Last updated on July 6th, 2023

Lessons learned: Security and Sales

Pardeep Kullar
Pardeep Kullar
Lessons learned: Security and Sales

This lessons learned series is part of our live SaaS resource list we're
building while launching a new product.

This is specifically about the security requirements that companies need to
meet in order to sell their product to other enterprises that legally or
professionally require those standards.

What one lesson about security and sales was the most important and why?

If you're going to do enterprise sales, use software to build, manage and
maintain all the key security information including your policies, background
checks, system checks etc.

There are a number of companies that provide this software like Drata, Vanta,
VGS and, while they vary a lot, they'll have all the checking and reporting
functionality you need.

They provide the software as part of the SOC2 or ISO auditing process and we
noticed that the security requirements of many enterprises pretty much fit the
requirements within something like SOC2.

The cost? Approximately 2,000 per month.

In the early days this would be way too much and you could simply read up and
create the docs yourselves and stick to those practices but at some point the
$2,000 per month is worth it.

The SOC2 software costs around $1,000 per month and it's then another $12k per
year for an auditor depending on the size of your company.

What dumb assumptions did we make about security at the very start of our

SaaS journey?

At the start of our journey we didn't realise that those security forms large
enterprises sent over to us all match up to common industry standards within
ISO27001 and SOC2

For example, a company will ask us to fill out a security form that includes
questions on our clear desk policy or whether we run internal security audits.
Only after completing ISO and now SOC2 have we realised that the questions
within those security docs matches up to security standards within ISO and
SOC2.

At the start we casually filled it out and that may have cost us many deals.
After ISO and with our new SOC2 reporting software it's a lot easier to
complete.

What's the one thing we did that made a big difference?

Keep a bug bounty going. It's an absolute pain to deal with sometimes because
so many people report the same nonsense bugs but in-between you get some gems.
Some bug bounty hunters take a good look at your system and find faults you
didn't imagine.

What did we waste the most time on which we regret?

I'm not 100% certain if we need both ISO and SOC2. We could simply have done
SOC2 and it would cover most of the ISO requirements. However, the SOC2
software we use only came out this year (2021) and many others have only just
launched. We could just do one of them and save ourselves time by covering any
missing areas ourselves.

What would we advise someone to do if they were starting from scratch?

If you're going to do the enterprise sales thing and you have the money then
just pay for the software like Drata or Vanta and do the SOC2 audit.

Alternatively, you can cover most of the process yourselves without an audit.
You can get hold of a standard set of SOC2 policy documents (there's around 20
of them) and edit those to make them your own.

Follow the key practices they ask for like background checks, clean desk
policies, backups, maintaining a risk register, running audits, running
penetration tests etc.

It's a lot of work but that helps you pass those security tests without being
certified. It helps to have that certificate but you can tick off most of the
boxes without it.

If we had a magic wand how would we use it to improve our security / sales

process?

We'd magically match up the SOC2 report fields to the security doc fields.
Even though our software generates a report the big companies don't
necessarily accept that report. They have their own spreadsheets they want us
to fill out, so we wish we could magically transfer the SOC2 report onto the
spreadsheet. This would save hours per security spreadsheet.

How will we use our experience for our new product?

We'll continue to run a bug bounty and not because of enterprises requesting
it but simply as a security measure.

As we expand we'll use our Drata software to onboard, background check new
employees, train them in cybersecurity, make sure they use the password
manager, ant-virus software and more.

Overall we have a good foundation to build on.

Top resources


Should SaaS companies be ISO27001 certified?

Yes, initially getting certified is quite a process and each year there’s an
audit but does it help companies see you as more secure? Will it get you more
customers? If you’re working with health or financial organisations then it’ll
help you pass their security requirements faster, so yes it does but… you can
prove you’re secure in other ways by running your own checks and documenting
them.

Should SaaS companies get ISO
certified

Drata reporting

When you get started with a system like Drata the great thing is that it
generates a set of policies for you, which you then customise for your
company. It stores these policies, links into your systems, shows you what
else you need to do to secure your systems and more.

We'll update this resource section in the future with a link to an example
security spreadsheet and how Drata helps complete that.

See the Drata website here

Pardeep Kullar
Pardeep Kullar

Pardeep overlooks growth at Upscope and loves writing about SaaS companies, customer success and customer experience.