Picture this: A meeting is called to review a deal the Sales team has been chasing for over a year. You are a Software-as-a-Service or SaaS provider, the deal is over $500K annual recurring revenue and have a 5-year contract. Needless to say, you really want to win. It’s down to your company and your number one competitor. In that meeting, the first question from CEO is, “How do we win this?” The SVP of Sales responses, “We’re well positioned, our coach says it’s ours to lose the only thing left is the Information Security review”. All eyes turn to the CTO. The CEO drops the second question everyone was already thinking, “Are we concerned about this InfoSec review?” The CTO’s response, “I need to review the InfoSec docs and get back to you.”

Not exactly the confidence needed to win the deal or to end to this type of meeting.

There are two notable areas of concern in this short conversation:

  • The CEO not knowing if InfoSec should be a concern
  • The CTO not knowing enough about the company’s Information Security program to respond with confidence

The scenario continues: The CTO calls and the forwards the documents to the person who wears the Information Security hat, among other roles. The CTO asks a question they should know the answer to, “Where are we with completion of our SOC 2 Type 2 audit, which is a requirement in InfoSec review process for this deal?” – SVP of Infrastructure response with a roll of the eys behind the phone, “We’re ready, but didn’t start the audit process yet. You didn’t approve the expenditure for the audit.” Yep, somebody is about to have an unpleasant conversation with the CEO.

Fast forward past the four letter words, heated emails and finger pointing. This can go down two ways:

  • Option A – You pass on this deal because there are some gaps in your Information Security program. Not an option as far as the CEO and SVP of Sales are concerned.
  • Options B – You really only have one option, remember this is a deal you want to win; ask for an extension on submitting the audit report and start the fire drill. Select an audit firm, bring in a consultant and get ready for some weekends and nights of work.

Neither sound too appealing.

So how does a SaaS provider end up in this situation? You have a talented team, the company is growing and you clearly understand the importance of Information Security because you host information for your clients. The answer is easy:

Make Money, Save Money, Keep Me Out of Jail – Like it or not that is how most executives prioritize decision-making and it is hard to argue with that logic. Keep Me Out of Jail refers to fines, penalties and audits and Information Security programs generally fall into this bucket. The CEO and CTO know InfoSec is important, but they are focused on growing the company, Make Money and reducing expenses, Save Money. They did not devote the time and resources to a continually improving Information Security program.

Do More With Less Forever – This is the mantra for almost every SaaS provider. Most SMB SaaS providers do not have a resource dedicated to InfoSec so often someone involved in IT Infrastructure will inevitably have Information Security on their list of responsibilities. Does that person have the right skillset and knowledge, are they proactively staying on top of the evolving compliance landscape and do they even have the bandwidth? If the answer to any of these three questions is “No” that is generally because your IT resources are stretched too thin and no ongoing training and education around Information Security is being provided.

What is the solution? – Regardless of the market you serve, if you are a SaaS provider competition is fierce. If that were not enough of a challenge, buyers are becoming more knowledgeable and demanding with it comes to Information Security. The days of getting by with an “OK” InfoSec program are gone. Hackers are becoming too smart and staying compliant is becoming too complicated. Execs cannot afford “Not Knowing” because a strong Information Security posture is no longer only about Keep Me Out of Jail it is tied to Make Money.

There is a global shortage of cyber security professionals and that shortage is increasing, so even if you can afford to add a dedicated resource you might not be able to find one. For SMB SaaS providers developing a relationship with an InfoSec consultant might be part of your solution but smart organizations are turning to vCISO (Virtual Chief Information Security Officer) programs. This emerging Information Security business segment gives SMB’s affordable access to the technology and expertise that only enterprises can afford to have in-house. Whatever approach you take to continually improving and evolving your Information Security program, if you are a SaaS provider you must start now. Waiting puts your clients and more importantly your business at risk.

#youdontknowchris