When evaluating different solutions for incident response management, many factors come into play. Understandably, budget tops the list, closely followed by security, functionality, ease of use, and more. Underlying many of these concerns is the delivery method—should you choose software-as-a-service (SaaS) or an on-premise solution?
SaaS is a delivery model in which software is licensed on a subscription basis. It is hosted and maintained by a third-party vendor and typically built upon an infrastructure-as-a-service (IaaS) cloud provider such as Amazon Web Services (AWS) or Microsoft’s Azure. On-premise software is installed and run on computers on the premises of the software user.
As time passes, SaaS has become increasingly popular. Research firm Gartner forecasted significant growth of public cloud service revenues for SaaS applications—from $60.2 billion in 2017 to more than $117 billion in 2021. Despite the clear-cut benefits of SaaS solutions, however, we see many privacy professionals clinging to dangerous myths that prevent them from investing in software that delivers the best value and will serve them best in the long run.
Myth #1: SaaS is too expensive.
If you already have an IT department who maintains a stack of hardware and software onsite, you may wonder at the wisdom of investing in a whole new delivery model.
Reality #1: SaaS has a low cost of entry, a lower total cost of ownership (TCO), and a much better ROI. On-premise solutions require significant upfront capital costs for acquiring and hosting the solution, not to mention the ongoing IT costs to manage it—including hardware and software upgrades. Implementation depends on the availability of your IT department, which may take months. Scaling to accommodate growth means investing in additional server capacity and software licenses.
A SaaS solution eliminates that. The SaaS vendor manages the hardware and software and delivers upgrades seamlessly and automatically. As you add data and users, the software dynamically scales to support the load without investment on your end. The time and cost of entry is greatly reduced, so you can gain the benefits of using the software much more quickly.
In fact, a Nucleus Research report found that cloud deployments - i.e. SaaS - deliver 3.2 times the ROI, have 2.3 times lower TCO, and provide a 2.2 times faster payback than on-premise deployments.
SaaS for incident response benefit #1: Avoid the high potential risks and costs of noncompliance. A purpose-built, SaaS-based platform for incident response management, such as RADAR, automatically monitors and applies critical patches. It also keeps an updated regulatory legal engine, so you can risk assess as soon as the law becomes effective. Requirements for regulatory breach notifications are constantly changing, so your incident response solution must offer real-time or near real-time updates.
Fast and reliable, SaaS for incident response reduces the cost of inefficient and inconsistent processes, which is also essential for maintaining compliance. In addition, SaaS frees up time and resources so teams can focus on core business needs first—IT on managing strategic business systems and core data, and privacy, compliance, and security on improving their policies.
Myth #2: SaaS is not secure.
A survey by the Cloud Security Alliance found that data security was the top concern that prevented companies from adopting a cloud-based solution. Compromised accounts or insider threats, and business continuity and disaster recovery were also significant concerns.
Reality #2: SaaS uses economies of scale to deliver world-class security. While an on-premise solution keeps your business’ sensitive data within your own firewall and protected by your own security policies, this doesn’t mean it’s more secure. SaaS systems built upon high-end cloud providers such as Microsoft Azure or Amazon Web Services are highly secure with expert supervision of physical, network, and server security.
Using one of these high-end cloud providers is a great foundation. However, when looking for a SaaS solution, it is critical to make sure the vendor also has good security controls and has been audited by a reputable third party against an industry-standard security framework. The SaaS vendor should also offer guaranteed uptime and a complete disaster recovery program.
SaaS for incident response benefit #2: Reduce privacy risk with timely, consistent breach determination. SaaS for incident response reduces the time it takes to discover an incident, make a breach determination, and provide notification. RADAR, for example, is always up to date with continuous release schedules, which ensures breach decisions are based on the most current, up-to-date data breach notification laws. You avoid missing notification deadlines because of out-of-date software—and also avoid the problems of potential fines, regulatory action, or damage to your reputation and brand.
Myth #3: SaaS is hard to use.
The Cloud Security Alliance survey found that 34% of companies aren’t adopting cloud solutions “because they believe the knowledge and experience of their IT and business managers is not aligned with the skill sets that cloud computing demands.” That makes sense, right? Why invest in a solution nobody knows how to use?
Reality #3. SaaS is built with ease-of-use in mind. All the hard work of IT is managed for you—provisioning, installing, monitoring, backups, disaster recovery, updating, and configuring the required hardware and software. Your job is to simply use the software, which is easy enough. SaaS enables a “work-anywhere” model using just a regular browser. You don’t have to download or install additional software, which means you’re up and running that much more quickly.
SaaS for incident response benefit #3: Improve and increase the reach of your privacy program. Intuitive SaaS applications like RADAR encourage employees across the organization to report incidents and guide the privacy team through the incident documentation, assessment, and reporting process. Highly visual reports are available in real-time, giving the board insight into the value of your privacy program and helping you identify areas for improvement.
When evaluating your options, don’t let myths stand in the way of facts—especially the reality that SaaS solutions offer excellent value for privacy professionals who want a compliant, efficient, and results-driven incident response program.