The Impact of Compliance on the SaaS Sales Cycle

By Jon Topper, Founder and CEO, The Scale Factory (an AWS SaaS Competency Partner)

Selling to enterprise businesses can involve months-long sales cycles and detailed procurement questionnaires that take up a CTO’s time and attention. AWS can help make the process more efficient.

The journey to Series A and beyond

In the early days of a B2B Software as a Service (SaaS) startup, everything is about reaching product-market fit, to achieve annual recurring revenues (ARR) of $1 million as efficiently as possible. Because this means iterating quickly on product features, nonfunctional requirements, such as security and operations, often take a back seat.

As a startup journeys to an ARR of $1 million, venture funds may consider making a Series A investment. Along with money, such an investment comes with targets: at this stage, the company needs to aim for ARR of $5 million or $10 million.

With these bigger ARR targets, involving the founders in every sale makes little sense. Also, by now, the product and commercial model are usually pretty well understood, and so dedicated sales hires can take them to market.

Enterprise buyers are valuable but different

Enterprises spend more money than small and medium-sized businesses (SMB) do on their SaaS platforms, especially where those are priced according to usage. Research by Redpoint shows that annual customer churn is just 6%–10% for enterprise buyers, compared with 31%–58% for the SMB segment. Enterprises therefore spend more and are more likely to remain customers longer. Good SaaS salespeople will prioritize such sales.

But selling to enterprises is very different from selling to SMB or mid-market customers. In a small business, the purchasing process often involves one decision maker, with access to their own budget. An enterprise, however, has annual and quarterly budget cycles, all managed by a procurement team, with representatives from the finance, legal, compliance, and technology departments.

While the buyer-stakeholder you’ve been working with has a business context for the purchase of your product, this might not be true of a procurement team. Rather than having a nuanced conversation, for example, their primary mechanism for engaging with you will be a supplier questionnaire. Sometimes called an RFP or RFI document, this is often extensive, with hundreds of questions about topics ranging from how your out-of-hours support works to what kind of locks are on your office doors.

Even if your service won’t hold sensitive personal or commercial data, you’ll need to be convincing in your answers to these questions in order to make the sale, because it’s easier for a procurement team to apply the same standards to absolutely everything they buy than to have a deep contextual understanding of each purchase.

The first time you’re presented with a procurement questionnaire, it usually lands on the CTO’s desk, taking up days or weeks of time they could be spending on more strategic activities.

Getting compliant helps drive sales success

Procurement questionnaires exist for one reason: to reduce risk to the enterprise. One way to help reassure enterprise buyers that you care about managing risk is to adopt an industry standard, such as ISO 27001 or SOC 2.

ISO/IEC 27001 is an internationally recognized standard that establishes requirements for an information security management system. Meeting the requirements of this standard can help organizations keep financial, intellectual property, and employee information secure.

SOC 2 is the System and Organization Controls (SOC) for service organizations, which includes a set of audit reports providing evidence that an organization conforms to the standards they set for themselves around a set of defined criteria.

These two standards aren’t mutually exclusive: you can use SOC 2 to report on compliance with standards set using ISO 27001.

Adopting either standard requires an organization to look critically at how they manage information security, to improve this management, and to document their processes.

Teams who have invested in this level of compliance tend to find that procurement questionnaires become easier to fill out, because the team has already thought about the issues of concern to their buyers. In some cases, having ISO 27001 or SOC 2 documents to share with a customer can reduce the amount of the questionnaire to be completed, or even remove the requirement entirely. In some cases, a buyer will require one of these compliance levels before they’ll even speak with you.

FundApps is a Fintech company that engaged The Scale Factory to help design a new AWS tenancy model for their B2B SaaS platform. They completed an SOC 2 audit in 2020. CTO Toby O’Rourke mentioned that once they had done so, complex questionnaires and follow-up negotiations that regularly took weeks were frequently completed in half a day, shortening the sales cycle by as much as a month. Further, he’s been able to delegate the procurement paperwork to the head of information security, freeing up his own time for more strategic activities. I’ve heard similar stories from the leadership of other SaaS companies with which we’ve worked.

So, our advice is to invest in becoming compliant, in order to drive greater sales success. And you can do it on AWS.

AWS can help with compliance

The AWS cloud provides the pieces to build a secure, compliant platform that keeps your customers’ data safe. In the shared responsibility model, AWS takes responsibility for the security of the cloud, while you take responsibility for security in the cloud. You can achieve that by designing your architecture according to the best practices documented by AWS Well-Architected.

A Well-Architected review from an experienced AWS Consulting Partner can help identify ways to improve the security of an existing platform. There’s even a dedicated SaaS Lens, which considers issues unique to multi-tenant environments. When The Scale Factory engaged with FundApps, we used a Well-Architected review as a starting point.

AWS Control Tower

Companies with multiple AWS accounts, or even those just starting out with AWS, can use AWS Control Tower to set up and govern their AWS environment. AWS Control Tower establishes a centralized landing zone, providing identity protection, security threat detection and alerts, log aggregation, backup, and other functions. This centralized management and governance can help lay a secure foundation for your cloud resources.

You can set up the landing zone with best-practice blueprints for security and governance. When you vend a new AWS account from Control Tower, these blueprints are used to apply configurations. The standards in the blueprints can be created by your security team or with the help of a Consulting Partner, such as The Scale Factory.

Good security relies on strong identity and access management. AWS Control Tower can automatically configure AWS Single Sign-On in your new accounts, setting appropriate access controls for your teams, linked to your corporate directory, if appropriate.

To prevent, or be alerted to, particular types of misconfigurations, Service Control Policies, organizations policies that limit the permissions users can be granted, can be applied to your accounts. These guardrails stop those configurations from being made at all, even by root users. Alternatively, AWS Config, a service for managing configurations of your AWS resources, can monitor for configuration changes and either send alerts about noncompliant events, or run automation to take corrective action. All of these settings can be rolled out automatically to all new accounts in your landing zone.

Some compliance regimes require that you record and store system log entries for long periods of time. In this case, landing zone blueprints can set up AWS CloudTrail logs to be delivered to a separate security account, which only your security team can access to read, but which no one can modify. Other centralized security detective controls can also be set up, to monitor all of your accounts from a single interface.

Blueprints are not limited to security and compliance. They can be used to set up anything you like in your new AWS accounts by default. For example, perhaps you want to use HashiCorp Terraform Cloud to provision your applications. Control Tower can be configured to set up that integration for each new account. This could be a time-saver, if your SaaS tenancy model involves creating a fresh AWS account for each customer.

Learnerbly is a fast-growing workplace learning platform that engaged The Scale Factory to help them move closer to compliance with ISO 27001 and PCI DSS. We built out a secure landing zone for them, based on our B2B SaaS Foundations product from the AWS marketplace. Already a few steps closer to their compliance goals, Learnerbly can now also onboard new developers in seconds, a necessity for future growth.

Conclusion

To increase the chance of success when selling SaaS to enterprise customers, consider working toward compliance with ISO 27001 and/or SOC 2. Deploying AWS Control Tower provides a lot of the groundwork required for controls under these regimes. While it won’t get you all the way to compliance on its own, it does streamline and facilitate the process. Also, working with AWS SaaS Factory and/or an AWS SaaS Competency partner can help you reach more reliable outcomes, sooner.

Jon Topper is founder and CEO at The Scale Factory, where he’s been helping teams deliver business value from their infrastructure platforms since 2009. The Scale Factory is the only AWS Consulting Partner in the world focused exclusively on helping SaaS companies achieve hypergrowth. As well as his day job, Jon co-organizes, and hosts the AWS User Group UK. For this and his other community contributions, he’s been recognized as an AWS Partner Ambassador.

About AWS SaaS Factory

AWS SaaS Factory provides business and technical advisory to organizations at any stage of the software-as-a-service (SaaS) journey. Whether looking to build new products, migrate existing applications, or optimize SaaS solutions on AWS, the AWS SaaS Factory Program can help. Please reach out to your AWS account representative to inquire about engaging AWS SaaS Factory.

AWS Startups Blog