The Guide to Becoming Enterprise Ready for SaaS Product Managers
This guide is for SaaS product managers who want to better understand the essential features enterprises expect, ideal timing for going upmarket, build vs. buy considerations, and pricing & packaging implications.
Becoming “Enterprise Ready” signals the ability of a SaaS product to meet the security, compliance, reliability, and support needs of larger customers. These larger customers are typically businesses of considerable size (>1000 employees) with complex evaluation and procurement processes.
- Enterprise Timing: When to prioritize becoming Enterprise Ready
- Enterprise Personas: Customer profiles that become important when selling to larger organizations
- Enterprise Features: Important and common features enterprises expect from vendors
- Resourcing: “Build vs. buy” considerations
- Pricing and Packaging: Commercial implications of enterprise specific features
Insights below are drawn from interviews with product leaders who have successfully navigated the enterprise journey. Special thanks to: Thomas Schiavone, Former VP of Product, Sift; Patrick Malatack, Former VP of Product, Twilio; Matt Rinehart, Staff Product Manager, Netlify; Meagan Gamache, VP Product, Render; Lawrence Han, Product Management Lead, Asana; Sean Santschi, Enterprise Product, Motive; JB Volta, Former Staff Software Engineer, Slack; and Mark Tran, Engineering Manager, WorkOS.
Timing
The decision to move upmarket is typically driven by either a "pull" or a "push" motion. Pull occurs when a user base grows organically, naturally leading to enterprise conversations. Push happens when an organization proactively goes after enterprises and Fortune 1000 companies, customers that can offer a more sustainable and bigger stream of revenue.
One thing that product leaders emphasized was prioritizing a culture of “Day 1” enterprise readiness. It’s a company-wide transition that can be complex, but early preparation greatly simplifies the process. It also provides benefits like tapping into a larger market, boosting your ACV, reducing churn, and increasing long-term customer value.
Personas: Know your customer(s)
Most SaaS product managers understand their product's primary users very well. However, the decision-making process within larger organizations involves a wider array of personas. This extended group includes these stakeholders:
Security & Compliance: Security focuses on features like end-to-end encryption, multi-factor authentication, and detailed audit logs along with compliance (GDPR, HIPAA, SOC 2).
Procurement & Legal: Procurement pays closer attention to how the software is used and licensed, while legal goes over the terms of service, privacy policies, and SLAs to keep the company protected from any legal or financial risks.
Senior Leadership: For C-suite executives, finding vendors that provide a long-term product roadmap, a proven track record of innovation, and mutual partnership is more important.
Enterprise Features, Unpacked
Compliance
Although compliance isn’t really a feature you can develop, it is a first milestone that most organizations achieve when moving upmarket. The most common compliance certifications include SOC 2 and ISO 27001.
There are two types of SOC 2 certification:
- Type 1 indicates a company’s systems and controls at a specific point in time are designed properly to meet SOC 2 criteria.
- Type 2 indicates a company’s systems and controls over an extended period, typically 6-12 months, effectively operate as intended.
ISO 27001 is an international standard for managing and protecting data. Getting certified requires identifying threats, evaluating impacts, and establishing robust controls.
SOC 2 is more common in North America for businesses dealing with customer data, whereas ISO 27001 is more prevalent in Europe.
Attaining SOC 2 compliance has three distinct benefits:
- Reinforces trust between an organization and customers. In an interview with WorkOS, Daniel Marashlian, Co-Founder and CTO at Drata, mentioned, “The main thing about SOC 2 is establishing trust. As you talk to your upstream vendors, you’ll realize that it’s not so much about the certification or the report but rather, reinforcing the notion that you care about your customers and their users.”
- Enables the customer to also be SOC 2 compliant more easily. As Thomas Schiavone noted, “Customers will also want to remain SOC 2 compliant. As their vendor, if your product is also SOC 2 compliant, it makes things much easier. SOC 2 compliance has a downstream impact that you, even as a series A company, must adhere to nowadays.”
- Offers an easy win that doesn’t require many engineering resources. Schiavone added, “The thing about SOC 2 is that it’s a lot of paperwork, not a lot of engineering work. Most of the work can be handled by one engineering manager, making it a cost-effective way to signal enterprise readiness.”
Secure User Authentication
Once compliance requirements are met, organizations tend to focus on improving their existing user authentication capabilities. Implementing basic features like email/password login and session management is straightforward, and these are the first things every organization sets up when building their application. In comparison, features like multi-factor authentication (MFA) and Single Sign-On (SSO) are much more sophisticated and provide deeper security value to enterprises.
Multi-Factor Authentication (MFA)
MFA adds a layer of security during sign-in by requiring the user to provide an additional factor, such as a time-based one-time password (TOTP). Even if one factor, like the user's password, is compromised, unauthorized access to the account is still unlikely.
Single Sign-On (SSO)
SSO is one of the most common features enterprises request when adopting new SaaS applications. SSO enables authentication via an organization’s identity provider (IdP), through protocols like SAML, OAuth, and OIDC.
The benefits of SSO are two-fold: it consolidates the sign-in process for multiple applications into a single process and reduces security risks associated with having to manage multiple passwords.
Automated User Lifecycle Management: Directory Sync & SCIM
Directory Sync, or SCIM provisioning, is another important feature that usually accompanies requests for SSO. SCIM stands for System for Cross-Domain Identity Management and is the default protocol for Directory Sync, similar to what the SAML protocol is for SSO.
It functions as a single source of truth for the identity and characteristics of employees at an organization. Use cases of SCIM include:
Automatic Deprovisioning: The most common (and security-focused) use case for SCIM is deprovisioning users. When employees leave an organization, access to all applications should be cut off immediately. The problem is that the change in employment status is first made in the IdP, like Okta, and the IdP can only communicate it to connected applications via SCIM. Without SCIM, the IT admin has to log into each application the former employee had access to and manually deactivate the account. SCIM automates this entire process.
Pre-provisioning: Similar to deprovisioning, pre-provisioning takes advantage of the automatic exchange of employee information between the IdP and connected applications. For example, when a new employee joins an organization, their accounts for the applications they need access to are automatically “turned on,” eliminating manual intervention from the IT admin.
Automated Access Management: SCIM automates most of the process of assigning roles and permissions. It works by syncing information from an organization’s IdP, where employee details like team and group memberships are stored. For instance, if a tech lead is in the "admin" group in the IdP, SCIM can automatically apply the right roles and permissions in your application.
This is important for IT admins because at a certain scale, manually assigning roles and permissions becomes unmanageable. Plus, whenever roles change (like after a promotion), SCIM automatically updates them, saving a lot of manual work.
Audit Trail and Log Streaming
An audit trail is a detailed, chronological log that tracks events and operations within an application. It records who performed actions, when and where they occurred, and what changes or access were made. This is crucial for security monitoring, forensic analysis, and regulatory compliance, as it helps identify unauthorized activities and ensures accountability.
Log streaming transfers these logs in real-time from applications to centralized logging systems like Datadog and Splunk. This allows enterprises to immediately collect, process, and store logs, enabling rapid detection and response to security incidents.
Uptime SLAs
Uptime SLAs are a bit unique in that they are formal agreements established between service providers and customers. SLAs consist of service level objectives (SLOs), which define explicit metrics such as uptime, response time, latency, and throughput. If providers are unable to meet these standards, they usually have to offer service credits or compensation to the customer.
When negotiating with enterprise clients, SLAs go beyond just being legal obligations — they help build trust and serve as a benchmark for the provider’s reliability and operational excellence. An uptime guarantee, often expressed as 99.9% ("three nines") or even 99.99% ("four nines"), shows the provider's commitment to keeping their service available and their infrastructure solid.
Build vs. Buy
The build vs. buy dilemma depends on factors such as engineering bandwidth, committed timelines with customers, product roadmap, complexity of implementation, and more. This topic is also one of the hardest to navigate for engineering leaders, since quantifying the true cost of building in-house can be challenging.
When deciding whether to build or buy a feature, consider these three key factors: how closely the feature aligns with your business's core value proposition, the resources needed to build and maintain the solution, and the risk of vendor lock-in.
How close is the feature to the core product capabilities?
Deciding whether a feature is part of the product’s core capabilities is a pivotal decision that shapes the build vs. buy decision. For example, Render, which provides cloud infrastructure services that are more developer-friendly than traditional cloud providers, built Audit Logs in-house to have deeper control over log format and event types. Similarly, Asana decided to develop most of its enterprise features internally. This decision stemmed from its philosophy that a homegrown solution offers better user experience and enhances its unique value proposition — the intersection of data modeling and workforce management.
How complex is the feature to build and maintain?
But what if a feature is integral to the product's core functionality but is incredibly complex to build and maintain? How should product managers approach the situation then? The answer depends, but here are some key considerations to guide that process.
1. Plan more time than you think is necessary.
Patrick Malatack shared that supporting enterprise customers is a never-ending, constantly evolving process. He emphasized, “Yes, it is sometimes necessary to build features in-house, but it is critical to realize that processes will be even more complex and time-consuming than you expect.”
Schiavone voiced similar thoughts, highlighting the need to “adopt a mindset that is okay with the first few iterations simply not working. It’s also super annoying to have to worry about all the edge cases but those are inevitable when building in-house."
2. Finding motivated engineers with expertise in enterprise features is difficult.
Inherently, building enterprise features like SSO and SCIM provisioning requires engineers to work with more traditional tech stacks that may not be at the bleeding edge of technology. Driving these tasks is also under-appreciated, compared to projects related to the company’s flagship products. According to JB Volta, who was a former engineer at Slack, the atmosphere of maintaining enterprise features was very much a perpetually high-stakes setting. Their team sometimes functioned like an emergency response unit, always on page to tackle the next critical issue.
How many alternative options to a vendor exist?
Potential vendor lock-in was another concern that many product leaders articulated. When assessing the broader market for a specific feature, Schiavone mentioned it’s best to avoid purchasing a solution in a noncompetitive market, which is usually associated with higher possibility of vendor lock-in. He added, “If there are several viable solutions operating in a space, that’s a good enough signal for me.”
Pricing & Packaging Best Practices
Enterprise features play a key role in justifying premium pricing for a product. While marketing, selling, and supporting larger organizations don’t have direct costs like compute resources, they still require significant investment and should be priced accordingly. Here are three examples of companies that successfully leverage enterprise features in their pricing plans.
Postman, one of the leading platforms for building and managing APIs, has created a premium Enterprise Plan that includes some core product differentiation features, e.g. Private API Network and API Builder, with standard enterprise-grade features like SSO, SCIM provisioning, and reporting & analytics.
Notion is one of the fastest growing enterprise SaaS workflow tools, and has created a core enterprise package specifically targeting security, compliance, and procurement personas with features like SCIM, SSO, and Audit Logs.
Slack, famous for revolutionizing workplace communication, has tailored its enterprise offering to provide more robust data residency and compliance as well as granular controls over how sensitive data is used and accessed across devices. The Enterprise Grid plan includes support for data loss prevention, HIPAA compliance, and Enterprise Mobility Management.
Conclusion
Becoming Enterprise Ready is about future-proofing your product and positioning your company for sustained growth in an increasingly competitive market. Ultimately, there will be a clear divide between SaaS companies that can rapidly move upmarket vs. those that struggle to catch up. This means that embracing a culture that prioritizes becoming Enterprise Ready on Day 1 is more important than ever.
For organizations navigating this transition, working with WorkOS can be a game-changer. It eliminates all the complexities associated with implementing features like SSO, SCIM, FGA, and user management. By choosing WorkOS, companies can free their engineering teams from years of R&D and maintenance, allowing them to focus on core products and increase their competitive edge in a fast-paced market.