA) specifically for services firms. It addresses protection of customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy.
CSA STAR, for security, trust, assurance and risk, was developed by the Cloud Security Alliance and focuses on “transparency, rigorous auditing and harmonization of standards.” Note that there are two levels of assurance: A Level 1 self-assessment is better than nothing but not as stringent as a Level 2 third-party audit.
OWASP Application Security Verification Standard (ASVS) provides a basis for testing web application technical security controls and provides developers with a list of requirements for secure development.
The types of certifications you should demand depend on the situation, but the ones listed above are a good starting point.
Depending on your data and customers, you may wish to also look for PCI DSS for payment processing, NIST 800-53 for federal government contractors, HIPAA or Sarbanes-Oxley.
I have one universal and major recommendation for companies: Never dumb down your own policies to accommodate a third party.
That includes working with a SaaS provider, no matter how cool its product. Hopefully you have a reasonably strong cyber and financial security posture with policies and procedures that all employees must follow. Ensure that your vendors are at least as rigorous.
For example, if your company requires multi-factor authentication and a vendor does not support multi-factor authentication, you should not consider it. Period.
Possibly one of the most critical concerns globally today is privacy. If a SaaS product under consideration will touch data that might be considered personally identifiable information (PII) or is otherwise sensitive, then add privacy certifications, such as an extension of ISO 27001 to include the ISO 27018 control set, to your checklist.
And don’t forget the patchwork of state and international laws regarding privacy requirements. If you hold any data for customers from California, you have to adhere to CCPA. There are also standards to consider from Iowa, Massachusetts and Virginia. If you are processing data involving citizens from other countries, there are privacy laws, such as GDPR, that your vendor needs to adhere to.
Remember: You are outsourcing management of the software. You are not outsourcing liability, and especially not the risk to your company’s reputation.
Your tech vendors should maintain robust security while allowing convenient access to their systems. NetSuite fits the bill, as it is audited to SOC 2 standards and maintains ISO 27001, ISO 27018 and PCI DSS compliance.
Well-established SaaS vendors’ cybersecurity capabilities are almost certainly better than those of your own organization. However, you should not take this for granted. Over the years, I have evaluated vendors that had poor cybersecurity practices, even though I would have assumed they knew better. One organization, for example, stipulated in its contracts that it could share data with outside partners, which might be a privacy violation. Some vendors have offshore data centers and operations, which can be a violation of a variety of laws — or, if you have a presence in that country, it could be a selling point. An EU data center is advantageous for GDPR compliance.
My point is, you can confidently take advantage of SaaS applications. There are many more benefits than risks. But don’t skimp on your due diligence, tailored to your reality.
Ira Winkler, CISSP, is CISO for Skyline Technology Solutions and author of books including “You Can Stop Stupid,” “Corporate Espionage” and the bestselling “Through the Eyes of the Enemy.” He is in the Information Systems Security Association Hall of Fame, and CSO Magazine named him a CSO Compass Award winner. Ira writes for a number of industry publications and has been a keynote speaker at major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting and director of technology of the National Computer Security Association. He was also on the faculties of Johns Hopkins University and the University of Maryland.