The original title of this article was 'The SaaS buyers hierarchy of needs'. But when we started to write it we realised that these needs are fundamental to SaaS buyers and are not hierarchical. Sorry Maslow!
Right, let's get serious. You're a SaaS company with a great piece of software and you're selling into big companies. Your product is solving a genuine pain and it is at a price point they are willing to pay. Great, you're halfway there. Now you need to make sure that you are addressing their fundamental needs and concerns as described below.
Achieve this, and you're well on the road to scaling your company.
We've talked before about how, as a SaaS company, your customers will forgive you for many things. Bugs, mediocre support, missed deadlines, price increases and maybe even occasional downtime. These can all happen during the life of a SaaS company. Your customers will certainly have faced these issues with other SaaS providers. Dare I say they may even be expecting some of the same from your company, in time.
But, the one thing SaaS buyers have zero tolerance for is a security breach. This is where their data gets into the public domain or into the hands of third parties. This is the single greatest breach of trust between you and your customers. In very many cases it becomes an irrecoverable event for your company. If you do nothing else, make sure you have robust information security systems in place that help to prevent this from ever happening.
This means getting your company certified to ISO 27001 for information security.
We said in the introduction that these needs and concerns are not hierarchical. But if you had to put them in some kind of priority order from your customers' perspective, then availability closely follows security. The only thing worse than exposing your customer's data to the public internet is preventing them from accessing their data for an extended period of time. Or even worse again - losing their data entirely!
So, when we talk about availability we are talking about two things. First, that you are performing regular backups of your customer's data. And, importantly, that you are making sure their data can be restored should disaster strike. Second, that you have the infrastructure in place to ensure a minimum level of both performance and uptime so that their data is always available to them as and when they need it.
Again, ISO 27001 helps you address this critically important customer need. It does this by identifying, treating and controlling the risks that affect the availability of your systems.
You're probably familiar with the expression "garbage-in, garbage-out". It's used to express the idea that, despite your best error checking, if the customer is putting poor quality data into the system, then that's exactly what they'll get back out again. But what customers don't expect is to put data into your SaaS application and get back something different or unexpected.
When we talk about integrity we mean the integrity of the information that you are providing to your customers based upon their inputs. You must ensure that your customer's data is stored properly and is being returned exactly as expected. Calculations must be accurate, reports must be correct, processing must be timely. In other words, your SaaS must actually do what it is intended to do and without error.
Again, ISO 27001 will help you identify the controls that you need to ensure the integrity of your valuable customer data.
People often confuse security and confidentiality (and indeed privacy, which we'll cover next). They are all related. When it comes to confidentiality what we mean is that customer data should only be seen by those with explicit permission to do so.
Firstly, this requires that you, as the host and processor of their data, do not access their data unless you have been given explicit permission to do so. For example, a catch-all support account with access into each customer tenant is an absolute no-no (even though many a SaaS provider has done it).
Secondly, the roles, rights and permissions functionality of your software must actually work as designed. If your customer gives someone member, as opposed to admin, access, then that person had better not get access to any admin functions.
Thirdly, and especially nowadays, it is expected that data at rest is encrypted. There was a time when this was expensive, and you could just about convince the buyer that it wasn't necessary. But most PaaS/IaaS vendors provide it out of the box now, so turn it on.
Once again, ISO 27001 will ensure that you are identifying and implementing international best practice controls to respect the confidentiality of customer data.
With privacy we are referring to the collection, use, retention, disclosure and disposal of information about real people. This is also known as 'personally identifiable information' (PII) or personal data. Data stored and processed about people is some of the most sensitive and valuable information out there.
Nearly all of the high profile security breach cases that we hear about relate to the loss of PII data such as names, emails, passwords, social security numbers, credit card data and so on.
All SaaS vendors process personal data to an extent, but some more than others. For example, if you are a vendor of payroll or HR software which stores and processes detailed information about your customer's employees, then the need for privacy controls becomes very important.
We'll cover this topic in greater detail another time. Suffice to say for now that ISO 27001 and its privacy extension ISO 27701 will help you meet both customer and regulatory privacy requirements such as GDPR.
Stuff happens. Are you prepared to deal with it when it does? Are you ready to provide continuity of service when the world is falling down around you? When we talk about continuity within the context of a SaaS company, we mean two things.
Firstly, we mean business continuity in the traditional sense and as it relates to your company operations. Picture a scenario where you are all huddled into an office building from 9-5 and there is a fire, flood, earthquake or zombie apocalypse. You need to have a tried and tested plan to resume operations somewhere and somehow.
Secondly, we mean continuity in relation to your product which is also known interchangeably as disaster recovery. If your PaaS or IaaS provider suffers an outage, how do you deal with this business interruption? How do you communicate with your customers and resume services effectively when the incident is resolved? These are really important considerations and you need to have plans in place for all of this.
The good news is that ISO 27001 requires you to consider and implement controls around business continuity. If you want to raise your continuity game up another level, ISO 22301 is a standard dedicated to business continuity planning and applicable to mission critical SaaS vendors.
"How do we know you're still going to be around this time next year, or even tomorrow?"
This is a question we were often asked by big enterprise prospects in previous SaaS companies. It's a valid concern. SaaS is ubiquitous nowadays and many companies actually won't be around next year, or even tomorrow! This is especially the case with the low-code / no-code revolution - where it seems anyone can start a software company these days.
When SaaS buyers, especially big companies, adopt a new application it comes at a considerable cost, way above and beyond the price tag. They want to make sure that their investment in adopting your solution won't backfire on them.
This can happen if you run out of money, go out of business, get acquired, suffer a major incident, someone dies, founders get bored and the list goes on. It happens all the time so you need to be able to give your customers the assurance they need that you're in this for the long haul.
There are several ways you can do that which we have covered in detail in our article on passing the longevity test in SaaS procurement.
It's a funny industry, SaaS. In most other established industries quality would be fairly high on the pecking order of customer needs and concerns. In the case of this particular list (and although we haven't tried to prioritise as such), the expression 'last but not least' doesn't really hold true.
This is because arguably all other needs above take precedence in the eyes of a SaaS buyer. Everything else above is a fundamental need, whereas quality is an emerging need. This is due to the relatively young age and rapid pace of growth of the SaaS industry since its inception a short few years ago.
But, we are starting to see a change in SaaS buyer expectations. We predict that as the industry settles and matures in the years to come, the focus will shift beyond these fundamentals to quality. By 'quality' we are not only referring to the quality of the product that you have built. But also the quality of service that you provide to your customers.
This includes pre-sales, technical support, customer service, customer success and everything that you do as an organisation to drive and improve customer satisfaction.
This is where ISO 9001 for quality management comes into play and can help enormously in putting the structures that you need in place to prove your commitment to business excellence.
The above needs of a SaaS buyer are not exhaustive by any means. But, they do capture most of the key considerations and concerns that large SaaS buyers, in particular, have when seeking solutions. If you're a SaaS founder or executive reading this article then take a moment to ask yourself what exactly are you doing for each individual need above. If you're unable to answer that coherently then you're not doing enough to address the needs and concerns of your customers, and this is stifling growth.
The good news is that ISO standards exist for this very purpose. They exist so that we don't have to figure out for ourselves what to do and how to do it. They provide the international best practice playbook that you need to address your customer's concerns.
The even better news is that Upscaler provides you with the perfect solution to implement that ISO playbook. And you'll do it with less effort, less cost and less confusion than any other solution in the market.
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.