In the cloud, as in so many other areas of IT, customers want results they can quantify and measure. Vendors that can provide “industrialized” services that are not only lower-cost, but more measurable, will have a significant leg up over their competitors.
The latest evidence comes from recent Gartner research, which reports that software-as-a-service contracts “often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident. This leads to dissatisfaction among cloud services users.” It also, the analyst firm says, “makes it harder for service providers to manage risk and defend their risk position to auditors and regulators.”
This lack of clarity around security is particularly dangerous for cloud vendors, since (whether justified or not) security continues to be one of the – if not the – main reasons some organizations avoid the cloud. But that also makes clarity around cloud security a competitive differentiator, if the SaaS provider can deliver it and marketers can explain it.
Needed: Audits and Penalties
For starters, Gartner said customers “need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools.”
Gartner also recommended customers get very specific in their contracts about what constitutes adequate service levels for security and recovery of data in case of an attack. “We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed,” wrote Alexa Bona, vice president and distinguished analyst at Gartner.
In short, maybe it’s time we all – cloud providers especially – start treating security as a measurable, verifiable deliverable subject to rewards and punishments, much like uptime or performance. That assumes, of course, that the providers themselves have strong enough internal processes to deliver what they promise and measure what they’re delivering.
Next: Explain Clearly
And it requires cloud marketers to explain, in equally clear terms, the benefits of this measurable, accountable approach to security, and how it’s a differentiator from the sloppier practices of their competitors.
You may be tempted, as Gartner did, to use the “T” word – transparency – to describe this new approach. Don’t. “Transparency” is exactly the kind of vague buzzword that gets SaaS (and other) vendors in trouble. Transparency can mean either “visibility” into how strong a vendor’s security is, or “accountability” in which the vendor pays a penalty if they mess up. (Gartner has also noted that transformation is a vague buzzword that can mess up outsourcing contracts.)
Instead, describe in your marketing material exactly what you’re providing, such as visibility (through reports or portals) or accountability (through penalties or refunds), to show you understand and are avoiding the perils of ambiguity. If customers are demanding more clarity and specifics in security contracts, why not show them you get it by being clear and specific in your marketing material?
Let me know how you’re clarifying cloud and SaaS security, and whether muddied security rules – or muddied marketing – are doing more harm.