Streamline your sales process with a cutting-edge Saas solution for IS standard documents

How to create outlook signature

hello as John said my name is George and I'm a senior consultant at scale Factory at scale Factory it's our mission to become the leading AWS consultancy for SAS businesses worldwide we found that SAS companies grow so does their customer base with higher targets for annual recurring Revenue SAS businesses try to Target bigger and bigger fish however we've seen that many companies hit a stumbling block as they try to transition to selling to larger Enterprises if you stick around we're going to discuss why companies want to Target Enterprise customers why it turns out to be difficult and how compliance with industry standards may be the solution we'll also see how the cloud has some unique characteristics that makes compliance easier um my next slide I'm working there we go but first we're going to do some a bit of audience interaction uh there's not that many people here but we're going to do a poll um because I want to know what's what's important to you here today uh so first first poll is coming up um is compliance uh priority for your organization in 2023 and do your customers ask you about compliance uh your compliance position uh we're going to be sharing the results immediately after after this closes awesome so uh good everybody who answered uh finds a good compliance to be a priority so you're in the right place um and we've got one out of two people saying that customers are asking about it so that's that's good to see um all right let's move on um all right so let's start with the basics um why do we want to sell the larger enter Enterprises in the first place I'm sure most of you already have a very good idea of why you want to sell to Enterprise customers but I want to highlight that many of the reasons we want to sell to these bigger customers are the same reasons that make selling to them hard let's talk about the most obvious reason first uh Enterprises are big with that scale comes the opportunity for larger deals if you're using a usage-based pricing model larger organizations are generally going to have larger utilization on the flip side if you're using a seat space pricing scheme then would you rather sell to the company with 20 employees or the one with a thousand at the end of the day Enterprises have a larger appetite for your product and are willing to spend more money to get it Enterprises are so big that they may represent a cluster of potential sales with multiple teams or business units which may benefit from your product there may be the opportunity to land and expand by getting your foot in with one team and then leveraging that into further easier sales to others once you've nabbed the Enterprise buyer you'll also find them to be better customers who will stick around longer one of the reasons for this is that they have a tried and tested business model and are less likely to go out of business twenty percent of new businesses fail in their first year rising to 60 failing in the first five years we can see that reflected in research done by redpoint which shows the annual customer churn for Enterprise buyers is just six to ten percent uh compared to 31 to 58 for Less established small and mid-sized businesses but there's another factor to that lower churn rate Enterprises are slow there are many many more moving Parts in a larger business so when they make a decision it tends to have a lot more inertia this is often the byproduct of their larger size where decisions need to be made with buy-in from many disparate stakeholders which will then get compounded on by the sunk cost of making that decision this kind of vector of this kind of vendor lock-in is a double-edged sword although this can be seen as a boon when we've already bagged an Enterprise customer as it reduces Churn it also feeds into why selling to Enterprises is hard because many of the reasons we want to sell to larger companies are what makes it difficult to actually make the sale so let's put ourselves in the size 14 shoes of a large Enterprise that needs to buy some new software there are many competing interests we must worry about up front we have Regulatory Compliance are we legally allowed to use this software in all of the countries we operate in then does it meet all of our security standards both set internally or audited externally does the software do what the requesting team needs it to do does the software do what functionally similar teams needed to do does it integrate well with the dozen other SAS products we're already paying for unlike smaller businesses all of those questions that we just heard are not coming from a single decision maker instead stakeholders for buying new software are spread throughout different sorry different teams and departments that need to coordinate to make that go or no-go decision many larger Enterprises therefore set up procurement teams whose job is to evaluate and approve software purchases but even with a dedicated team they still need to actually gather the data to answer those questions take a moment to think about how you might tackle that problem and shortly we'll see how some businesses try to streamline this process but first let's break down how this affects us when we were trying when we're trying to make that sale procurement teams are often comprised of Representatives with different areas of expertise Finance legal compliance Etc while the buyer stakeholder you've been working with on a sale has a business context for the purchase of your product this might not be true of a procurement team there are probably a few members of the procurement team who either don't understand or just don't care about how your product may help their larger or their larger organization but despite that they have a big list of reasons not to work with you which they're going to try to check off your first instinct may be to try and instruct the procurement team on the value of your product and while that sounds good on paper and may work to a point you must remember that the reason a team exists in the first place is because Enterprises need to buy a lot of software with a lot of competing interests you can't and shouldn't expect the legal representative of your potential customers procurement team is going to take the time to understand the Deep business context for each vendor that crosses their desk you're probably not the only vendor they are talking to and your software doesn't fill every single need that they have remember how we said Enterprises are slow we're making the sale this is going to come back to bytos they're all they are aware they lack the agility to make tooling and process changes quickly so they want to ensure they make the right decision first time this means that they're going to front load a lot of Discovery work before they get anywhere near implementation so we have a we have a procurement team who potentially lacks contextual knowledge on why your software is needed but need to get as much information as possible up front to make a good decision how are they going to know what questions to ask they don't instead they're going to ask you all of the possible questions they may have no matter how Irrelevant in search of a reason they might say no there'll be no nuanced conversations about how your product fits into their organization and whether certain controls are absolutely necessary no you're going to get a supplier questionnaire potentially hundreds of questions long about topics ranging from how your out of our support Works to what kind of locks are on your office doors this is the solution to the chaos of their own organization standardize and Outsource the pain but someone on your side is going to have to answer those questions and it's going to take days the first time around this will probably end up being the responsibility of the CTO as the questions range from technical detail to Broad organizational policy that's days of high value time gone even if your service won't hold sensitive personal or commercial data you'll need to be convincing in your answers to these questions in order to make the sale because it's easier for a procurement team to apply the same standards to absolutely everything that they buy and then the next Enterprise lead comes along and you get another questionnaire and it's similar but not similar enough that you can copy paste all your answers and they have some questions that the first company didn't have and you repeat that process your potential customers have set have settled on a local optimization that works for them they have defined their own set of standards that must be fulfilled and developed tools to ensure that standard is met your problem is that you get to see that standard setting process repeated across all of these Enterprises with varying results if only there were overarching standards that could be applied of course there are in a moment we're going to talk about how we can use certification and an attestation to Industry standards to reduce or eliminate Supply questionnaires reducing sales uh cycle times and cost of sale but first we can do some more polls um here we go so have you faced a procurement questionnaire before uh yesterday uh how long is the average Cycles Enterprise sales cycle at your at your organization and there's a we'd like to know which kind of uh standards are relevant to your industry and have you struggled to advocate for industry standards internally so we can see that I'm we have faced procurement questionnaires before so this is because let's give this is relevant um and we're seeing that actually consistently it's taking it's taking months for uh Enterprise sales Cycles uh for the people that could call um we're interested in ISO 27001 and stock two that's good because I'll be talking about those in a second um and we've got we've mostly had uh has had some struggles to advocate for industry standards entirely that's all very good to know cool let's move on cool so quick upside before we move on when I say industry standards what do I mean there's quite a few out there uh some might be more relevant to you based on your industry sector uh and I'm going to highlight too that we just had in the poll that it seems like everybody's aware of um ISO 27001 and stock 2. uh even so um even though we've seen that uh everybody on the calls kind of got an awareness of these I'm going to do a quick Round Up in comparison of both so we can talk specifically how how you might use these as sales tools both ISO 27001 and sock 2 focus on information security and can be used to assess the confidentiality availability and integrity of customer data however they use different lenses to assess your organization and require different paths to compliance ISO 27001 is a standard in the truest sense defined by the International Organization for standardization it lays out the requirements for an information security management system that can be trusted to store and process sensitive data of all kinds after proving that your system meets these requirements you can be certified by an accredited auditor sock 2 on the other hand is a standard for producing audit reports sock stands for system and organization controls of which there are three three varieties sock 2 is the one that applies to service organizations it is defined by the American Institute of certified public accountants and assesses organizations on five trust service criteria only one of which is mandatory so you can choose your own scoping to a degree the report comes in in two forms a type 1 reports on whether an organization's controls support their own objectives for information security and type 2 assesses the actual implementation of those controls over a period of time usually six months stock two attestations are not certifications and there is no hard pass or fail both standards will cover much the same ground after certifying with ISO 27001 it will be significantly easier to produce a good sock 2 report and vice versa all right but how do we how are we going to use compliance with an information security standard to help sales in the next few minutes we will see how you can use compliance to reduce sales cycle time reduce cost of sale and improve your sales funnel and hey it's not all about sales stick around and we're also going to discuss the other benefits of standardization do you remember those procurement question as we were discussing earlier most of the questions on there are going to be about managing risk for the Enterprise buyer can you be trusted to secure that data by adopting and certifying against an industry standard like ISO 27001 many if not all of those questions can be answered by referring to the standard as these are industry standards which procurement teams are already understand they are happy to take the shortcut and strike out the questions before bothering you in some cases you may even find the procurement teams were essentially doing their own mini audit to assess conformance with the standard by certifying you may find that the entire questionnaire disappears when you do still need to fill out a questionnaire you'll also find that you have a useful shorthand for answering questions sock 2 reports are great here as you can refer your potential customer to the relevant section of your report that shows you've not only thought about control but have an attested solution furthermore the sock 2 type 2 report which assesses compliance over a period of time can be used to prove that you actually practice what you preach fund apps is a fintech company that engage the scale Factory to help design a new AWS tenancy model for their B2B SAS platform they completed a sock 2 order in 2020 their CTO tobio Rock mentioned that once they had done so complex questionnaires and follow-up negotiations that regularly took weeks were frequently completed in only half a day shortening the sales cycle by as much as a month further he's been able to delegate delegate the procurement paperwork to the head of information security freeing up his own time for more strategic activities we've heard similar stories from the leadership of other SAS companies with which we've worked you may also find that some potential customers have a hard requirement for some sort of Industry certification and will not even engage with vendors who lack them certification may give you access to New Leads who are filtering themselves who are filtering themselves out early in your sales funnel of course to reach these companies you will actually need to advertise your compliance so let's quickly talk about how you might do that trust Pages or trust centers are areas of your marketing site used to advertise your security practices and certifications to potential buyers it's there to show your customers you prioritize the security of their data and that ultimately they can trust you with it by making this information both public and easily accessible you ease the friction for Enterprise buyers and increase the quality of your needs here are some example trust pages from GitHub OCTA and in all three examples the trust page can be reached with a single click from their website homepage with a potential second click to drill down into certifications they all provide ways to either download or request certification and attestation documents right there on the page you'll also note that both ISO 27001 and sock 2 are prominently prominently featured in all three of our examples lastly let's not forget that these industry standards have a use outside of improving your sales pipeline standards are standards for a reason they encapsulate practices that as an industry we've generally agreed are good and effective by going through the certification process you will likely unearth issues you may not have realized you have and wouldn't have noticed until it's too late it's also a good excuse to pay down Tech debt you knowingly accrued in your earlier growth stages by adopting a standard you also adopt a common language that can be used within your organization adding Clarity of purpose to improvements which may cross team or Department boundaries all right so we've talked about how you want to sell to Enterprise and why compliance with uh industry standards will help but how do we actually attain that compliance in the cloud and are there tools to make it easier as we mentioned previously there are many standards you you may wish to gain compliance with so unfortunately there is not a single tick box you can enable in your AWS account to become compliant most standards will also cover some physical element or human process which cannot be addressed with Technical Solutions however as we shall see in a moment there are characteristics of the cloud that are going to make the process easier and smoother leaving you time to focus on those messy human parts the first we need to identify where our responsibilities lie this is the AWS shared responsibility model for security on the bottom in Orange we have what AWS is responsible for the security of the cloud and on top we have what customers are responsible for security in the cloud to phrase it another way AWS will provide you with a secure platform but it is your responsibility to make sure that you use that platform in a secure way the same model works for compliance obligations many AWS services are compliant with various standards but just by using a service which AWS has attained compliance for does not mean your usage of that service is automatically compliant a more concrete example would be aws's HIPAA eligible Services list Hippa is a strict Healthcare data protection standard in the U.S and AWS has a list of services which follow the processes required under HIPAA however HIPAA does not have certifications for cloud service providers and AWS is not itself HIPAA certified instead it is up to the users of AWS services to attain certification for themselves aws's HIPAA eligible services are a handy shortcut for proving compliance but users are not inherently compliant but just because there is no magic compliance button doesn't mean there aren't benefits from running in the cloud first up we have can Solutions because thousands of companies have already gone through the process of adopting these standards it's likely that any problems you encounter during the compliance and certification process for your chosen standard are not unique to you and when the when there's a common problem someone has already made a solution running your infrastructure in a giant public cloud like AWS with a standard API means there's also a good chance there is a solution you can plug right into your existing infrastructure here are some example Services which may help in your compliance Journey AWS config is a tool that scans and Records changes in your AWS resources configuration which can then be alerted on or automatically actioned you can codify your own compliance requirements as AWS config rules or alternatively use pre-baked compliance packs tailored to meet specific standards your organization May struggle to keep up with packaging requirements often found in information security standards SSM patch manager can be used here to Define and roll out patch-based lines across your Fleet of ec2 instances and finally a large part of your of any certification process will be gathering proof that your control's work is intended I am access analyzer can be used to scan for resources such as S3 buckets that may have been accidentally made available to the public validating your security policies these are just a few examples from the wide array of services AWS provides when it comes to compliance um sorry when it comes to compliance no matter your problem they're probably there's probably already solution out there the other huge benefit of running in a public cloud is the amount of usage data you have access to which you can harness to continually assess your compliance in AWS that means using services such as cloudwatch and cloudtrail to monitor an alert on usage patterns services like guard Duty take this a step further by applying machine learning to these data streams to automatically detect anomalous security threats of course you also have the ability to lock down and prevent access that would take your organization out of compliance whether through basic iron policies resource-based policies or organization-wide service control policies AWS gives you the tools to enforce your compliance requirements right there in the control plane control tower is an example of where a can solution meets continuous compliance to form a compelling service that can provide an excellent Baseline to build your compliance strategy on control tower gives you a top-down view of your entire multi-account AWS estate it has canned guard rails that can be applied across your estate to either detect or prevent actions that take your organization out of compliance it also comes with a pre-configured IAM identity Center which enables you to centralize access control for your entire AWS organization with a single sign-on system that integrates with your existing identity provider a significant portion of iso 27001 compliance relates to access control which can be greatly simplified when it's all there in one place if you think you might need any help with your AWS compliance Journey well we're here to help we offer free consultations where we can discuss any roadblocks you're hitting and offer advice if you can see control tower helping out your your organization attain its goals then don't forget to ask us about our SAS foundations product it's built around control tower and installed by our experienced consultants and as an AWS partner we're not only experts in the technology but we can help you access funding from AWS as well uh so before I leave you today I just want to recap the key takeaways we've discussed selling to Enterprise is a worthy Endeavor but many of the reasons we want to sell to Enterprise cause the sales process to be painfully slow Enterprise procurement teams reach to vendor questionnaires to front load Discovery and ensure their own standards are and obligations are met these questionnaires end up being a drain on our resources as they take significant time to fill out for each potential customer we can reduce the scope of or entirely eliminate those questionnaires by conforming to or certifying in relevant industry standards these standards give us a shorthand when engaging with prospects on any remaining questions they may have and finally the cloud has some unique characteristics which makes attaining that level of compliance simpler and that's it thanks for listening um once again I've been George from scale Factory and I'm going to hand you back to John now