• United States



Chief Executive Officer, Security Innovation

Does the CSO have a role in BPO decisions?

Mar 20, 20072 mins
Business ContinuityData and Information SecurityIdentity Management Solutions

SaaS (Software as a Service), a.k.a. Software onDemand, is gaining momentum in many parts of the enterprise today. Many companies utilize SaaS for their customer/sales management, payroll processing, and even accounting, transferring the software development and maintenance for those applications to companies like, ADP, and Intuit, respectively.

SaaS can provide great TCO and efficiency benefits to companies since they no longer have to concern themselves with the development and IT expenses that go along with building and deploying these software applications. But as these business processes are outsourced, what happens to the risk?

With in-sourced software, it’s clear — you build it and deploy it, you own the risk. If there’s a security vulnerability found, it’s your responsibility to fix it. Even with purchased software, you assume the risk of security holes that may be in software when you buy it. But when you use SaaS, do you include security clauses in your SLA (service level agreements)? What happens if ADP or Intuit is attacked and they lose YOUR payroll or accounting records? Are they responsible for your notification and damage control costs? Have you taken a close look at your SLA lately? I bet it has 3 pages of feature guarantees re. uptime and functionality and 12 pages of indemnification clauses, preventing you from seeking damages from your SaaS vendor.

Which brings me to the question:

Should the CSO have a role in making SaaS decisions?

Does your company include security requirements as part of your SaaS decisions? Do you have remuneration options if there is a security breach and your sensitive data is lost? 

Chief Executive Officer, Security Innovation

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.