The US has announced moves to make the tech sector, particularly SaaS (Software as a Service) providers, accountable for cyber issues. A number of countries, including the “Five Eyes” partners such as Australia, have indicated that they will follow suit.
The White House said, “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”
It makes sense that vendors should be accountable for the products they sell, but it also means that the same providers will take on increased risk, and hence cost, which they will look to recover. Software is inherently complex, and all software is subject to bugs, some of which create cyber risks. Mission-critical software for industries such as aviation can only tackle this by investing orders of magnitude more in testing than everyday solutions. Doing the same for all business software would either make it unaffordable or dramatically slow the rate of innovation.
Without mitigating or removing all bugs, the only other way to manage the risk is through how the solution is operated and monitored in production. It may be that additional testing and operating layers could run in real time, potentially with increasing support from Generative AI. All of this, however, requires solution providers to be involved in how their software is used by clients.
Despite more than 50 years of software sales, the only real business model change in the industry is the move from buying a software license to paying a service subscription. That is, software providers sell software, now typically software as a service, for a fee. What the users do with the software is largely up to them. This worked when the accountability of the solution provider was to respond to bugs, rectifying but not mitigating or compensating for issues as they arise.
Flipping the model, as has been proposed, may accelerate an already emerging trend in which providers do not charge a simple fee but are instead fully engaged in the running of their clients’ businesses.
Companies like eBay and Amazon pioneered business partnership models built not just on subscription but on the shared success of their marketplace partners. While those early models attracted smaller participants to work with their larger platforms, the scale of these partnerships is becoming more equal, with delivery partners such as Uber and DoorDash joining with major retailers in exchange for shared profits.
These companies don’t just partner because it is profitable. They also do it because it spreads risk. Online retailers can mitigate the risk and cost of a wider product range and retailers can avoid taking on the increasing technology and labour complexity of delivery.
As cyber and other online risks grow, it is possible that we will see the same business trend of reducing risk by partnering with the users of more software solutions. Rather than set and forget, it could mean that supply chain, customer payment and other platform software will actually require joint operation to work well and protect customers. In exchange, the customer wallet will be shared between increasingly equal business partners.
An alternative is to evolve the managed services, or “operate” model as recently envisioned by Harvard University Press (Next-Generation Managed Services: Journey from Cost to Value). This approach sees the business partner take responsibility for strategic parts of the organisation, providing a more specialised interface to the software providers while also opening up the opportunity for shared value.
From these models, it is only a small step to seeing SaaS providers as full profit partners with the businesses that they serve, earning revenue based on the go-to-market success of those that use their services. They are then no longer service providers but rather true business partners. This has long been the promise of cloud computing, but it has been hard to realise.
Such a change is not automatically a nirvana. There is the potential that innovation is stifled by a small number of players operating a significant portion of business value chains. On the other hand, done well it could allow businesses to focus on their areas of true innovation. Either way, we are going into (another) period of change.