The five stages of grief model (also known as the Kübler-Ross model) proposes that when people experience grief they go through a series of five emotions. These are: denial, anger, bargaining, depression, and acceptance. We would argue that many SaaS founders go through the exact same stages of emotions when faced with ISO certification!
Don't believe us? Read on to see if any of this sounds familiar to you.
We've gotten away without it so far, so we don't need it. Although it features in almost every RFP that we see, our prospective customers haven't put a gun to our head on it just yet. Besides, our homegrown information security system and policies are serving us well. We do the dance and send them the docs along with those penetration test results and they seem to accept them fine.
As for those 200-question spreadsheets for vendors without certification? These are becoming easier now that we have done so many of them. Sure, some of our existing customers do make noises about it, but we manage to keep them at bay by kicking the can down the road. Life is great, and who needs ISO certification anyway!
We don't have the time for this nonsense. There are far more important things to be working on than ISO bureaucracy. Our competitors only have it because they're bigger and had the resources to assign to it. Sure, we don't win many deals, but that's only because the customer had already decided on their vendor and had to bring a few other parties along for the ride.
It's completely unfair that our customers would expect a small and growing SaaS company to have to put in place all this 'paperwork'. Besides, it's only so that their purchasing manager can tick a box. ISO certification is old school anyway; it's not for a fast-moving SaaS company like ours.
We're an agile software company and this is only going to slow us down, which is not what our customers want, is it? They want us to be shipping more product, right? How about this: we'll get a security consultant in to do a review of our information systems and provide a report which shows them that everything is A-OK.
How about we do it next year? We'll surely have more time and resources then. Or, why don't we start with something easier, like Cyber Essentials? We'll get to the real deal later, when we're ready for it. Em... how about a discount?!
If we change the way we work to suit this ISO stuff we won't be the same company. We'll lose the essence of who we are, and I don't want to be here when that happens. We're not winning deals anyway, so why bother? Don't talk to me.
Look, this isn't so bad. If we get this done, it will be one less thing that we have to worry about during the sales process. We can concentrate on other stuff. Besides, our lack of processes around information security has been bothering me lately and I wouldn't mind some better quality sleep. Everyone is asking for it now, so clearly it's important enough to give it our attention. Let's get it done!
It's no surprise that SaaS companies go through these stages of grief as they transition from the known into the unknown. Part of the problem is that nearly all SaaS companies are capable of winning at least one big deal without ISO certification. This gives them a false sense of hope that every potential customer can be swayed, and that they are not really losing ground to competitors due to a lack of certification.
Our view at Upscaler is that the world of compliance for a SaaS company is rather binary. There are those that have it, and those that don't. The large grey expanse between these two points is what we call mediocrity and it's not good enough anymore.
Compliance is binary - there are those that have it, and those that don't.
Let me ask you a question. Would you purchase a car from a car manufacturer that didn't have an internationally recognised safety certification? I think the answer is obviously no. How about this next one: would you buy a car from that same manufacturer if they claimed in their brochure that, although they don't have rigorous third-party certification like most other car manufacturers, they do take safety seriously and your safety is their "top priority"? I'm not sure about you, but my answer doesn't change. Should your customers'?
We often meet SaaS founders who say they are too early for ISO, or they are too small, or they are still pre-revenue. Yet these same companies tend to be highly organised and process-driven in other areas such as product development, DevOps, selling and financing. Information security and the processes around it shouldn't take a back seat, no matter what stage your company is at.
With a solution like Upscaler you get a complete information security management system from the get-go. You can work these processes into your business operations and culture as it evolves. Don't grieve for what you are leaving behind; instead, rejoice in the tremendous opportunities that lie ahead.
If you have any questions or would like to learn more about Upscaler, don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.