This lessons learned series is part of our live SaaS resource list we're building while launching a new product.
This is specifically about the security requirements that companies need to meet in order to sell their product to other enterprises that legally or professionally require those standards.
What one lesson about security and sales was the most important and why?
If you're going to do enterprise sales, use software to build, manage and maintain all the key security information including your policies, background checks, system checks etc.
There are a number of companies that provide this software, such as Drata, Vanta and VGS; while they vary a lot, they'll all have the checking and reporting functionality you need.
They provide the software as part of the SOC2 or ISO auditing process and we noticed that the security requirements of many enterprises pretty much fit the requirements within something like SOC2.
The cost? Approximately $2,000 per month.
In the early days this would be way too much, and you could simply read up, create the docs yourselves and stick to those practices, but at some point the $2,000 per month is worth it.
The SOC2 software costs around $1,000 per month, and it's then another $12k per year for an auditor, depending on the size of your company.
What dumb assumptions did we make about security at the very start of our SaaS journey?
At the start of our journey we didn't realise that the security forms large enterprises sent over to us all match up to common industry standards within ISO27001 and SOC2.
For example, a company will ask us to fill out a security form that includes questions on our clear desk policy or whether we run internal security audits. Only after completing ISO and now SOC2 have we realised that the questions within those security docs match up to security standards within ISO and SOC2.
At the start we casually filled them out, and that may have cost us many deals. After ISO, and with our new SOC2 reporting software, it's a lot easier to complete.
What's the one thing we did that made a big difference?
Keep a bug bounty going. It's an absolute pain to deal with sometimes, because so many people report the same nonsense bugs, but in between you get some gems. Some bug bounty hunters take a good look at your system and find faults you didn't imagine.
What did we waste the most time on which we regret?
I'm not 100% certain if we need both ISO and SOC2. We could simply have done SOC2 and it would cover most of the ISO requirements. However, the SOC2 software we use only came out this year (2021) and many others have only just launched. We could just do one of them and save ourselves time by covering any missing areas ourselves.
What would we advise someone to do if they were starting from scratch?
If you're going to do the enterprise sales thing and you have the money then just pay for the software like Drata or Vanta and do the SOC2 audit.
Alternatively, you can cover most of the process yourselves without an audit. You can get hold of a standard set of SOC2 policy documents (there are around 20 of them) and edit those to make them your own.
Follow the key practices they ask for like background checks, clean desk policies, backups, maintaining a risk register, running audits, running penetration tests etc.
It's a lot of work, but it helps you pass those security tests without being certified. It helps to have the certificate, but you can tick off most of the boxes without it.
If we had a magic wand how would we use it to improve our security / sales process?
We'd magically match up the SOC2 report fields to the security doc fields. Even though our software generates a report, the big companies don't necessarily accept that report. They have their own spreadsheets they want us to fill out, so we wish we could magically transfer the SOC2 report onto the spreadsheet. This would save hours per security spreadsheet.
How will we use our experience for our new product?
We'll continue to run a bug bounty, not because enterprises request it but simply as a security measure.
As we expand we'll use our Drata software to onboard and background-check new employees, train them in cybersecurity, make sure they use the password manager and anti-virus software, and more.
Overall we have a good foundation to build on.
Should SaaS companies be ISO27001 certified?
Yes. Getting certified is quite a process initially, and each year there's an audit, but does it help companies see you as more secure? Will it get you more customers? If you're working with health or financial organisations then it'll help you pass their security requirements faster, so yes it does, but… you can also prove you're secure in other ways by running your own checks and documenting them.
When you get started with a system like Drata the great thing is that it generates a set of policies for you, which you then customise for your company. It stores these policies, links into your systems, shows you what else you need to do to secure your systems and more.
We'll update this resource section in the future with a link to an example security spreadsheet and how Drata helps complete that.