Choose SaaS Vendors That Secure Data Better Than You Can

The Workday customer panel had barely started the discussion when the first hand shot up from the audience. Those attending the recent event were CIOs and HR managers wanting to learn more about Workday and its SaaS offerings. It’s not surprising the first question was about data privacy.

A short while after that question was answered came this one from the audience: “How did you get comfortable with the idea that your data was no longer under your control?”

Those in attendance were clearly intrigued by the lower costs and easier management provided by software-as-a-service, but that nagging skepticism around data security and privacy remained. And it goes something like this: Do I really want to give another company control of my data?

But why not ask this question: Is there any reason to believe that my own IT department will better protect my data than a vendor that specializes in—and banks its business on—keeping its customers’ data secure?

Some of the CIOs on the Workday customer panel acknowledged that they had to think this one through, and suggested audience members do the same. “Are we being arrogant, believing that we’re better than others?” asked one CIO of the audience. “Would I rather have someone who does this for a living protect my data, or have my own employees do it?”

Most IT departments aren’t obsessive about data security, unless the parent company is in the type of business that demands it. Reputable and well-managed SaaS and cloud computing vendors, on the other hand, will make security a top priority.

That’s a good hypothesis to start with, anyway, but it must be proven through proper due diligence to ensure that a SaaS vendor can protect your data, and probably better than you can. This means visiting a vendor’s data center, understanding its technology infrastructure and technical approaches to data security, learning how it handles patches, upgrades, and testing, ensuring it has SAS 70 certification and actually reading the document, and learning the details of how it physically secures its centers. (See “The Truth About SaaS and Security” for an in-depth look at this topic, including advice from CIOs experienced with SaaS.)

Due diligence also means reviewing the vendor’s technology and process approaches to backup and recovery. It’s talking to its customers, particularly large-company customers, which likely put their substantial IT resources to work vetting the vendor on security before signing on the dotted line.

Then, after doing this work, it’s time to ask the question: “Has this vendor proven that it can protect my company’s data at least as well as I can, and probably better?” Anything short of a firm “yes” is probably not a vendor to be dealing with, anyway.

Security is a serious subject. But the most important question regarding data security is not where the data is, but how well it’s secured.