Making Security a Feature of your SaaS Tool


The deals are slower, more complex and full of legalize and redlines, but many SaaS providers look upstream as an opportunity to unlock their true potential.

Why SaaS Providers Look to Enterprise

There are a variety of reasons SaaS providers shift from smaller businesses to enterprise in focus. The number of small deals that need to be worked, won and maintained can become unsustainable as organizations look to move from the $1 Million ARR to $10 Million ARR. Overhead and hiring can become a bear just to keep up with supporting these organizations.

On top of that, SMBs have a greater propensity to go out of business entirely, whereas their enterprise counterparts have much more built in stability, both in the ability to afford a service and an ongoing need for a service.

So if you are a SaaS provider that has decided to move upstream and target larger customers, it is critical to understand the different priorities these large companies bring to the table.

Priorities Are Different

When you are working through deals with smaller organizations, sales funnel progress slows as the pricing conversation ramps up. Once the functionality requirements are met, SMBs have to make the numbers work with smaller means. It’s a very reasonable need but it is in stark contrast to why deals slow as you move upstream.

Enterprise-level organizations have a very different list of requirements than their smaller counterparts when it comes to choosing a SaaS vendor. Functionality is great, but often inferred (correctly or incorrectly) when a solution is brought to the table. Price per head is important as well, but the budgets organizations are working under are larger. The ability to consume the variable costs is greater and there are more ways to offset the charges with efficiency gains.

enterprise saas meeting

The difference between smaller and larger buyers is that larger organizations prioritize security and data management on the same level as end use, knowing they have to combat the complexity of their environment and mitigate their own potential risks. This awareness is accelerating as organizations operating internationally also have to factor GDPR compliance into the vendors they choose.

By adding a vendor to the fold, they are saving money by not having to create a solution. But the security of their data extends beyond their sole control. This is why deals can grind to a halt, even at the very end of the sales pipeline. Providing specific policies and procedures and data access and security aren’t always readily available or centralized, especially for smaller SaaS providers, and collecting this information into a format that you would comfortably share with a large IT team takes time.

To avoid the halt and shorten the sales cycles for enterprises, get security out of the way early on. Enterprise IT teams love to take their time with due diligence and have no reason to not say no when it comes to ensuring the stance of their organization.

Be Proactive About the Security Conversation

As a SaaS vendor, ensure your sales teams are bringing up security during an initial demo or trial with Enterprises. This could involve a slide or conversation at the beginning of a meeting to ensure the organization knows you are well-aware and well-prepared for what the expectations are going to be. Include external links to security policies and procedures in the demo, follow up emails, etc. so it can be easily referenced and distributed.

Wrike, a leading collaborative work management software provider, takes a proactive approach to tackling the security questions they are likely to receive from enterprise prospects. Almost positioned as a feature, Security is in a prime position under Product in the company’s main menu, rather than hidden in a footer. It goes beyond a generic paragraph and actually details many of the ins-and-outs of their procedures and policies. Why? Because Wrike has recognized the impact of security on enterprise sales.

“Our goal is to provide clear, easy-to-find information about our security strategy, which spans the following categories: physical, network, system, application, and people.”

Lucas Szymanowski, Director, Information Security & Governance, Wrike

“The commercial SaaS industry would not exist without globally recognized security standards and best practices,” said Wrike Director of Information Security and GRC Lucas Szymanowski. “Wrike has understood this from day one, which is why the company has always included security in its Software Development Life Cycle (SDLC) and product offerings. The company has chosen to feature its five-pronged security approach prominently on the website and within other collateral because we believe in transparency and the endless pursuit of a more secure platform.

“Our goal is to provide clear, easy-to-find information about our security strategy, which spans the following categories: physical, network, system, application, and people. Our comprehensive strategy and relentless focus on raising the security bar in our category have helped Wrike earn its position as a leader in the collaborative work management space and is the reason why Wrike is a trusted partner by many of the most recognizable brands in the world. Offering robust security functionality is not just about sales, though. We look at it as an opportunity to educate our customers and prospects on what is possible in the industry as a whole, and at any size company.”

I like how Wrike lumps security under product rather than under an about Wrike company page because it highlights how security is not an afterthought. It appears to be rooted in the product. If you are looking to move upstream and win enterprise deals from those competitors with greater resources or a longer history, bring security to the forefront of the conversation, especially if you have built it into the foundation of your solution.

Continued Security Prioritization

The company recently announced that it has earned the ISO/IEC 27001:2013 certification for its platform from the British Standards Institute, which is the most highly regarded and only internationally recognized standard for the establishment and certification of an information security management system (ISMS).

On the same day, Wrike announced a series of additional security features that address enterprise needs, including Wrike Lock. Wrike Lock allows customers to own and manage the keys to their encrypted Wrike data, giving them data access control and audit capabilities even though their data is in the cloud. Wrike is the only vendor in the category to offer customer managed encryption keys. Wrike Founder and CEO Andrew Filev published a blog post the same day as the announcement that further explains the company’s perspective on and commitment to security.

Security Matters, So Do It Right

Often SaaS providers, especially smaller ones, can hitch their wagon to simple being a “better” tool. More functions, more integrations, more collaborative, better UX, better reports, better visuals, etc. Building a great tool is important, there is no debating that. But being better is subjective, and goes well beyond the product, especially when it comes to conversations with large enterprises.

Enterprise prospects weigh security, data management and access on the same level as the end user experience. Why? Because the impact is just as significant if something were to go wrong. Even if you disagree with the notion, commit to bringing security to the front of your enterprise conversations and see number of deals and the speed at which they close increase.

Curious on How to Implement this Security Prioritization?

There are 3 immediate steps you can take as a SaaS provider.

  • Build Security in as Code with a DevSecOps Mindset If your app isn’t foundationally secure, your problem aren’t going to arise from a lack of access to your security stance (because you don’t have one). Leverage a DevSecOps approach and include your internal security team into conversations around what you are building. They will have a tremendous amount of insight.
  • Talk Security Early…On your Site and On any Demo You may be thinking that is the least interesting thing to talk about when you have an enterprise prospects attention but remember, they are going to be thinking about how secure your tool is as you attempt to demo a truly revolutionary feature. So rather than compete for attention, get it out of the way early. Wrike does this well also, inviting the conversation to engage with sales off the bat under their Enterprise Grade Security section.
  • Publish your Security Policies and Procedures If you have already assembled your policies, procedures and other documentation, share it on your site. You can go the route of publicly hosting the information (which also helps with internal versioning, updates, controls and sharing) or at least host the main points that are sure to come up in conversation. JupiterOne’s policy builder is a useful resource if you haven’t built out a robust set of policies and procedures. Organizations can quickly create and publish security policies, as well as visualize those specific resources, entities and relationships.

Security cannot be an afterthought if you are looking to move upstream as a SaaS provider. Enterprises have many more considerations being the function of your solution that drive the decision making process. By bringing security to the beginning of conversations, you will find the path to these long enterprise sales cycles shortens.


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

To hear more from the JupiterOne Team, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.