Fund raising stimulated our first encounter with SaaS. Many contributions are made via credit card, and a major requirement for organizations processing credit cards is compliance with the Payment Card Industry Data Security Standard, or PCI. Compliance requires, among other mandates, that merchants maintain a secure network, encrypt stored cardholder information, have vulnerability management processes in place, and regularly monitor their security posture. Failure to comply can be costly: fines, restrictions, and even permanent expulsion from card-acceptance programs.
PCI went into effect just before I joined the Humane Society, so there was an urgent mandate to protect our revenue stream with compliance. We already had strong security measures in place, but we lacked a reliable, automated way to conduct independent network security audits and securely transmit compliance reports to acquiring banks. That's when we discovered SaaS.
Qualys introduced us to the notion of on-demand with its SaaS-based network vulnerability management and compliance service called QualysGuard. Our heritage with IT has been the do-it-yourself approach of running an in-house infrastructure of servers and software applications. Our main constituent database is housed on an IBM AS/400. We also run a VPN that connects eight regional offices and field representatives in more than 30 states. We control everything internally.
Automation eliminated a major concern for PCI compliance. Trouble was, I had reservations about relinquishing control of such a vital application to a third-party service provider. In years past, I probably wouldn't have considered SaaS. On the other hand, our small IT department was finding it harder to do ongoing maintenance of existing applications. A concomitant initiative to implement disaster recovery for key applications made me rethink SaaS as an opportunity. As it turns out, we were able to use QualysGuard right away without incident.
This positive SaaS experience erased our reticence in considering the on-demand model for new applications. Suggestions for these typically arise during monthly meetings of our technology steering committee. I established this cross-functional team to bring together business users, who are far more informed about their apps and requirements than technical experts. Our IT staff uses this forum to demonstrate potential solutions to business problems defined by our user community and to gauge which solutions will be a good fit.
SaaS opened our eyes to a new way of doing things. With QualysGuard, we didn't need to install any software or infrastructure. QualysGuard runs on Qualys' own secure global infrastructure, so we run security audits on-demand over the Internet with a standard Web browser. The application automatically finds all vulnerabilities on our local and remote network, provides directions to our IT staff for remediation, and submits PCI audit reports to our acquiring banks.
Magda says SaaS has the Humane Society purring