May 8, 2019

How often does security come up as a concern? How do you win trust?

Graham Lea @GrahamLea

How often does security come up as a concern during a B2B SaaS sale? And what steps do you take to convince opportunities to trust your app?

I'm targeting small-mid tech companies, so I'm assuming the buyers are pretty savvy in this area, but I'm keen to hear from anyone's experience.

#ask-ih

  1. 3

    I think it depends on the industry, size and maturity of the companies you are targeting as leads. I work in a very regulated financial services company/startup and our security assessment of SaaS products is very robust, and probably worst case in terms of what any other customer would ask. The Vendor Security Alliance has an open source version of the questionnaire that is close to what we use internally: https://docs.google.com/spreadsheets/d/1DOlOiLXZvjntpufReCj1Aywc_tfRDWrY_5zoryrTEFs/edit#gid=0 I think this gives you the broadest picture of what companies could be looking for, including what an outside security audit would include. You could choose a few of the items from the spreadsheet and map them to the personas of your buyers. I am not suggesting you try to "pass" the questionnaire, but I did want to give you the full spectrum of security I would look at from the perspective of a persona very very concerned about it.

    1. 1

      That's an awesome resource. Thanks for sharing it.

    2. 1

      Useful link - thanks for the share!

  2. 2

    It really depends on what you're selling and (more importantly) who's buying. Develop buyer personas[1] for the types of people who buy/will buy your software. Determine how much that person cares about security. (In some cases, the persona will only care to the extent that you pass a checklist they get from somewhere else. In this case, learn what's typically on the checklist.)

    In my experience, most customers basically just want to know that you have a story around security and that you care at all. (Obviously, the story should be true.) After serving thousands of paid customers in a business where we have access to pretty sensitive data, I can confidently say that most customers do not know or care beyond your security story.

    The cool part about having a story is you get to define what's important at this stage of your development. If you launch with only HTTPS and encrypted passwords in the database, you can make a story around that. You can set plans for what will come in future revisions (security should be a feature on your roadmap). And you don't have to feel like you should delay launch because you're not hitting all of the OWASP guidelines, unless your buyer persona requires that as a condition of purchase.

    (An exception is if you handle credit cards, you should delegate that to Stripe or similar because that's an easy win. There should probably also be an exception for medical records.)

    Remember that if you do the very minimum, you're probably doing more than most of your potential customers. We've had customers (plural) email their credit card details in plaintext to renew.

    [1] - https://blog.hubspot.com/marketing/buyer-persona-definition-under-100-sr

    1. 1

      Thanks for that. I like the idea of focusing on having a Security Story.
      How are you communicating your security story to your prospects? What formats/mediums do you use, and do you do it proactively, or wait until it comes up?

      1. 2

        Unfortunately, there isn't going to be a standard answer here that applies to every product/market.

        For our market (incidentally composed of software developers), we essentially cover the top points in a /security page on our site. That suffices for probably 97% of our customers. Another 1% ask for essentially the same information via email.

        1% of our prospects ask for stuff we don't currently do, but which is reasonable (or which I personally wish we did). We usually do a lot of discussion around each of these. Sometimes, we will offer the prospect an option to get their requests for a nominal additional fee. Only occasionally does the prospect land (funnels etc.), but every discussion makes our product better.

        The last 1% want us to do stuff that's beyond our current security story & plans. This is the dangerous 1% because they tend to be bigger companies. Unfortunately, our market does not place a sufficient monetary value on the types of asks they usually have. (They want more stuff but they don't want to pay much/any more to get it.) So we basically let this group find another vendor.

        We have only been asked for a security audit by companies in the last grouping. In an ideal world, we would capture their business, but for us it hasn't proved worthwhile yet.

        1. 1

          Thanks for that. Really useful to hear about that breakdown.

          It reminds me of an anecdote I heard about an IH who had a big bank wanting to do a security audit to come on board with his product. He said, "That's fine, we can do that. But that audit's going to cost me $20k worth of my time, so you'll need to pay me $20k up front for the audit, whether you end up buying or not." Unfortunately, I don't know how the story ends, but I like to think he got the cash and the sale. ☺️

  3. 2

    I don't know exactly what kind of product you are selling, but if it's big enough you may want to pay for an audit. It's a bit pricey, but having a reputable firm go through your code is a good step towards building trust.

    If you ever find a vulnerability, report it and explain what you did to remediate it.

  4. 2

    Yes, absolutely. Security is always a real concern.

    Address it by using standards. All access over TLS 1.2 or later, data encrypted at rest, audit logging and clear role-based permissions to data. Use SAML2 for user authentication, don't do your own authentication, hand that off to experts like Microsoft or Google. For system-to-system authentication use OAuth SAML Bearer, for file-based transfer of data (yes, many systems still do that) use PGP encryption and SFTP.

    The more standards that you follow, the less people worry. It's when you invent a clever way that no one else is doing that they rightly get worried, can't understand what you're doing and the sale goes out of the window.

    1. 1

      Thanks. Great suggestions.

      What methods do you use to communicate about your security to prospects, and what's your trigger for doing that?
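The "use standards" comment above (TLS 1.2 or later, encryption at rest, audit logging, role-based permissions, SAML2 login, OAuth bearer assertions for system-to-system calls, PGP over SFTP for files) reads naturally as a checklist a vendor can run against its own deployment before a prospect sends a questionnaire like the VSA one linked in the first reply. The script below is an added example written for this page, not code from any commenter or from the Vendor Security Alliance. The configuration keys, the role layout and the two sample deployment descriptions are constructed for the example; the only real library call is the standard `ssl` module, used to build a client context that refuses TLS 1.0 and 1.1.

```python
"""Pre-check a SaaS deployment description against the controls named in the
thread, and build a TLS client context that enforces the TLS 1.2 floor.
Every config key and sample value here is constructed for this example."""
import ssl

# TLS versions that satisfy "TLS 1.2 or later".
ACCEPTED_TLS = {"1.2", "1.3"}
# Federated login protocols accepted for user auth; SAML2 is what the comment names,
# OIDC is added as an equally standard alternative (assumption, not from the thread).
ACCEPTED_USER_AUTH = {"saml2", "oidc"}


def hardened_client_context() -> ssl.SSLContext:
    """Client-side SSLContext that refuses TLS 1.0 and 1.1 (standard library only)."""
    ctx = ssl.create_default_context()  # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def evaluate(config: dict) -> dict:
    """Map each control to (passed, note). Missing keys fail closed."""
    tls = str(config.get("tls_min_version", ""))
    user_auth = str(config.get("user_auth", "")).lower()
    sys_auth = str(config.get("system_auth", "")).lower()
    transfer = config.get("file_transfer") or {}
    roles = config.get("roles") or {}
    # "Clear role-based permissions": at least two roles, each with an explicit permission list.
    rbac_ok = len(roles) >= 2 and all(isinstance(p, (list, tuple, set)) for p in roles.values())
    return {
        "tls_min_version": (tls in ACCEPTED_TLS, f"TLS floor is {tls or 'unset'}"),
        "encryption_at_rest": (config.get("encryption_at_rest") is True,
                               "data at rest must be encrypted"),
        "audit_logging": (config.get("audit_logging") is True,
                          "access to customer data must be audit logged"),
        "rbac": (rbac_ok, "need two or more roles with explicit permission lists"),
        "user_auth": (user_auth in ACCEPTED_USER_AUTH,
                      f"user auth is {user_auth or 'unset'}; home-grown login fails"),
        "system_auth": (sys_auth == "oauth2-saml-bearer",
                        f"system-to-system auth is {sys_auth or 'unset'}"),
        "file_transfer": (transfer.get("protocol") == "sftp"
                          and transfer.get("payload_encryption") == "pgp",
                          "files must be PGP-encrypted and moved over SFTP"),
    }


def failing_controls(config: dict) -> list:
    """Names of the controls a deployment does not meet, in checklist order."""
    return [name for name, (ok, _) in evaluate(config).items() if not ok]


# Constructed sample: a launch-day deployment that only has HTTPS and an admin role.
WEAK_CONFIG = {
    "tls_min_version": "1.0",
    "encryption_at_rest": False,
    "audit_logging": True,
    "roles": {"admin": ["*"]},
    "user_auth": "password",
    "system_auth": "oauth2-saml-bearer",
    "file_transfer": {"protocol": "ftp"},
}

# Constructed sample: the same product after adopting the standards the comment lists.
STRONG_CONFIG = {
    "tls_min_version": "1.3",
    "encryption_at_rest": True,
    "audit_logging": True,
    "roles": {"admin": ["*"], "analyst": ["read:reports"], "support": ["read:tickets"]},
    "user_auth": "SAML2",
    "system_auth": "oauth2-saml-bearer",
    "file_transfer": {"protocol": "sftp", "payload_encryption": "pgp"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(f"{label}:")
        for name, (ok, note) in evaluate(cfg).items():
            print(f"  [{'PASS' if ok else 'FAIL'}] {name}: {note}")
    print("client TLS floor:", hardened_client_context().minimum_version.name)
```

The failing list for the weak deployment is the set of items that would need either a fix or an honest "on the roadmap" line on a /security page, which is how the thread suggests communicating the security story; the strong deployment passes every control. Adding a control means adding one entry to `evaluate`, so the checker can grow with the questionnaire items you choose to map to your buyer personas.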