10 Considerations for Your Cloud Contracts – CIO View

Having signed two more cloud contracts this month, it feels like a good time to share what I consider to be my top 10 considerations in negotiating a cloud vendor contract. As I was writing this, I had a hard time culling the list down to just 10. I’ve learned a lot over the years and have scars to prove it. There will be different views on this depending on whether you’re talking about SaaS, IaaS or one of the other horizontals in the space (PaaS, DRaaS, ...), but these 10 are generally applicable. So, here it goes:

1. Limit price increases – There is a lot of debate on whether or not moving to the cloud is actually cheaper than on-prem applications, and my answer is that “it depends”. There are many factors that must be considered (personnel time, upgrades, etc.), but license cost is a big one. What is a fact, though, is that the longer the time horizon, the more expensive the cloud alternative can become. You’re paying a constant expense stream which can blow up any ROI analysis over time. Other than negotiating the lowest initial price you can get, the best way to limit the cost over time is to reduce the pace and amount of future price increases. There are a few ways to approach this, the first being to go for as long a stretch as possible before the first and subsequent price increases. Most vendors will give you price breaks for longer contract terms. You might think this a risky approach as you’re committing yourself to a longer contract, but I’m assuming you’ve done your due diligence and are confident you’ve picked the right vendor. Even if things don’t work out as planned, which you absolutely need to consider, you’ll not likely be in a position to actually move off completely for 2-3 years. If negotiated right, the price increases will be tied to the contract length. The second part of this is to then ensure that each increase is as low as possible. I once negotiated a 0% first anniversary increase on a 3 year contract, basically holding my per user price flat for 6 years. I also negotiated a 5 year term with a 30 day out clause. No increase for 5 years and I can leave at any time. So my long-term contract risk is... nothing. Try it; you never know what you can get.

2. Access to Data, Integrations and SSO – Some vendors are charging different prices depending on the availability of integration connectors or API’s, while others don’t charge extra for this capability. Even if you’re not starting out with a lot of integrations on day 1, you have to be prepared for the high likelihood of needing to get data in or out early on. Even SSO connections can sometimes cost extra to set up, or not be supported at all. If your cloud vendor is relatively new and doesn’t have published SSO connectors, make sure you include this capability in the contract at no charge. It’s in the vendor’s best interest to get this done and will help them in future contracts, so there is no reason for them not to include this. Integration and connectors are key for most successful cloud implementations, and a must for many, so it is frustrating that some vendors are charging extra for these. I get the tiered, a la carte approach that helps with revenue, but I think this is one area to focus on in your contract negotiations.

3. Flexibility on your license growth – On the software and platform side, the number of users will be a key factor in the ongoing cost. Having a good understanding upfront of your one and three-year growth scenarios will help you lock in lower prices on future growth. If you’ve hit a wall on the initial price, negotiating favorable discount tiers can help in the long run. The focus should be on having a low ceiling on your initial tier.

4. Exit strategy for data and access to data if the vendor fails – One difference in having your data in the cloud is the amount of control you have over it. So what happens if the vendor does go bankrupt? What if you do decide to move off to a competitor? A vendor failing isn’t a big concern for many of the top-tier providers, but it is something you need to think through and account for. I’m lumping this into your exit strategy for getting data out as it’s a similar issue. You need to understand how you’ll get access to the data and what your options are for getting copies. Ensure that you have some time to get your data out after your contract ends, in addition to language that ensures assistance from the vendor. Once you implement and once you get data integration up and settled, you’re already a step ahead in this process.

5. Development/Sandbox environments – If you’ll be making configuration changes to your SaaS app, or rolling out new apps or pages under a platform model, it’s important to understand the availability of sandbox or dev environments. The need is really no different than on-prem apps, but the type, freshness, availability and size of the data available are important, and can vary or be an extra price. Some vendors will apply this increase to all your licenses, so pay close attention to this and push hard to get as much included for free as possible.

6. Security – This is a very broad topic, so I’ll narrow it down to encryption and masking. Is data encrypted at rest? Is confidential data masked to those who don’t have proper access? For products that rely heavily on built-in uploading/downloading (storage and synch solutions), is the data encrypted during transmission? These are key considerations in comparing vendors, and you’ll find a wide variety of options available. Don’t assume that the biggest vendors are the most secure or encrypt your data at rest. It’s not as common as you would think. Data masking is also important for internal controls to ensure PII or confidential data is not visible. Not every vendor has this capability as standard.

7. Data Center Location – If you’re a U.S. company doing business solely in the U.S., then your data center location will likely be in a region close to where you do business, if you’re dealing with one of the larger SaaS providers. For some of the smaller ones, you may not have much choice in the matter. For SaaS products, I have generally found the location to be not much of an issue within the U.S. It becomes much more complicated if you’re a non-U.S. company or you do business or have offices in other countries, as two issues then arise. First, latency in accessing your data becomes something you need to worry about, so ensure you understand where your key users are for the app in question, in relation to where the vendor has its data centers. The second issue is around data residency and the various legal restrictions on where your data can be stored. This has always been something to consider, especially in the EU. However, the U.S. government data snooping scandal has changed the dialogue on this and made it a critical item to consider and deal with. It’s a topic that deserves its own write-up, so I won’t dive into the specifics here, but it needs to be on your consideration list.

8. Disaster Recovery Capabilities – Having applications in the cloud means you don’t need to deal with backups and disaster recovery yourself, but it doesn’t mean you don’t need to worry about it. Understanding your vendor’s approach and processes is important. Do they back up to facilities in other geographic locations? How long do they keep backups for? What are their RPOs and RTOs? Don’t ignore this just because you won’t be managing it on a daily basis.

9. SLA’s and Support – Up-time or issue resolution SLA’s are very important, but don’t expect a lot of flexibility in this area. The larger the company, the less likely you’ll get any movement. The top-tier vendors typically exceed their SLA’s but most will not budge from relatively low up-time percentages in the contract. Issue resolution response times vary widely, with many charging extra for quicker response. As a consumer of the service, I hate that model. They want to tell me my default is 2 business days for support unless I pay more. Really?

10. Storage and growth – The amount of storage is becoming a much smaller issue than it used to be, but it’s something you still need to understand and account for. If storage is a key part of the product, then you’ll likely be getting 1TB, or an “unlimited” amount of storage per user. However, some vendors still charge for storage. As with the growth of license counts, you need to understand your initial and future requirements so your future storage needs are accounted for up front. You’ll never have the same leverage as you do in the initial contract negotiations, so go overboard on growth requirements up front to be safe.

These are just some of the key items to consider. I know you’ll have others you feel strongly about, so feel free to chime in here or on Twitter.

User-Centric IT

I went to an interesting CEO/CIO gathering a few weeks back where the concept of User-Centric IT was presented by some of the leading cloud providers.  The concept, pushed and marketed by Box, Marketo, Skyhigh, Jive, Okta, Zendesk, and GoodData, professes that enterprise software should first and foremost focus on the needs of the end-user.   To be more specific, the principles of User-Centric IT are:

  1. User-Centric IT serves the business by empowering people.
  2. User-Centric IT adapts to the way people work, not the other way around.
  3. People, information and knowledge must connect in real-time.
  4. Mobility is a work-style preference, not a device.
  5. Security should be inherent and transparent to the user experience.

In my view, User-Centric IT is real and is part of the changing expectations of enterprise users due to the rise of the Consumerization of IT, and the pervasiveness of the cloud.  The principles of empowerment, mobility, and real-time connections are all standard in consumer technologies today.  It’s these expectations that are driving enterprise IT to change its focus to how the user works.  Work is now a thing and not a place.  No longer are applications just about functionality, with UI design an afterthought.  Employees are using great, user-centric tools at home and they expect the same easy to use tools while working.  The same concept is driving BYOD where users have choices in the devices they use, opting for the more consumer oriented devices.  User-Centric IT uses these same principles in empowering users to be more productive, while wrapping it all up with the security enterprises require out of their applications.

These principles are also what’s great about the cloud and why legacy apps and on-prem software face an uphill battle.  As I come across more and more industry vertical, cloud based options these days, it’s wonderful to see how each new company has taken usability to a higher level.  Of course, the social and mobile trends taking over many enterprises are the other forces driving this concept. Can’t argue with that.

The various vendors who have joined forces in marketing this principle all have products that come at the issue from different angles, whether it be enterprise collaboration, security, identity, marketing or analytics. What they all have in common is a goal towards user enablement and mobility. Now, some will argue that this concept is just pure marketing with no real substance. There is definitely a marketing bent to it, no doubt, but the underlying core message does resonate with those of us who believe these trends are real. Whether you just call it the Consumerization of IT or something else, you can’t argue with principles. As a real believer in how the cloud is quickening the pace of innovation in businesses and the inherent value it creates, peeling back the marketing layer uncovers real trends.

At the event, there was a lot of discussion about the challenges this brings to CIO’s. Some were concerned about cloud sprawl, while others are dealing with deeply entrenched legacy apps that can’t just be switched or upgraded overnight. There was also a discussion on User-Led IT vs. User-Centric IT. User-Led is where integration, security, data quality, and governance are given little value, focusing purely on the best looking and quickest to implement. User-Centric IT takes this up a level, valuing the needs of the employee, but layering on the real security, integration and data quality requirements enterprises need. These are real issues and real concerns, but it shouldn’t stop the conversation. I believe that the CIO’s that are truly innovating and driving cloud adoption today, with an eye on social and mobile, are already using these principles for transformation and innovation. As the cloud becomes even more entrenched as the go-to strategy for companies, concepts like User-Centric IT will become more commonplace.

Here is a link to the User-Centric IT website

 

Consumerization of IT – Happily Turning Enterprise IT on its Head

The proliferation and acceptance of cloud computing has had a lasting effect on enterprise IT, and it’s still early in that evolution.   But as we look at the changing expectations of our users, the transformation is being led by a more comprehensive trend; the Consumerization of IT.  This trend has changed how IT leaders, business executives, managers, and all employees throughout an organization think about IT at work.   All of this has turned Enterprise IT on its head, and we’re better off for it.

There have been wonderful advances in the technology available to us in our daily lives (consumers), led by Apple, Google, Facebook, Twitter, Yahoo, Vine, Dropbox, Instagram, etc. How we view and use technology has changed as technology has become pervasive in our daily lives. The advancement of consumer oriented technologies, and their encroachment into enterprise IT, have evolved over the last 10 years. Initially led by Blackberry with the first really useful hand-held mobile device, followed by Apple and the innovative and easy to use iPhone, employees now expect the same access, simplicity, and pleasant user interfaces at work as they have at home. As technology has also become intertwined in our daily lives, the consumer driven devices we use are becoming standard at work, and the tools and expectations have blended together.

What this means for Enterprise IT is that we as IT leaders need to understand how this affects our employees and the heightened expectations of our users. CIO’s need to understand this shift and embrace it.  Most CIO’s I know get this and have done just that over the last few years, but there are many that aren’t seeing what’s happening.  They look at it from the perspective of the secure walls of enterprise IT being torn down.  The safe zone is being intruded upon.  CIO’s can’t think this way and they will be left behind and replaced if they continue to do this.

Specifically, the Consumerization of IT has changed the expectation levels of users in the following ways:

  1. The applications used at work. The apps we deliver for our users can no longer be filled with endless features but short on usability.  An easy and clean UI is essential.  Uncluttered with clear menus is a must, as is a quick and intuitive search capability (hello Microsoft – SharePoint search sucks). Simplicity is key and browser-based design is expected.
  2. The devices our employees use for work.  BYOD has become standard as employees no longer want multiple devices for their work and home lives, nor do they want the heavy bricks affectionately called work laptops.  Tablets and slim laptops are in high demand, while Blackberries have dwindled or gone away.  Oh, and everyone now seems to require 2 monitors to work.  Additionally, some companies are now providing employees with yearly stipends to purchase devices of their choosing.  This has created turmoil for internal help-desk functions, but then again our younger users don’t need nor want our help.
  3. Increased expectations for mobile and remote accessibility. As the line has blurred between work and home life, accessing business services while commuting, traveling, or working from home has increased exponentially.  Our users are checking emails, looking for files, accessing applications, and providing enhanced customer support from any location, at any time.  Therefore, our applications and services must be easily and simply available on these devices at all times.
  4. The speed in delivering new and enhanced solutions.  Elongated, half-year development programs are too long.  If users have to wait 6 months for new development, they’re just as likely to go off and procure a cloud app themselves to meet their needs.  This might happen anyway (more on that another time), but there is no reason why internal IT can’t be agile too, delivering cloud apps or quick, simple enhancements in a shorter and iterative fashion.

Huge transformations are happening within enterprise IT because of these factors and CIO’s need to understand this and embrace it. No more of the IT bottleneck or the refusal to accept the convergence of consumer expectations. If they don’t accept these changes, their replacements will.

CIO of the Future: SFSU CIO Executive Development Program

Last week, I had the privilege of presenting to the San Francisco State Executive Development Program, which was aimed at aspiring CIO’s, along with current CIO’s who are looking to expand their knowledge.

My presentation was on the Future of the CIO.  I had great interaction and comments from the group, but what was most interesting was the many questions at the beginning about my “cloud first” strategy.  We spent 15 minutes just discussing the risks, challenges and overall value of the cloud.  Discussing the value and the great potential of outsourcing your non-core IT components to the cloud is a passion of mine, so I was surprised at the level of questions received.  Why go to the public cloud?  Aren’t you concerned about security?  More questions like these, which left me still believing there are a lot of companies and IT leaders out there who are still scared or uninformed about the value.

More on this later…

Below is a link to my presentation.

The Ongoing Talk About Titles

There have been numerous articles and conversations lately about what the “new” CIO title should be. Most of the conversation is around the Chief Digital Officer, as digital has become the mantra for organizations. Some of the other titles being bantered about these days are Chief Innovation Officer, Chief Infrastructure Officer, Chief Integration Officer, Chief Data Officer, Chief Social Media Officer, Chief Risk Officer, Chief Cloud Officer, and so on...

The real question is, does it matter? Does the title really change the role, or is the role driven by the company culture and the IT Head’s ability to engage, transform, and innovate? Most of the titles listed are really personas, and not titles. Many CIO’s actually play one or more of these roles at any time, shifting from an integration focus to a data focus to risk, while focusing on innovation throughout.

My view is that the talk should go back to focusing on HOW the CIO can innovate and help drive increased revenue or raise customer satisfaction. Even the Chief Digital Officer role implies that the CIO has a focus that is purely digital. What about integrating cloud services, a key function that progressive CIO’s need to handle today as they move more of their applications and infrastructure into the cloud? Does “Digital” describe this? Not really. Social Media is another example. That’s another area of disruption that the CIO needs to understand as it affects the employee base and the way we collaborate. A role focused solely on social media could be a subset within the Marketing department, but not likely a good description for a CIO.

These discussions are not new and they do highlight the transformation and changes affecting CIO’s today. They are worthwhile as we highlight the roles, or personas, that we need to understand and take on. Let’s just not let it get in the way of creating real business value.

 

Why IT Still Matters and Rogue IT

There has been a lot of press and conversations lately on “Rogue IT”, particularly with the proliferation of BYOC (Bring Your Own Cloud).   It’s an important topic as it relates to the changing dynamics of IT, the core competencies of a CIO, and where IT can really add value to an organization.  IT still has a role here, and it will be most effective when playing the role of a consultant to the business.

First, the word “rogue” is not an accurate description of what’s occurring. The description implies a negative view of the relationship between IT and the business when in reality, it’s an acceleration of technology innovation and capabilities. No longer do you need a central IT department to facilitate and lead every technology decision. The rogue term may truly have been negative many years back when business units would try to make IT decisions with vendors without involving IT. It caused conflicts at the time and the tactics did not advance innovation, but that’s not the case today.

Today, it’s extremely easy for any user to cut a deal with a cloud company for almost any business capability or computing resource.  I’ve seen it many times.   However, this actually can be a good thing as it accelerates innovation and the solving of business problems that are so critical to an organization.  Where this falls down, however, is where the CIO or IT department is completely unaware or left out of the conversation. When this happens, important enterprise issues around security, data privacy, data integration, pricing, backups, SLA’s and many other important topics are typically ignored.

So, how should a CIO deal with “rogue” or “shadow” IT? Embrace it! Use your influencing skills to demonstrate to the other departments that what they’re looking at can be good and powerful tools, and that they should use IT as a consultant to help them achieve their goals. That’s the key. You’re not there to say no, but to probe and bring up issues that will resonate with them. Ask them how the information will be maintained (think efficiency). Will information be needed from other systems, or vice versa (data quality and efficiency)? Security or backups won’t typically be of interest, but focusing the consulting view on what matters to them most will get IT involved in the end. Once involved, the other enterprise issues can be reviewed, and it’s your job to do this without saying “no”.

So, embrace BYOC, BYOD, and the consumerization of IT and focus on solving business problems.  The users will begin to come to you earlier in the process.  You’ll get farther, you’ll be more successful, and in the end, the enterprise wins.

Send me your views and comments: @sappley