
I've sold to several multi-billion dollar orgs with a product that had no certifications, no formal pen testing, etc.

In my experience selling to the enterprise, things like SOC2 and ISO 27001 simplify and reduce friction in the sales process, but they're often not showstoppers.

When you pitch your product to your business sponsor, they're buying based on the value you deliver, a trust in you as a seller, and a conviction that the product will solve their problem. And then once they start to involve IT and procurement and security, then all of a sudden the focus shifts away from value and towards risk and cost management.

By having SOC2, a rock solid pen test report, ISO 27001, etc. you can fast-track a ton of these processes. But otherwise, as you note, they'll throw big Excel sheets at you with questions for which many of your answers will likely be "No".

Answering "no" on questionnaires is not a showstopper. Your response on financial questionnaires will most definitely raise business continuity red flags. Your response to the security questionnaire will definitely raise data security red flags. But ultimately these questionnaires are an effort to get a full picture of the risk profile of working with you, not a test where you need to score 100/100.

So in your case, your focus needs to be on the business sponsor. They will be presented the risks from your security and financial reviews, but if you have adequately articulated the value of your product, presented an aura of business stability and growth, operated from a customer-focused mindset, then they will have the conviction to accept the risks presented by the other teams.

And sure, sometimes one of your answers will be a showstopper. So then it's up to you to look into whether you commit to fixing that showstopper as part of the contract. One of my contracts required us to get ISO 27001 certification within 2 years - but we were still able to close the contract.

We closed a contract for a business-critical system with one of the top 50 companies in the world, who demanded a financial review when we had months of runway.

There's always a path.

Feel free to email me if you have more questions.



