It is intriguing to me that we have to have this conversation about SaaS and software updates yet again. There is supposed to be a balancing act between the desire of investors, efficiency for the org and the needs of the customer. Right now, that balance is (yet again) all out of whack.

I actually got to thinking about this doing work for my non-IT company. One day, I realized that between browser, OS and office solutions, we were updating and restarting something nearly every night. Then, we were forced to upgrade our accounting to a really great SaaS product. Considering that a product that has served both of my businesses so well for a decade will soon be replaced in our environments, apparently, it is excellent for investors’ mindset, not so much for customers. Oh, it’s easier to access, but it comes with a separate set of weaknesses that would cost my less profitable business a ton of money. Since I like to keep the solutions standardized between the companies (for the accountant, if nothing else), the SaaS product will have to go at both orgs. We reverted to their discontinued local install product until evaluations were done to replace it entirely.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

The problem is that both SaaS and rapid iteration are great on paper, but like just about every good idea in IT, they are being treated like a panacea. Sure, recurring revenue from SaaS is great. But if you lose customers doing it, that may not work as well. The same is true with rapid iterations—once you get to consumers, updating even weekly is a bit of crazy-town. Most end customers look for a way to turn off updates as soon as they notice the pattern. Business users aren’t much better, we all have stories of systems or hardware that weren’t updated for years. Heck, I worked on teams that hadn’t updated their own systems to get them off of outdated OSes and hardware, let alone kept on top of vendor updates. This is part of the reason for the drive to SaaS – to force upgrades. But if frequent updates introduce errors for the customer, well, it’s a lousy reason.

Make your products good, and make certain you are serving the broadest piece of the market that makes sense. Of course, follow trends and make sure you are still doing what makes sense. But what makes sense is what serves the market and/or the organization’s bottom line. Everything else is input. Some will say, “In good SaaS, the user never knows if there is an issue.” Yeah, and I never wrote a bug. Seriously, don’t force things on customers; give them what they need, where they need it. In one (security) space I cover, my regular advice to vendors is, “Users need this one bit of functionality behind the firewall and stable. Give it to them, SaaS or not, or lose them.” But that sentiment is increasingly being applied outside security. Users want vendors and products to do for them, not to them.

In short, do what you like to see from your vendors. The convenience of a SaaS accessible from anywhere and free of capital expense is huge, but it isn’t always the deciding factor and, in many spaces, limits market appeal. You all know what is useful, and you know for a given toolset what is not. Apply that mentality to your own customers. And keep rocking it. Sooner or later, this deployment octopus we’ve created will come together, and we’ll have different problems to fix.