Business (Managing Higher Ed)

What to Ask When Outsourcing SaaS

Founded in 1875, Indiana University of Pennsylvania (IUP) in Indiana, PA, is a public, research-based institution boasting nearly 12,000 undergraduate and graduate students. In 2018, Bill Balint, CIO of IUP, and his team made the decision to put the community’s email in the cloud using Microsoft Office 365. This is an example of one of many forms of Software as a Service (SaaS) to which more academic institutions are gravitating, removing the physical infrastructure from the institution. As Balint bluntly observes, “Those genies are out of their bottles, and they’re not going back in,” meaning that outsourcing to the cloud is here to stay. Sure, institutions may change service providers as contracts expire or challenges arise, but they’re not going to bring those services back in house.

When it comes to providers, there are those that offer single, specific software services, and there are those that provide collective services, such as Amazon Web Services (AWS), “which provides a wide variety of on-demand, cloud-computing platforms,” says Thomas Skill, Ph.D., associate provost and CIO, University of Dayton (UD), OH. UD is a Catholic university founded in 1850, with nearly 11,000 undergraduate, graduate, and law students.

In the face of this new trend, and considering that there are many providers and many ways to package services, how can administrators be sure they’re contracting with the SaaS provider that will best meet their needs? By asking questions. Here’s what the experts suggest you ask.

‘How Do I Know You’re Dependable?’

There was a time when some of your customers relied on technology and some didn’t. Those days are long gone. Today, all of your customers rely on technology, and they rely on you to provide it and keep it operational. Therefore, it stands to reason that, if you’re outsourcing a service, you’re counting on that vendor to do what you would do: provide the service and keep it operational. You’ll know the vendor is dependable by ensuring that “your service level agreement is spec’d out ahead of time for when there is a failure,” says Balint. “Technology is a commodity, and your customers are not so forgiving of things not working now as they were in 1995. You can’t wait until there is a failure to come up with a plan for fixing it.”

‘Can You Give Me an All-In Price?’

An all-in price that is totally transparent accounts for the cost of the level of service to which you’re agreeing and eliminates unexpected costs. Balint offers an example of unexpected costs: “Let’s say I sign an outsourcing contract. The contractor comes in and finds a challenge neither he nor I expected when I signed on the dotted line. Now it’s going to cost more to fix that challenge before we can move ahead.” An all-in cost ensures price predictability, just as there is in knowing your own staff’s salary and benefits, and it eliminates the unpleasant surprise of unexpected costs.

‘May I Speak With an Existing Client Whose Situation is Similar to Mine?’

Balint is adamant about this: It’s nonnegotiable. “I have to be able to look at and touch another school that’s the same size as mine and has the same level of complexity as I have,” he says. “I want to talk with somebody at a school similar to mine to see what the vendor has brought to the table in terms of meeting that school’s needs.”

‘How Will You Protect Our Data?’

“We have an obligation to protect our data,” says Skill, “so this is an important question for us. In interviewing vendors, we spend an extraordinary amount of time on security.” He indicates that it’s a myth to think that, if you take your services to the cloud, everything will be fine; that the cloud is a magical place that takes away your hosting problems. For him, the decision-making driver is not pure cost savings—it heavily includes security.

“Our biggest concern is security,” Skill explains. “When we hear about data breaches, in nine out of 10 cases, it seems that it’s the third party that has lost data for an organization, not the organization itself. If this happens, it’s because we, as the organization purchasing the service, failed to do our due diligence in how the third party was keeping our information secure.”

Skill acknowledges that, in the past, he has taken heat about the length of the due-diligence process from some of his customers, who wonder why a service isn’t up and running already. He’s willing to take that heat in exchange for the peace of mind that the vendor has security as its topmost concern.

‘Are You SOC 2 Compliant?’

The American Institute of CPAs (AICPA, www.aicpa.org) offers three different System and Organization Controls (SOC) audits for service organizations that provide valuable information for users to assess and address the risks associated with an outsourced service. SOC 2, according to AICPA, is intended to meet the needs of users “that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”

Skill wants to know that potential service providers are SOC 2 compliant. However, he acknowledges that even this is inadequate and that additional questions must be asked. Those questions are formulated in a document called “Third Party Data Security Questionnaire.” This document can be readily found in different versions on the Internet and tailored to your institution, and Skill is happy to share his. “This is a very deep dive that we see as critical to our data protection obligations,” he notes. “After we ask the questions, we review the answers and ask ourselves if we’re comfortable with the answers and the risk.”

SaaS isn’t always cheaper than hosting services in-house, but it does allow you to scale up, and to do so more quickly than if you did it yourself, observes Skill. “There’s a convenience and e-speed to market,” he says. “The service provider has the responsibility for doing a lot of the back-end support so our limited staff doesn’t have to.” Being prepared with the right questions can help you choose the providers that will best help you move your services to the cloud.