ed_adams
Chief Executive Officer, Security Innovation

Does the CSO have a role in BPO decisions?

Opinion
Mar 20, 2007 | 2 mins
Business Continuity | Data and Information Security | Identity Management Solutions

SaaS (Software as a Service), a.k.a. Software on Demand, is gaining momentum in many parts of the enterprise today. Many companies utilize SaaS for their customer/sales management, payroll processing, and even accounting, transferring the software development and maintenance for those applications to companies like Salesforce.com, ADP, and Intuit, respectively.

SaaS can provide great TCO and efficiency benefits to companies since they no longer have to concern themselves with the development and IT expenses that go along with building and deploying these software applications. But as these business processes are outsourced, what happens to the risk?

With in-sourced software, it’s clear — you build it and deploy it, you own the risk. If there’s a security vulnerability found, it’s your responsibility to fix it. Even with purchased software, you assume the risk of security holes that may be in software when you buy it. But when you use SaaS, do you include security clauses in your SLA (service level agreement)? What happens if ADP or Intuit is attacked and they lose YOUR payroll or accounting records? Are they responsible for your notification and damage control costs? Have you taken a close look at your SLA lately? I bet it has 3 pages of feature guarantees re. uptime and functionality and 12 pages of indemnification clauses, preventing you from seeking damages from your SaaS vendor.

Which brings me to the question:

Should the CSO have a role in making SaaS decisions?

Does your company include security requirements as part of your SaaS decisions? Do you have remuneration options if there is a security breach and your sensitive data is lost? 


Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, FedEx, ING, Sony, Nationwide and HP.