The Software as a Service company typically combines software development with delivery on the internet. Key activities are development, operations, and support, with the addition of marketing.
Business
In the current labor market, developers are most scarce. Therefore, companies tend to work with a combination of internal and outsourced developers. Because of scarcity, developers have a separate entry as a key resource. Graphical designers are another scarce human resource depending on the type of business. Information crown jewels that need protection most are the software code base representing companies most important intellectual property and the customer data in the production servers.
Saas companies typically work closely together with hosting partners and cloud providers. Because of the importance of the code base, the providers of agile tools and code repository tools like GIT are also on the key partner list.
Depending on the proposition, the customer side of the canvas can vary greatly. From an information security & privacy viewpoint, customer choice can significantly impact. Consumers tend to be much more protected than businesses, affecting customer relations and channel use. Examples are privacy and cookie laws.
Personnel costs typically are the main cost driver of a SAAS company. Therefore, a SAAS company mostly looks to generate recurring revenues. In cases where customizations are more critical, we will discuss the connected business risk to that situation in the risk paragraph.
Risk
Canvas Block | Canvas Item | Risk | Risk rating | Risk description |
Key activities | Development | Quality of code | High | Issues with code quality will result in bugs, vulnerabilities, patches, or rework. In addition, individual issues could lead to cyber risk. On the positive side, good quality coding work will lead to less rework, thus, better company revenues and more resources for innovation. As coding is within a SAAS company's daily business and good quality coding can make a difference of more than 10% in yearly revenue, its rating is high. |
Key activities | Delivery | Hack & attack | High | A hack or attack on the SAAS platform would harm the availability, confidentiality, and possible integrity of information. The repair can be costly as the average cost of a compromised record is around €150. In case of a hack company's image will probably be damaged. The baseline should be to offer hackers no opportunity for easy access. Depending on the type of information in the Saas platform, there could be an issue of targeted attacks. The combination of repair costs and image damage causing revenue loss, this risk is rated high. |
Revenue streams | Custom Development | One standard versus customization | High | Customization of software makes easy money in the short term. However, in the long term, it can be a pain in the ass. As the main product develops, the customizations need maintenance, too, sapping away revenue unless the customer is willing to pay maintenance too. The moment the customization portion grows, the maintenance time will take focus away from the innovation of the main product. Furthermore, from a security point of view, customizations are risky as the chance of software bugs, and operational issues grow. |
Key resources | Developers | Scare them away | Medium | A typical risk seen by many software companies is that a bureaucratic approach to information security scares developers away. They generally don’t like documentation, work procedures, etc. On the other hand, developers do understand the necessity of security as no other. The challenge is to find a pragmatic way to implement information security and compliance that keeps a scarce resource like developers aboard and even gets them enthusiastic. |
Key resource | Code repository | loss of IP, compromised code | Medium | Small SAAS companies tend to look mainly to risks in the production environment and the field of operations. They tend to turn a blind eye to the company's biggest asset, the code repository. The first risk is the loss of intellectual property due to a compromised repository. Developers and their laptops are a threat vector for this risk. Laptops can be lost.
In some cases, the developer could be more trustworthy. For example, several EU companies with Ukrainian or Russian developers discussed this risk after the war between these two nations broke out. A second risk is the company's continuity should the code repository become unavailable—a topic for business continuity. Again, several solutions exist, none of them easy to implement. |
Key partner | Hosting, cloud provider | The hosting company is not secure enough. | Medium | Small software companies often use small hosting companies or small cloud providers. In the beginning, both partners are a good fit. However, as the saas company grows, the hosting provider often cannot follow their customer's needs. The hosting partner should demonstrate compliance with the next standard, but they cannot follow it. As security is as strong as the weakest link, this situation is risky for the saas company. This risk is a good reason for a mature supplier management and evaluation process. |