B2B SaaS Cybersecurity Programs Do Not Scale Linearly

(January 6, 2025)

B2B SaaS cybersecurity programs do not scale linearly. The needs of the business are not the same at every growth stage, and cybersecurity programs must evolve to meet those changing needs. One might define the stages of a successfully scaling B2B SaaS security program as Surviving, Formalizing, Maturing, and Leading.  

This won’t be a perfect model for every B2B SaaS business, but it should be a helpful tool for CISOs at any point in this journey.

Surviving 

Early in the life of a B2B SaaS business, the security program is typically not a priority. The focus is on achieving product-market fit and surviving the brutal conditions that wipe out most early-stage startups. Developers are shipping code at breakneck speed; sales reps serve as support engineers; any third-party tool that can help acquire customers is purchased with no questions asked. With that said, many of the companies these businesses hope to serve are likely to have some form of security requirements - so some level of security investment is needed for survival. Some common “survival tactics” are included below:

  1. The product itself will need to align with a wide range of customer policies - this could be a requirement for single sign-on or MFA for authentication, or a prohibition of certain permissions within customer systems.
  2. Customers will require certain baseline internal controls to be in place - things like security awareness training, user access reviews, firewall and other networking controls for production environments, etc. Companies will do well to implement these controls, even in rudimentary form - and never misrepresent what controls are actually in place. 
  3. In some cases, customers will want to see third-party attestations like SOC 2 and ISO 27001. While the merits of these achievements are debatable, they at least demonstrate a company’s willingness to invest in cybersecurity and provide some surface-level information about the company’s security posture.

If a firm is in a market where these things matter to its customers (most SaaS businesses are), addressing customer concerns around cybersecurity as they come in is critical to survival. Once a transparent, defensible position on cybersecurity has been established in the market, it will be critical to begin formalizing the program. 

Formalizing 

While some level of formalization is required to reach the compliance milestones mentioned above, the business will need to level up significantly to manage cyber risk at scale. The next evolution, which may come after a new round of funding or hiring dedicated security personnel, is about laying the foundation for the company’s future cybersecurity identity. 

This is where a leader - whether it’s a VP of Engineering, Head of IT, or CISO (this is my recommendation) - must begin to define the people, processes, and technology that will set the business up for long-term success. 

People 

  • Roles and responsibilities for security should be clearly defined in policies - some will roll their eyes at policies as an effective tool, and in many ways, they would be right to do so - but having a well-defined, well-understood policy with buy-in from relevant parties will give you a source of truth to point to when decisions need to be made. 
  • As with any other element of a program, leaders should also be thinking about the ideal future state of the security organization - maybe it’s not possible to build out a SOC or application security function today, but creating this vision (and presenting it to the executive team and board) is useful in setting the direction of the program. 

Process 

  • When formalizing the program, the risk assessment may be the most critical process to get right. By choosing an established cyber risk framework, involving the right people, and establishing clear accountability guidelines, firms can create fairly lightweight risk programs that genuinely add value (i.e., as opposed to simply checking a box). 
  • Shifting security “left” in any process gets harder to do as a business becomes more complex. If firms can begin to build security gates into project and product lifecycles early, maturing those processes at scale will become much simpler. 
  • Threat detection and vulnerability management may look fairly crude in the early days, as security monitoring, on-call, and ticketing infrastructure may not be mature. But creating intentional, efficient processes that improve visibility and hygiene will enable teams to build on those processes down the road. 

Technology 

  • Here, organizations should look for high leverage solutions - where can relatively inexpensive technologies be deployed to add significant value? Secure web gateways, email filtering, and basic cloud monitoring systems might be ideal fits in the formalizing stage. 
  • As with People, firms should have a view of the technologies that must be in place over the next 12-18 months, and should ensure the board and management are bought into that vision.

Formalizing is about laying the foundation to manage risk at scale and ultimately serve the needs of your desired customer base. 

Maturing 

As B2B SaaS businesses grow, they often have goals of reaching new markets - perhaps they are looking to move upmarket to serve enterprises, as opposed to small and medium-sized businesses; or maybe the goal is to expand into new verticals like healthcare or financial services. What got firms through those early stages is not what will propel them to achieve these goals - and that applies to cybersecurity as well. 

In this “maturing” stage, there are two major step function changes that make cybersecurity programs effective enablers of the business - risk committees and roadmaps. Sure, there are lots of technical controls, tabletop exercises, compliance initiatives, etc. that will be important - but those vary from firm to firm. Risk committees and roadmaps are universally critical. 

Risk Committee 

By this point, a CISO should be in place at the director level or higher, and that individual should be responsible for getting leaders across the business aligned on identified risks, risk treatment plans, mitigation activities, and timelines. The secret weapon this individual has at their disposal is the risk committee. There is no one way to run a risk committee, but at a minimum, CISOs will need the following: 

  • A cross-functional group of senior leaders - think finance, legal, engineering, IT, DevOps, Security, compliance - in some cases it may make sense to include representatives of go-to-market functions as well. 
  • A defined, agreed-upon periodic meeting cadence - I recommend a monthly meeting with functional leaders, a quarterly meeting with executive leadership, and at least semiannual reporting to the board. 
  • A set agenda that includes discussion of newly identified risks, major risk treatment decisions, progress on cyber initiatives, and calibration of resources.
  • A review of key metrics (e.g., vulnerability management SLAs, incident response times) 
  • A process for asynchronous activities such as off-cycle risk acceptances
  • A charter document to clearly define all the above, signed off on by executive leadership 

Cybersecurity Roadmap 

Perhaps the most important input for the risk committee is the cybersecurity roadmap - in order to construct a roadmap that is reasonably attainable and can achieve buy-in from management, CISOs must be business leaders, not just technical ones.  

The roadmap must have a timeframe and start with the end in mind. CISOs must think about where the program needs to be in 2-3 years. Is the end goal a significant improvement in cyber maturity against NIST CSF or CMMC? Achievement of compliance milestones like FedRAMP or HITRUST? CISOs must have a finger on the pulse of the business to understand what this end state should be.

Once the timeframe and goal have been established, CISOs can then define the core strategic pillars that will lead to success. Then the roadmap will start to take shape. For example, let’s say a CISO determines that application security is a core strategic pillar of the roadmap, and that a four-person application security team is needed to have sufficient expertise and capacity to support the product team’s forecasted operations 3 years from now. In order to construct that strategic pillar, the CISO may propose hiring two engineers across years one and two, and another two engineers in year three. Examining every function of the security program in this fashion is a grueling exercise, but it will enable the CISO to communicate the vision for a highly complex subject in business terms, namely dollars. 

The deliverable of this exercise is a proposed 2-3 year plan that enables the CISO to secure the resources needed to move forward with the plan (or a modified version of it after discussion with management and the board). The roadmap should ultimately comprise a set of initiatives as well as the corresponding plans for hiring, technology, and consulting; it should also demonstrate how these initiatives achieve the end goal. Each of these plans should have a detailed, itemized spend forecast for each year of the plan - and CISOs should be prepared for the proposed investments to be met with skepticism. 

As with any plan, this roadmap will change over that 2-3 year period; that’s why it’s important for CISOs to communicate regularly with their management teams and boards about the progress against the roadmap, as well as changes to the needs and priorities of the program.  

Leading 

The reality is that cybersecurity programs should never stop maturing. If they do, particularly in a B2B SaaS environment, the market often learns of that stagnation in one way or another - this might be through a breach, increased frequency of outages, or identification of publicly discoverable product vulnerabilities.

But as organizations build and master the skill of continuous improvement and maturity, they can then lead from their experience. CISOs of B2B SaaS companies have an opportunity here to contribute not only to the cybersecurity industry, but also to the industries or categories of their business to drive revenue. Engagement with customers and creation of thought leadership content has a virtuous cycle effect on customer and internal trust:

The flywheel doesn’t always look this pretty, and the stages experienced by a given B2B SaaS company or CISO in their cybersecurity journey will not always look exactly like this. I have found it’s more important that leaders have a framework in mind, even if it’s not perfectly adhered to along the way.