IT Needs to Ask for What IT Wants From SaaS Start-Ups

Let’s just tell enterprise SaaS start-ups what we expect of them.


If you’ve ever run a SaaS start-up in the enterprise space, you’ve received the Questionnaire. Actually you’ve received many of them. What is this Questionnaire thing? (Let’s call it Q to save some typing). The Q is how the large-enterprise IT department evaluates your start-up as a risk (in the data security sense of that word). The Q may cover how software is developed, how software is deployed, operational processes (including security), …

Yep, Enterprise IT waits until the 11th hour before hinting at what it requires from the SaaS start-up. The service may already be in widespread use within the company (shadow IT), or a line-of-business (LOB) pilot may be about to go live. Now IT is all fired up, but it is kinda late in the game — if you ask me.

Hinting? Yes. The Q has questions, not requirements. After completion, the Q is sent back into the corporate dark regions, where execs take turns clubbing each other with possible security breaches and probable business consequences. If the start-up is doing a decent job at SaaS, and the business need is real, then the start-up may be graded a “medium risk”, and nothing more may come of the process.

11th hour? Yes. Let your mind’s eye paint a picture of IT talking with the start-up founders about what’s important — right when they’re first starting to write the code and set up Ops. Wouldn’t that be best? Wouldn’t that be the best time to explain what IT precisely meant by the term “Incident Response Plan”? Good thing this isn’t sex education!

You might say “Hey! There’s ITIL, ISO 27001/2, everyone can go get a CISSP, …”. I say that’s not realistic, and it still leaves the SaaS start-up to intuit what IT is going to care about most — out of an ocean of possible to-dos.

This is a solvable problem. It is a communication problem. How about this:

  • 10 F500 CIOs commit to openly signaling their basic SaaS requirements.
  • Each committed company inverts their Q into a list of requirements, sorted by priority. Each requirement is made crystal clear.
  • The 10 companies merge the lists, and agree on a global priority. There is some limit to the length of the list — let’s say 50 items.
  • The list is published all over the place: hacker news, VCs & incubators, etc. Everywhere a budding SaaS start-up is likely to stumble across it.

Now re-imagine the interaction between the SaaS start-up and IT:

IT: “What’s your score?”

Start-up: “32” (the start-up was able to implement the first 32 requirements before hitting its first gap).

IT: “That’s fine for us, given the BU’s intended use of your service. Good bye.”

Should we get this going?

PS: If you prefer to replace the acronym “IT” with “RM”, you can.