How Dropbox used land-and-expand to move upmarket and close big enterprise customers
How Dropbox built enterprise ready features like admin controls and integrations that let them close bigger, more impactful deals, move upmarket, and stay competitive.
IT administrators had reason to hate Dropbox.
Back in 2013, a Spiceworks study found that 93% of respondents who used file-sharing services not approved by their IT administrator were using Dropbox. Imagine that you’re at work, and need an easy way to share and sync files – so you sign up for Dropbox quickly without telling the IT team. It was a classic case of shadow IT - and while it’s really annoying to IT admins, it’s actually a big part of Dropbox’s strategy.
Today, we call this land-and-expand: a company sells to developers and business users first, builds engagement from the bottom up, and, ultimately, forces companies to adopt the technology. Instead of going top down and selling to IT Admins, Dropbox gets people to actually use the product - and once teams are getting value out of Dropbox, it’s a much easier sell to the higher ups.
This strategy, however, depends on the company’s ability to develop features that these enterprise users actually need.
You can’t generate enterprise sales just by hiring an enterprise sales team. These users have special requirements and without the features to fulfill them, even the most rockstar salesperson in the world won’t be able to close. These features, like authentication, access controls, and audit trails, won’t be the most exciting things on your roadmap––but they might create the most impact.
Over time, Dropbox put in the hard work and developed the features that made their product tenable to those enterprise customers; so they were able to go from a few engaged users at a Fortune 500 to a signed contract with the big decision makers.
The pivot to enterprise was inevitable
MIT students Drew Houston and Arash Ferdowsi founded Dropbox in 2007. Growth was steady until it was explosive: in 2008, Dropbox’s (now famous) referral program took off, leading to 3900% growth in 15 months.
But profitability remained out of reach. Being a primarily consumer focused brand in an infrastructure dominated market put Dropbox in a tough position - the real money was in the enterprise, and Dropbox wasn’t able to close those deals quite yet. This is what tech analyst Ben Thompson coyly called the “messy reality of actually making money", and it’s likely what pulled Dropbox from the consumer market into the business market. This “messy reality” doesn’t just point from consumers to businesses but also points upmarket, from small businesses to enterprises.
Tomasz Tunguz, Venture Capitalist at Redpoint, has written that SaaS startups often face a churn bottleneck. According to his estimates, SaaS companies can face annual churn rates for SMBs that range from 31% to 58%. Enterprises, however, only have an annual churn rate from 6% to 10%.
On top of these business dynamics was competition––mainly from Dropbox’s similarly named competitor: Box. Box and Dropbox share a lot of similarities and eventually competed over similar markets - but Box started making the enterprise pivot a while beforehand, way back in 2007. Building features like SSO and granular access controls early gave Box a head start, which only made things harder for our protagonist.
Selling into the enterprise isn’t as easy as hiring a sales team and giving them big targets. Dropbox had to transform in two ways:
- From consumer app to enterprise app: Dropbox had a very consumer-y reputation, and that made many enterprise IT admins hesitant to adopt it. Without the right positioning, IT admins would wonder whether Dropbox’s focus was really on enterprise needs, or whether Dropbox was, at a DNA level, still a consumer company.
- From invisible, background app to engaging, lovable app: Back in 2009, Steve Jobs told the Dropbox founders that Dropbox was a feature, not a product. Jobs’s statement proved prophetic (sort of) – companies like Google, Apple, and Microsoft all eventually commodified cloud storage with consumer cloud storage apps. Without new features, Dropbox wouldn’t be able to compete with larger companies that offered products with lower price points and wider sets of integrations.
Dropbox had to become more than cloud storage, meaning it needed to build more than just cloud storage. Over the past few years, they've invested in a ton of new functionality to differentiate and make Dropbox genuinely interesting (and genuinely useful!) to enterprises.
4 features that made Dropbox’s land-and-expand plan possible
To make their pivot work, Dropbox listened closely to the feedback of their new enterprise user base. In 2013, then Dropbox business development vice president Sujay Jaswa said:
“All of our insights come from talking to customers. They come to us and say, ‘We’d love to give employees Dropbox, so here’s what we need to make that happen. Our philosophy is oriented around giving IT departments the tools they need to justify deploying Dropbox.”
But enterprise readiness was still a few years away. The two main shifts occurred in 2013, when Dropbox debuted Dropbox for Business, and in 2015, when it debuted Dropbox for Enterprise.
It worked - Dropbox eventually reduced its net losses to $112 million in 2017 compared to $210 million in 2016 and $326 million in 2015. When Dropbox went public in 2018, it was worth $10 billion.
Four key features—made specifically for enterprise customers—enabled Dropbox’s pivot to a publicly traded company serving both consumers and enterprises possible.
Dropbox could land in the enterprise with individual users, but it couldn’t expand if admins couldn’t authenticate those users at scale.
Enterprises want their apps to integrate with the user authentication stack their admins already use, like Okta or OneLogin. The number of people enterprises employ and the variety of apps and services they use make handling different authentication tools difficult and the more logins employees have to juggle, the greater the surface area for cyberattacks.
If your app uses a different, less-secure, harder-to-monitor authentication process (i.e. standard username / password), then that becomes a weakness in the enterprise’s cybersecurity armor that bad actors can exploit. It also greatly decreases the chance that these companies will take a serious look at your product. A good percentage of the Fortune 500 aren't even allowed to use products that use just username and password.
Dropbox already had a so-so reputation in the security arena. In 2012, the company suffered numerous security issues, including a case where attackers stole Dropbox usernames and passwords from other sites and accessed the victims’ Dropbox accounts.
The next year, Dropbox introduced single sign-on as part of Dropbox for Business that integrated with Microsoft Active Directory. Once users signed into Active Directory, they could sign into Dropbox without remembering an additional password. This made things easier on users and on IT.
In 2015, Dropbox added an integration for Active Directory to improve the authentication experience even more for Dropbox for Business users. IT admins could include Dropbox business accounts when they added or removed users from a network, as well as require two-factor authentication.
In 2020, SSO is becoming a basic requirement for even smaller companies. Dropbox got ahead of the curve and it helped them land those larger accounts.
Many of the industries that most needed document storage and management couldn’t use Dropbox because it wasn’t compliant with their industry’s regulatory standards (think HIPAA, SOC II, etc.). Dropbox might be able to convince a hospital administrator to try Dropbox, but without the necessary features, regulations would forbid that administrator from actually using it in the workplace.
The company’s main competitor, Box, was compliant with the Health Insurance Portability and Accountability Act (HIPAA) back in 2013. As a result, it could ensure that patient records were secure via several types of controls, including access controls, audit controls, integrity controls, and transmission security.
Dropbox finally got HIPAA compliance in 2015. Between the two years Box was HIPAA compliant and Dropbox wasn’t, Box was able to scoop up customers that couldn’t even consider Dropbox. In a regulated industry, other features don’t matter. They can’t. Until Dropbox became compliant, it simply wasn’t a contender.
Following their land-and-expand strategy, Dropbox further expanded its compliance with a whole range of other standards, including:
- ISO 27001 (Information Security Management)
- SOC 3 for Security, Confidentiality, Integrity, Availability, and Privacy
- EU General Data Protection Regulation (GDPR)
- PCI DSS
Compliance unlocks huge opportunities for revenue in new industries. Every new standard, requirement, and regulation Dropbox met meant whole new groups of businesses that could try and eventually adopt the product.
The “land” part of Dropbox’s land and expand strategy meant it had contributed to many IT admins’ shadow IT problem. Users all over a given company were storing who knows what information in Dropbox—all without IT approval. To garner legitimacy (and build some goodwill), Dropbox had to give IT admins the ability to oversee the shadow IT that had grown beneath them.
In 2013, as part of its first big push into the enterprise with Dropbox for Business, Dropbox redesigned its admin console. The new console enabled admins to better monitor user activity, such as passwords, log-ins, sharing, and membership.
In 2015, Dropbox introduced tiered administrator accounts to Dropbox for Business with three different access levels. This is important for enterprises that likely have teams of admins with varying roles and levels of authority, and lets higher-level admins can grant different levels of access to lower-level groups of admins.
In 2016, Dropbox further improved its admin console. This redesign let admins set more granular permissions at the team and folder levels and manage team folders from a centralized view. I mean, it's an admin console, so we're not exactly playing with fire here. But to an IT admin, this is absolutely necessary to get their jobs done effectively.
The admin console provided more visibility into how and where users are sharing information. Expanding into the enterprise means surfacing your features, not just making them available.
Logging, for instance, was already available in Dropbox before this update. Robert Baesman, director of product management for Dropbox Pro, Business, and Enterprise, said that “a lot of admins didn’t even know [logging] was actually there.” Marketing to enterprises is beyond the scope of this post, but needless to say that you need to talk about your features if you want people to know they exist.
Dropbox faced a challenge: It couldn’t win. At least, not in the traditional sense.
Dropbox founder Drew Houston acknowledged that “100 percent of our customers are going to be either an Office 365 customer or a Google Apps customer.” There was, and remains, no path to outright Dropbox dominance. The best case scenario for Dropbox is that their customers would use the product alongside other storage apps - and Dropbox leaned into that idea via integrations.
In 2014, Dropbox introduced the Dropbox for Business API, which helped enterprises integrate Dropbox with other services they used. The Dropbox Platform already had integrations with more than 300,000 apps, but the API gave developers functionality at the team level.
In 2018, Dropbox launched Dropbox Extensions, which made it easier to move between Dropbox and web-based apps. Later, after a successful launch, Dropbox doubled down and doubled its extensions support.
In 2019, Dropbox launched new integrations with Slack and Zoom. The new integration enabled users to share Dropbox files to Slack from a drop-down menu and video chat with Zoom without leaving Dropbox.
In that same year, Dropbox also launched an integration with G Suite that lets business users use G Suite tools without leaving Dropbox.
These integrations aren’t a compromise. At SaaStr Annual 2019, Yamini Rangan, Dropbox’s then chief customer officer, said: “We have customers like WeWork and National Geographic, where they use us specifically because we work so well with G Suite.” Integrations can be a double edged sword, but Dropbox was able to thread the needle - they made the product more useful without obviating the need for it in the first place.
Land and expand from product to ecosystem
Dropbox took the task of expansion seriously.
On their blog in 2019, the team wrote, “we’re building Dropbox as an open ecosystem that integrates deeply with popular workplace apps” and that doing so necessitated satisfying the “requirements of the IT department.”
Their success is an example of what the land-and-expand strategy needs to work. You can land with a good app, but you can’t expand just by tacking on an enterprise sales team. Your app needs a host of features that range from authentication to access controls. These features aren’t fun or exciting to develop, but they make enterprise sales possible.
If you want to land big contracts and make big money (and we’re assuming you do), then you need features that make your app enterprise-ready.
Nowadays, you don’t have to spend the better part of a decade becoming enterprise-ready. With WorkOS, you can become enterprise-ready today.