security reviews shouldn’t block your sales
why are you hitting yourself? stop hitting yourself.
tl;dr: go set up a free trust center so you don’t have to worry about the security review blocking your deals
note: I served as Chief of Staff at SafeBase for a bit, so I am a little biased 🙂
It’s 2023 people. We can access the sum total of human knowledge (up until 2021) with a free robot that will talk to us all day. I take a driverless taxi home at night. My grandmother is probably better at using an iPad than I am.
And yet, I have yet to meet a B2B sales leader that can figure out how to scale the security review process.
I’ve been on the inside of two B2B sales orgs and have talked with a ton of founders that are in the process of scaling their sales motion and the absolute sharpest pain they feel is during the security review process.
That’s not to malign our friends on a company’s Information Security or Vendor Management teams - they need to do their jobs (keep the company safe) while sales does theirs (close deals). Ultimately both teams are working towards the same goal, and it’s not until they start acting like it that the security review stops being a problem.
Ultimately, a salesperson is never going to understand the nuances of the company or product’s security program as well as someone who lives and breathes it every day on the Security team. Nor should they.
In the same vein, a Security professional is not going to have the same enthusiasm for an AE’s quota as the AE does. This is why the security review becomes a painful game of hot potato that nobody actually wants to be playing, but if it doesn’t get done then everyone looks bad. If sales doesn’t help facilitate the security review, their deals don’t close. If security doesn’t help complete the review, they’re blocking revenue growth. No bueno.
Spreadsheets have always been the answer to cross-functional business processes involving multiple stakeholders, and the same goes for security reviews. When I helped manage Upgrade’s B2B GTM team, I worked with a guy who spent 40-50% of his time completing security review questionnaires from prospective customers. He wasn’t even on the security team, but he had spent so much time on the subject matter that he had nearly mastered it.
That’s a valuable asset for the team, but when you consider that our north star metric was how many new customers we onboarded in any particular month, and how much of his time was spent on a small yet critical part of a very complex process (like any B2B sales cycle), it always felt like we were leaving a lot of chips on the table.
Until recently there really wasn’t a great way outside of spreadsheets to manage this process. As the seller you want to make the buying journey as easy as possible, so of course you’ll fill out their info sec questionnaire. Of course you’ll make the security team available to speak with the prospect so they can get more comfortable with the way you do business.
From the security team’s point of view, they’re giving the same canned responses on a questionnaire or on a call that they’ve given 100 times or more, and that’s a terrible use of their time!
Then all of a sudden, continuous compliance was the hottest thing in startups. Vanta, Drata, and others like Thoropass (prev. Laika) and Sprinto offered platforms that let security teams monitor, in real time, their compliance with security certifications and standards like SOC2 and ISO27001, which had become standard requests from customer info sec teams.
For any business selling into other businesses, continuous compliance became a necessity. But just having a SOC2 report doesn’t guarantee an automatic pass; there are lots of unrelated items that a vendor management team is going to want to dig into, especially as the prospects get larger.
And that’s just it: customers’ security and VM teams know exactly what it takes to pass their review, because they designed it. Until now, the spreadsheets and the back and forth were the best way to convey the requirements and for the vendor to provide feedback.
Then all of a sudden, SafeBase tapped into two huge insights:
Security folks are willing to go out and get the information they need if you give them the means to do so. It’s not like they derive some perverse pleasure from torturing their vendors (maybe some do). Ultimately, security is blocking the deal on the buyer side almost as much as on the seller side.
Proactively sharing your security posture is a disarming gesture. If you make your prospect poke and prod and dig and bother your security team, they’re going to get frustrated. If you offer up what they need in a well-designed, self-serve package, you might not even recognize when the security review gets done.
The concept of a public-facing trust center was more or less novel when SafeBase hit the market in 2021, but larger, better-funded competitors quickly took notice, and now you can spin up a trust.company.com security landing page (trust center) with Vanta or Drata, which you are likely going to select as your compliance automation provider anyway.
That said, I do believe that SafeBase has the best product in the space, plus it’s completely self-serve to set up and their free plan offers more than you’ll need to close an enterprise logo.
Now you’re probably thinking, “I’ve barely started thinking about our security posture. We just signed with Vanta and are hoping to get into shape for SOC2 in the next 6 months. Way too early for me to have a trust center and I’m too busy to set it up anyway.”
Just do it.
If you keep your trust center up to date (even if it feels like looking after an aquarium with no fish in it), you’re going to be much better positioned once sales do start to ramp up.
Beyond that, you’ve got yourself a useful, interactive, beautiful marketing asset. It’s weird but true. Beyond working on the vendor side of the buying process, I run a lot of procurement activities for the startups I’ve worked for. At a bigger company like Upgrade, I was always wary of the security team’s review backlog wrecking the purchase timeline for something we needed to execute on our goals. At a smaller company like SafeBase, all I needed to know was that you’ve got a SOC2 Type II (or a letter of engagement from a respectable auditor).
In EITHER case I would always check for a security information page (I didn’t know they were called trust centers before I worked for the company that created the category 😉).
Beyond making life easier for your sales and security teams, your prospects and customers are actually going to like this. One of the biggest takeaways from the work I did with Instacart was how much time their trust center saved their customers and how much their customers loved interacting with it.
Once it is up and running, there are a ton of ways you can use your trust center across your security and revenue teams, but that’s a story for another post.
For now, head over to SafeBase and get going.