Security is a Customer Success Issue

Why aren’t more digital agencies providing core updates as a support offering?

Dispel your preconceptions. Support doesn’t mean “coding on demand” or occupying a lonely helpdesk on New Year’s Eve. Offer what you can deliver. Choose the tools that make support easy. And yes, ahem, Pantheon makes it super easy to update core. This alone is such a high-value, low-risk win for all. Considering recent events, choose your own adventure:

Scenario 1: A call from a client informing you that their site has been hacked. We’ve heard that some of you have received these recently.
Scenario 2: A call that someone told your client their site is four updates behind and therefore insecure. Not as bad, but certainly not an optimal circumstance.
Scenario 3: A notification from you that you have tested a critical security update and are waiting for their signoff to push to production.

Pantheon dashboard + business rules (QA, workflow) = customer success.

3 Steps to MVP Support:

  1. Make security a core value. Early in the sales process, before project discovery, before you build the site, stress the importance of keeping core up to date. Let clients know that although they might be letting their desktops run on an old version of Windows XP, the world of professional web development is in agreement that we don’t risk hoping the bad guys don’t notice us.

I would go so far as to require customers to check a box to “opt out” of support. Drastic? I don’t think so, keeping in mind that sites all over the world were hacked by this recent exploit. We are logging and blocking these attempts every few seconds.

  2. Build a supportable site. If you tell me, “We can’t update core because the site we built requires days of testing and QA,” I have a disapproving look with your name on it. I have a few thousand sites on my platform that completed this recent update within hours of its release, and these weren’t brochure sites.
  3. Build a support offering. Ideally, you have let the customer see the value of keeping the site secure (step one), and (step two) built a site that should be relatively easy to update. That should allow you to offer a support agreement that doesn’t give your customers sticker shock, is easy to execute, and makes a profit. Here is the simple math:

Estimated time to execute updates: 3 hours (This is a liberal estimate, meant to include some UAT or smoke testing. My guess is most completed SA-CORE-2014-005 in less than 30 minutes.)

Estimated security updates/year: 5 (average over the last 5 years)
Bill Rate: $100 (Used for mathematical ease, adjust accordingly.)

Offer this support contract: $1500/year or $125 MRR.
It takes a bit of time to perfect, and this is a simple example. But that’s the gist.

Resistance is futile. Start offering support.

We all know that Drupal help is indeed hard to find. Your development platform should make you feel confident that junior support developers can easily execute updates with a bit of training and guidance. On Pantheon, changes are testable and versionable, and fast ad hoc backups are included in all of our plans.

That intern? Put her or him on this. They can learn version control, best practices, and a little about Drupal core as they make your client’s site secure.

Development shops understand how cash flow can get sticky between projects, especially during the frenetic early years. Monthly Recurring Revenue from support is the safety padding during those periods.

Additionally, support keeps the customer lifecycle alive. It is contextual engagement, which is a higher value interaction than a typical check-in by an account manager. Don’t make your customer look to anyone but you for security, support, and solutions. Solve the problems they don’t know about, but should.