Am I Enterprise ready?

  • What the Enterprise expects
  • How to prepare
  • Scaling your process
  • The horizon
What the enterprise expects:

Good governance:

  • Environmental management
  • Conflict of interest controls
  • A code of conduct/ethics aligned with theirs
  • Digital accessibility & disability inclusion – UX/UI requirements
  • Health and safety policy and training
  • People screening/background and sanctioning checks
  • Avoidance of child labour
  • Fair wage
  • Diversity and inclusion
  • Human rights – freedom of association
  • Grievance and Whistleblowing procedures
  • D&O (Directors and Officers) insurance
  • Professional Indemnity
  • Public Liability

EBA compliant contracts:

  • clear service description
  • start date, end date, notice periods
  • governing law
  • parties financial obligations
  • subcontracting arrangements
  • service delivery/data storage location – including the requirement to notify of changes
  • provisions addressing data availability, integrity, privacy
  • monitoring rights and reporting obligations
  • service levels
  • insurance requirements
  • requirements to implement and test business continuity plans
  • provisions to ensure access to data in case of service provider insolvency
  • obligation on the service provider to co-operate with regulators
  • a clear reference to regulators’ authority
  • audit and information access rights
  • termination rights

Enterprise friendly technology solutions:

Tenancy is not to be confused with shared or dedicated instances/resources, although that is still a factor to consider. A single tenancy is where the entire cloud architecture is dedicated to one Enterprise. A multi-tenancy is where one cloud architecture hosts multiple Enterprises.

With this in mind, you as the software provider may already have a preferred method of hosting your applications. You may have an architecture with shared resources and databases, or you may provide a completely separate tenancy for each Enterprise.

Who the Enterprise is will determine how they want their application and data hosted. For example, financial and transaction data will typically need to remain in a dedicated database or, preferably, in a dedicated cloud tenancy. Governance and legislation will also dictate how the data must be managed.

Some Enterprises may already have a preferred provider so be prepared to adapt, especially if this is a deal-breaker. For example, online shopping Enterprises may prefer to host with Azure or GCP rather than AWS.

As with tenancy, you may already have a preferred deployment model. Of the three (public, private and hybrid cloud), the hybrid model is the one to be prepared for. Enterprises may want a composition of private and public clouds, utilising the differing advantages of both, such as scalability, low cost and the ability to run business-critical applications in a secure environment.

Your application not only needs to deliver scale and value, it must also be deployable seamlessly. Simply put, you need an open architecture that is sympathetic to the needs of the Enterprise.

What does that mean?

i) Data Export – your Enterprise customer will want access to their raw data to analyse it, absorb it into their own systems, or simply to take comfort that if the worst happens they have their own copy. Whether you offer this on request with an agreed response time or as a self-service export is up to you, but make no mistake, the Enterprise will want access to it.

ii) RESTful API – ideally you make data available via an API that lets your Enterprise customers retrieve and query it, typically using JSON as the data format. Document your API, including: authentication, base URLs for test and production, response codes, endpoint URLs and descriptions, data structures, and a narrative explaining the general concepts of your API.

Consider incremental endpoints for data synchronisation, for example returning only records changed since a given timestamp, so customers can keep their copy current without re-pulling everything.

iii) Webhooks – where an API is pulled, webhooks push: your service calls the Enterprise in real time when something happens, rather than waiting for a request. They are not suited to sending and synchronising large volumes of data, but they are excellent for signalling that a change has occurred, and so can be incorporated into the Enterprise's workflow to highlight when something has stopped working or data is no longer being received. Ideally there are never any problems, but allowing the Enterprise to monitor aspects of the service is an important add-on. Because a webhook endpoint accepts unsolicited requests, expect the Enterprise to require each delivery to be authenticated (for example, signed with a shared secret) so that it cannot be spoofed or replayed.
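The two integration points above (an incremental sync endpoint keyed on a timestamp, and a webhook that signals a change) are shown together in the added example below. It is illustrative code written for this page, not the product or API of any vendor the page describes. Everything in it is assumed rather than taken from the page: the `updated_since`, `cursor` and `limit` parameter names, the `(updated_at, id)` cursor format, the sample records, the header names and the HMAC-SHA256 signing scheme with a timestamp window. It runs with the Python standard library only.

```python
"""Added example (not from the page): an incremental sync handler and a signed
webhook, with no web framework so it runs offline.

Assumed, not stated on the page: parameter names, cursor format, header names,
the HMAC-SHA256 signing scheme and the five-minute replay window.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records standing in for the provider's data store.
# updated_at is fixed-width RFC 3339 UTC, so string order == time order.
RECORDS = [
    {"id": 1, "status": "open",   "updated_at": "2024-03-01T09:00:00Z"},
    {"id": 2, "status": "closed", "updated_at": "2024-03-02T12:30:00Z"},
    {"id": 3, "status": "open",   "updated_at": "2024-03-02T12:30:00Z"},
    {"id": 4, "status": "open",   "updated_at": "2024-03-03T08:15:00Z"},
]


def parse_utc(value: str) -> datetime:
    """Accept only 'YYYY-MM-DDTHH:MM:SSZ'; anything else is a client error (400)."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with a trailing Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def list_changes(updated_since: str, cursor: Optional[str] = None, limit: int = 100) -> dict:
    """Handler for GET /v1/records?updated_since=...&cursor=...&limit=...

    Records are ordered by (updated_at, id) so paging is stable even when
    several records share one timestamp; the cursor is the last key returned.
    The filter is >= updated_since, so a client that stores the newest
    updated_at it has seen re-reads that instant instead of missing writes.
    """
    since = parse_utc(updated_since)
    limit = max(1, min(limit, 1000))  # never let a client pull everything at once
    ordered = sorted(
        (r for r in RECORDS if parse_utc(r["updated_at"]) >= since),
        key=lambda r: (r["updated_at"], r["id"]),
    )
    if cursor:
        ts, _, rid = cursor.rpartition("|")
        key_after = (ts, int(rid))  # malformed cursor -> ValueError -> 400
        ordered = [r for r in ordered if (r["updated_at"], r["id"]) > key_after]
    page = ordered[:limit]
    next_cursor = None
    if len(ordered) > limit:
        next_cursor = f"{page[-1]['updated_at']}|{page[-1]['id']}"
    return {"data": page, "next_cursor": next_cursor}


WEBHOOK_SECRET = b"constructed-shared-secret"  # per customer and rotatable in practice
TOLERANCE_SECONDS = 300                        # assumed replay window


def sign_webhook(payload: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Provider side: headers to send with the POST. The timestamp is part of
    the signed string, so it cannot be altered without invalidating the MAC."""
    mac = hmac.new(secret, str(ts).encode() + b"." + payload, hashlib.sha256).hexdigest()
    return {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": "v1=" + mac}


def verify_webhook(payload: bytes, headers: dict, now: int, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Consumer side: reject missing or malformed headers, deliveries outside
    the replay window, and any MAC mismatch, using a constant-time compare."""
    try:
        ts = int(headers["X-Webhook-Timestamp"])
        sig = headers["X-Webhook-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign_webhook(payload, ts, secret)["X-Webhook-Signature"]
    return hmac.compare_digest(expected, sig)


def make_event(record_id: int, kind: str = "record.updated") -> bytes:
    """Thin notification: just enough for the consumer to call list_changes."""
    return json.dumps({"type": kind, "id": record_id}, separators=(",", ":")).encode()


if __name__ == "__main__":
    first = list_changes("2024-03-02T00:00:00Z", limit=2)
    print([r["id"] for r in first["data"]], first["next_cursor"])
    second = list_changes("2024-03-02T00:00:00Z", cursor=first["next_cursor"], limit=2)
    print([r["id"] for r in second["data"]], second["next_cursor"])
    body = make_event(4)
    hdrs = sign_webhook(body, ts=1700000000)
    print(verify_webhook(body, hdrs, now=1700000010))                      # True
    print(verify_webhook(body.replace(b"4", b"5"), hdrs, now=1700000010))  # False
```

The webhook body carries only an identifier; the consumer then pulls the full record through the sync endpoint, which keeps large data off the push channel as the text recommends. Signing the timestamp together with the payload and checking it against a window is what turns a bare HMAC into a defence against replay as well as forgery.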

An Enterprise will know the performance of their on-premise solution. It may be monitored 24/7/365 to ensure performance is as expected, and they are able to change requirements as needed. Although moving to a cloud environment is more efficient and more easily scalable, performance and monitoring remain key factors to consider. The Enterprise may request daily reports to confirm the application is running as expected. SLAs will be part of the agreement and will need to be adhered to.

Information Security:

Brace yourself. This is a broad and complex piece of the puzzle but mission critical for you to successfully navigate the stringent information security or infosec process of the Enterprise.

Whilst there are a number of initiatives to standardise supplier security criteria, the largest Enterprises will have their own risk management teams, and as such you will receive and have to complete a security questionnaire with literally hundreds of questions. You will need to be able to articulate your security posture in areas such as access controls, network security, business continuity/disaster recovery, supplier management, physical security, employee screening etc.

You will need to demonstrate you have policies in place covering these areas and have the ability to evidence compliance with them.

Increasingly the Enterprise will mandate that software suppliers have externally audited information security certifications such as:

  • Cyber Essentials Plus (UK Gov requirements)
  • ISO 27001 – internationally recognised certification
  • SOC 2 – US firms tend to prefer this; the audit has to be conducted by a licensed CPA firm, so it tends to be more stringent

Whilst arguably a subset of information security, GDPR deserves special attention.

Data security is probably the most important consideration a prospective Enterprise will take into account when assessing the risk associated with your services. Depending on how the Enterprise currently maintains their data, they may want it hosted within a dedicated cloud tenancy, or at least within a dedicated database instance. Furthermore, you should be prepared to manage a hybrid solution where the data is maintained by the Enterprise directly, outside of your cloud environment.

Five of the most common factors to consider when storing an Enterprise's data in a cloud environment are:

i) Region – the geographical area in which the physical servers storing the data are located. The region also dictates which laws apply to the data and who can access it. From an Enterprise's point of view, it is preferable for their data to be stored in their chosen region, as they will be more familiar with that region's data laws than with those of another.

ii) Regulations and Compliance – these differ between regions. Data protection laws (which govern the transfer of data across borders) and data localisation laws (which require data to remain in a particular location) may mean that certain records have to stay in a certain country, or cannot be moved to a cloud environment at all.

iii) Security – works alongside performance and assures the Enterprise that the correct measures are in place. Cloud security controls are commonly grouped into four categories. Deterrent controls are essentially warning signs that inform potential attackers of the consequences. Preventive controls reduce the chance of a successful attack, for example strong user authentication or automatically closing unused network ports. Detective controls identify attacks in progress, for example security monitoring tools that watch networks for suspicious activity. Corrective controls limit the damage once something has been detected, for example automation that isolates or shuts down affected servers.

iv) Accessibility – being able to access data from anywhere with a network connection is paramount for any Enterprise. Accessibility also depends on the region where the data is stored and the resulting data sovereignty. For example, some regulatory requirements may prevent specific data from being stored in a cloud environment, meaning the Enterprise cannot have full remote access to all of their data, and without that data critical applications may not run effectively. Again, a hybrid solution can be used, where part of the data is stored in the cloud while data that is not permitted in the cloud remains in a non-SaaS solution.

v) Disaster Recovery – any Enterprise that relies on the cloud for critical workloads needs a disaster recovery plan. The plan identifies critical resources and data within the cloud environment, defines a recovery time objective (RTO) and recovery point objective (RPO), chooses a recovery method (backup and restore, pilot light, warm standby, hot standby), implements security and corrective measures, schedules maintenance and uses cross-region backups.

In all our experience with software companies and Enterprises, cyber security is one of the key areas that is most often overlooked and causes the largest delays at the start of the onboarding process.

Cyber security is a complex and broad subject, but there are three minimum requirements of cyber hygiene you must have in place before you commence your Enterprise engagement process:

i) Ability to demonstrate that you have conducted annual penetration tests and run ongoing vulnerability assessments.

ii) Evidence that all staff have completed annual cyber training.

iii) An understanding of the nature of your target Enterprise's business, and therefore what level of cyber security you will need to achieve and maintain. Do not wait until you are engaging with the customer to put your cyber posture in place, as this can insert a considerable delay into the Enterprise onboarding process.

Your enterprise customers will expect you to:

  • maintain a list of suppliers
  • carry out a risk assessment on each supplier
  • have a third-party risk management (TPRM) process in place
  • ensure your contracts with them are aligned with their standard
  • ensure the supplier has appropriate information security controls in place
  • notify them if significant suppliers change

Operational Resilience:

Including:

  • Availability
  • Maintenance
  • Support
  • Incident Categorisation
  • ‘Indicators’ for monitoring outsourcing arrangements, including indicators based on unacceptable service levels that should trigger exit
  • data backup and recovery processes
  • key backup and storage

You will need to evidence:

  • That a Business Continuity and Disaster Recovery plan is in place
  • That the plan identifies critical resources and data
  • Defined recovery time objectives (RTO) – how quickly you need to recover
  • A defined recovery point objective (RPO) – the maximum amount of data, measured in time, that can be lost when recovering from a disaster
  • Details of the recovery method (backup and restore, pilot light, warm standby, hot standby), security and corrective measures, scheduled maintenance and use of cross-region backups
  • What happens to the data if your company fails
  • Whether there is a continuity plan
  • Whether escrow is in place, and whether it actually provides service continuity

How to prepare

What typically happens when an RFP / InfoSec Questionnaire hits the desk:

  • Sales teams run around asking the same questions
  • The key staff are distracted from their day jobs
  • Missing policies are thrown together from templates
  • Critical controls processes are rushed in … they have of course been in place for a while
  • Everyone is nervous about the impact of not saying “Yes” to all 1001 questions
  • A sales ops/ pre-sale team is hired to support sales
  • A CISO is hired to support the CTO and tech team
  • They collate all the question/answer data in a spreadsheet
  • SOC2 / ISO certifications are started
  • You fix the problem with people

What would ideally happen:

Reduce the time to contract from 12-24 months to 2-3 months

  • The earlier you start processes the easier it is to introduce them – Born Adult
  • You know the 1001 things that your prospects require, so you can prepare:
    • use automated tools – don’t reinvent the wheel spending hours on problems that have been solved
    • organise the information you will require to answer questionnaires
    • the contract – make sure your lawyer understands the sector, e.g. EBA compliance for FinTech

Remember this is time well spent, not time wasted: it means you will get paid faster.

Scaling your process

We often witness:

Costs are escalating as:

  • The sales ops/ pre-sale team keeps growing
  • The CISO can’t handle all the queries so hires more InfoSec staff
  • The spreadsheet of answers gets bigger and hard to manage
  • SOC2 / ISO certifications are eating up lots of time as evidence constantly needs to be collated
  • The questions are never the same – you’ve only reacted to the requests of previous clients

Things to consider

Review your “Enterprise Ready” task list and ask yourself:

  • how much time are they taking
  • how much is it costing
  • if you had 5x more customers would the cost increase in a linear fashion
  • which processes are automated
  • are there tools out there that could bring efficiency to the processes
  • at what point does it make sense to automate manual processes

Clearly, the ability to scale requires analysis of all aspects of the business not simply the Enterprise Ready aspects. For example, the classic challenge is a technology architecture that can’t scale.

Automation will not remove the need for additional staff. Consider:

  • offshore hires
  • outsourcing blocks of work
  • hiring a greater number of juniors and training
  • joining local recruitment schemes
  • setting up links with local universities

You’ve been a start-up where everyone knows everyone; now you are growing rapidly and:

  • staff are resistant to change
  • founders aren’t setting an example and are resistant – they grew the business the old way
  • people you have never met are making decisions you weren’t involved in
  • the previous team trusted each other – fewer controls were required

Consider:

  • Clear communication
  • Transparency
  • Acceptance that some people aren’t suited to large companies
The horizon

IPO and Sale readiness

Your company’s ultimate goal is likely to be sale / IPO but rarely are firms prepared.

Much like preparing for an Enterprise assessment you can reduce your time to sale by months by being prepared.

Consider the due diligence (DD) questions you will receive and ensure documentation is on hand and easy to find for every aspect of your business:

  • company matters – statutory docs etc
  • accounts and finance – these will be scrutinised in great detail
  • contract and insurance
  • compliance and procedures
  • assets
  • employment – pensions, contracts etc
  • technology – its ability to scale

There are tools to help you prepare and reach your ultimate goal faster.