Why small B2B SaaS companies should focus on presales information security

Matt Huber
4 min read · Mar 31, 2024

There are many reasons to focus on information security in a B2B SaaS company. In this article, let's focus on prospects and how to build trust with your potential customers.

When I started my first company, I was a software developer dabbling in information security. I had a big interest in infosec from podcasts, movies, etc. I loved contributing directly to our product and seeing the code I wrote used by paying customers. It was awesome. Things quickly changed as the company grew and the need for cybersecurity, both in our product and in our company culture, became more apparent.

My company was a B2B SaaS company that stored a lot of sensitive information from a company's enterprise social collaboration platforms (Teams, Yammer, Slack, etc.). Our prospects were often Fortune 100 companies with rigorous procurement processes. Many of those processes included third-party risk assessment: evaluating whether the product or service being bought carries risk that, if not mitigated or handled, could impact the purchasing company. Our product, because of the nature of what can be stored in enterprise social collaboration tools, was almost always deemed 'high risk'. That term, 'high risk', is relative, but it usually involves understanding scenarios or outcomes that could have financial, legal, reputational and other impacts if they are not mitigated or only partially mitigated.

So that brings me to a core reason why you should invest in cybersecurity for your company: your prospects will evaluate the risk of doing business with you. If you are in any form of regulated industry or handle sensitive data, you need to develop policies, procedures and security awareness training for your employees. Why? Because your prospects will ask you questions about key cybersecurity concepts and how you approach them. Below are examples of those questions:

  • Has your company had a breach before? If so, please detail.
  • What information will you be processing and/or storing?
  • Is the data encrypted? If so, how?
  • Do you have anti-malware on your servers?
  • How are your servers monitored for malicious activity?
  • How do you onboard/offboard employees?
  • How many users are administrators of their laptops?
  • Please attach an architecture diagram
  • Please attach a data flow diagram

These questions vary widely. More often than not, I receive custom Excel spreadsheets with questions the prospect is asking us to answer. Occasionally a customer sends me a login to answer the questions through a third-party assurance website, a SaaS product rather than a spreadsheet. Sometimes it's 10 questions in an email. Most often it's 100 questions in a spreadsheet. I have seen questionnaires with 1,600 questions. Those were long days!

I have found that the best way to prepare for these questionnaires is to build a compendium of common questions and their responses. Get the 80–90% of common questions answered in a format that is approved and has consensus from every team that has a part in making that answer true. There are also industry-standard questionnaires worth investing time in, because some prospects will accept those and save you time. Look at the CSA CAIQ (the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire).
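To make the compendium idea concrete, here is an added example (not the author's tooling, and not part of the original post) of the kind of small script that turns an approved answer bank into something a presales engineer can triage an incoming questionnaire against. The bank entries, owners, review dates and the incoming questions are all constructed for illustration; the incoming ones are paraphrased from the question types listed above. It tokenizes each question, applies a crude stemmer, scores candidates by Jaccard overlap and reports each item as answered (reuse the approved text), stale (matched, but the owner has not re-confirmed it within a year, so check before sending) or a gap (no approved answer yet).

```python
"""Triage an incoming security questionnaire against an approved answer bank.

Added example for this post, not the author's tooling. The bank entries,
incoming questions, owners and review dates below are constructed for
illustration; a real bank would live in a shared, access-controlled document
or ticketing system and be reviewed on a schedule.
"""
from dataclasses import dataclass
from datetime import date
import re

# Words that carry no meaning when matching questionnaire items.
STOPWORDS = {
    "a", "an", "the", "is", "are", "do", "does", "did", "has", "have", "had",
    "your", "you", "of", "for", "and", "or", "to", "in", "on", "at", "how",
    "what", "please", "if", "so", "with", "will", "be", "any", "we", "our", "it",
}


def stem(word):
    """Crude suffix stripping so 'servers' matches 'server' and 'onboarding'
    matches 'onboard'. Good enough for questionnaire phrasing; not a real stemmer."""
    for suffix in ("ing", "ed", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            if suffix == "s" and word.endswith(("ss", "us", "is")):
                break  # 'process', 'malicious', 'analysis' keep their trailing s
            return word[: -len(suffix)]
    return word


def tokens(text):
    """Lower-case, split on non-alphanumerics, drop stopwords, stem."""
    return {stem(w) for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def similarity(a, b):
    """Jaccard similarity of the two questions' token sets (0.0 to 1.0)."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


@dataclass(frozen=True)
class BankEntry:
    question: str       # canonical phrasing of the question
    answer: str         # approved wording, agreed with the owning team
    owner: str          # team accountable for keeping the answer true
    last_reviewed: date


# Constructed sample bank; the answers are placeholders, not a real company's.
ANSWER_BANK = [
    BankEntry("Is customer data encrypted at rest and in transit?",
              "Yes; see the encryption section of the security overview.", "platform", date(2024, 1, 15)),
    BankEntry("Do you run anti-malware on production servers?",
              "Yes; endpoint protection is deployed to all production hosts.", "infrastructure", date(2023, 11, 2)),
    BankEntry("Describe your employee onboarding and offboarding process.",
              "See the joiners/movers/leavers procedure.", "people-ops", date(2024, 2, 20)),
    BankEntry("Has your company experienced a security breach?",
              "No reportable incidents to date.", "security", date(2022, 9, 1)),
    BankEntry("How are production systems monitored for malicious activity?",
              "Centralised logging with alerting; see the monitoring overview.", "security", date(2024, 3, 1)),
]

# Constructed questionnaire, paraphrased from the question types in the post.
INCOMING_QUESTIONNAIRE = [
    "Is the data encrypted? If so, how?",
    "Do you have anti-malware on your servers?",
    "How do you onboard/offboard employees?",
    "How many users are administrators of their laptops?",
    "Has your company had a breach before? If so, please detail.",
]


def triage(questions, bank, threshold=0.3, max_age_days=365, today=None):
    """Return one result per incoming question: the best bank match (if any),
    its score, the owning team, and a status of 'answered', 'stale' or 'gap'."""
    today = today or date.today()
    results = []
    for q in questions:
        best, best_score = None, 0.0
        for entry in bank:
            score = similarity(q, entry.question)
            if score > best_score:
                best, best_score = entry, score
        if best is None or best_score < threshold:
            results.append({"question": q, "status": "gap", "match": None,
                            "score": round(best_score, 2), "owner": None})
            continue
        age_days = (today - best.last_reviewed).days
        status = "stale" if age_days > max_age_days else "answered"
        results.append({"question": q, "status": status, "match": best.question,
                        "score": round(best_score, 2), "owner": best.owner})
    return results


def run_demo(today=date(2024, 3, 31)):
    """Fixed 'today' so the output is reproducible."""
    return triage(INCOMING_QUESTIONNAIRE, ANSWER_BANK, today=today)


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['status']:<8} {r['score']:.2f}  {r['question']}")
        if r["match"]:
            print(f"         -> {r['match']} (owner: {r['owner']})")
```

The point of the status column is process, not matching cleverness: a "gap" is a question that needs a new answer agreed with the owning team before it goes out, and a "stale" hit is a reminder that an approved answer is only as good as the last time its owner confirmed it is still true. The laptop-administrator question above lands as a gap on purpose, and the breach question matches but is flagged stale because its sample review date is well over a year old.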

There are also vendors that will take your answers, upload them and map them to frameworks so they can be reused across questionnaires. At the time of writing, the "juice isn't worth the squeeze", as prospects will ask you to fill out their own questionnaire anyway. I look forward to the vendor or company that disrupts that space, though. It is growing, and the need for cyber due diligence on vendors is increasing!

Prospects may also ask for your certifications and attestations. We were often asked to produce our SOC 2 report (an attestation under the AICPA's framework). Prospects in the USA cared more about SOC 2 than our prospects abroad, who would more often ask for ISO 27001 certification.

Always make yourself available to your customer, even if that means getting on a phone call with their security team. This can be tricky, though, so ask for the questions to be furnished in advance so your team can prepare for the call.

My last bit of advice is to take an approach of "not checking boxes". Many fall into the trap of "checking a box"; it's unsustainable and can cause bigger issues. You should invest in building sustainable information security policies, procedures and controls. Otherwise, instead of being able to tell your customers how good a custodian you are of their data, you will be on the defensive, explaining why "we won't have a breach again because of these reasons". It's always easier to be on offense than on defense in this regard.

In closing, deals won't be won with excellent cybersecurity and due diligence alone, but you sure can lose them by not doing it or doing it poorly. Companies expect their B2B partners to have engaged with these practices. Don't wait until you are "at bat" to address cybersecurity. Think of it as a core offering of your SaaS product.

This is a big space so my tiny blog post about it won’t cover all of the details. Leave a comment if you want me to expand into other areas! Thank you for reading!
