Been there, done that and have the T-shirt and scars to prove it
Matt Hines over at InfoWorld has an article up on the inevitability of software as a service becoming more prevalent. I don't want to rain on anyones parade and I do believe we will see more SaaS, but there are a few things in this article that bear correction and comment. So here are my three biggest lies about SaaS.
1.SaaS is the way to sell "security by subscription. That is the title of Mat's article, "Security by subscription". The fact is the companies Matt mentions, Symantec, McAfee and Trend have been selling security by subscription for years. They don't need SaaS to do so. In my definition subscription is when you buy their AV or similar product and if you don't re-up at the end of the license period you stop getting updates.Without the updates the software is useless. Over the years the entire AV industry moved to this model including Microsoft when they entered the market. In fact they automatically renew your subscription and it can be a pain to get them to stop. So though SaaS is one way of selling security by subscription it is not the only way or even the dominant way. It is not novel or a particularly big driver for the SaaS model.
2. SaaS is cheaper with a better ROI. I say bull crap to this. Another company I helped create was called Interliant and we were one of the top 3 ASPs back in the day. We did a ton of analysis on this and I can tell you that while SaaS can deliver a high level of coverage, it is not cheaper. In fact SaaS actually winds up being more expensive over an extended period of time.Generally it may be slightly less over time for the service itself, but when you factor in the total costs it most often is not. So lets not start saying that SaaS is a way to deal with shrinking budgets and downturns in the economy.
3. SaaS is not channel friendly. The problem is that a channel partner can easily sell the SaaS, but at that point is cut out of the picture. They have nothing to with the delivery or other ways for value add. Once they don't own the customer and have been cut out of the delivery of the product there opportunity to monetize the customer is diminished and this is bad business for the VAR. SaaS is a great way to cut out the middleman and the middlemen are smart enough to see this very quickly and reject it.
All of the above not withstanding I do think SaaS and security in the cloud will become more of a factor. The trick is that there is more to SaaS than a Symantec live update service. That is not SaaS. As Matt correctly notes, there are certain types of security technologies that lend themselves well to SaaS and there are some that do not. Figuring out which is which is the key. Also outsourcing versus in house is a consistent pendulum that swings first one way and then the other. People will start complaining about not having enough "control" over the process and not enough customization options to do it they way they want. They start complaining about the cost, when they find out it is more money. Just as the trend appears to be swinging towards SaaS now, it will inevitably swing back the other way.