Concrete CMS is an open source content management system that focuses on providing secure and robust frameworks that content teams absolutely love. In this interview, Founder and CEO Franz Maruna portrays the company’s story and explains its benefits for collaborative, non-technical team work.
Please describe the story behind the company: What sparked the idea, and how has it evolved so far?
We started back in 2001 as a full-service interactive media shop that helped ad agencies, brands, and angel investors to build websites and online communities. We didn’t like the content management tools that were available at the time. We’d put lots of work into building a website, and when we handed it to the client, they wouldn’t know what to do with it, and were afraid to use the complicated tools to manage it. We wanted to make it easier for our customers by building websites that their team could use effectively without needing a developer.
We started building our content management system (CMS) which we then used for multiple projects. Particularly, we were building online communities for specific vertical markets. Of course, this was before Facebook had taken over the world.
Then the 2008 financial crisis came along and we released our CMS as an open-source tool set. We always relied on open-source software but had never really contributed to it until that point. We uploaded it to SourceForge in hope that it would gain some popularity. Within 90 days, we were selected “Project of the month” and people started using it across the board for projects large and small.
We spent the next few years being pulled in different directions and trying to figure out what our product-market fit was. I think that’s one of the biggest challenges with open-source. You get so many people who apply your product to their scenarios that it’s easy to chase their dreams, as opposed to focusing on one thing and doing it well.
Eventually, we realized that Concrete CMS was most valuable for teams who need to have permissions and workflows in place, and power complex websites with a simple user interface.
Here’s a quick video introduction to Concrete CMS:
In such a competitive market, what makes Concrete CMS unique?
Our architecture is flexible and robust. We’ve rebuilt things over the years and we now run entirely on modern PHP. It’s a joy for a developer to use.
Our competitive advantage becomes clearer when working on more complex websites. If you want to build a blog, WordPress is the perfect tool for you. But if you’re building an intranet with personalized employee experiences, and particularly if privacy and security are a concern, Concrete CMS is the best solution you can find. We have a lot of experience building and running compliant, safe, secure websites for big organizations, and we do that very well.
What do you do to protect your system and users from cyber threats?
Securing a website is a process. It’s not a one-and-done kind of thing. You need ongoing attention and a system that you can trust. It starts with security by design. Just acknowledging the things that can or need to be improved is important right from the get-go.
Our core CMS is ISO:27001 and SOC 2 compliant. We have a full-time chief information security officer that points out important security considerations whenever we build new features, and we maintain an active presence on HackerOne.
If you choose to host with us, we’ll build a tailored plan that makes sense for your organization. Sometimes that means doing a code audit to point out some issues they might want to check before they go live, like cross-site scripting issues.
Some clients want us to be that gateway. Others want to be able to pull the trigger and push an update on their own. We can put together a hosting plan and service level agreement that meets any unique need.
Larger organizations that work with us, such as BASF and the US Army, love that it’s open-source because they know they can leave whenever they want, with no strings attached. That said, they don’t want to touch a line of code. They want us to make sure that everything is running smoothly and that everyone who has access to the server is a trusted resource working in a managed process.
If someone leaves the organization, they want to have a process for making sure that they no longer have access to that server. If one of the libraries or tools we rely on gets an update, they want to know that someone from our team will apply it quickly. That type of thinking is more of a process than a product, but it’s how you maintain a secure website in a changing world. More and more organizations are realizing that security is really important.
Banks are a great example of organizations that know a lot about compliance and security and have robust systems for managing their back end, but often see their marketing site as an afterthought. Their online banking systems all come from vendors that go through lots of audits, but often, their website is just a copy of WordPress with a bunch of 3rd party plugins that nobody bothers to update.
I think people are starting to realize that websites are like your storefront and need to be secured accordingly. You need to have that same level of process around who has access to the code base, just as you would with your storefront, and check all the dependencies when updating a new version.
If you’re using a bunch of plugins on WordPress, you might be exposing yourself to third-party threats, and the agency you hired five years ago may or may not exist anymore. We are going to be here in 5 years from now just like we have been for the last 20 years. If you have an SLA with us, you can still work with different 3rd party creative services agencies, and your codebase is always going to remain solid.
How does your platform interact with third-party software applications?
There are plenty of ways to get data out of Concrete CMS today. We have a marketplace of third-party add-ons and themes that range from image galleries to third-party SaaS platforms like Shopify to extend your site’s capabilities.
We do very well on the DIY front, for people who are looking to just plug and play, but if you’re willing to get your hands a little dirty, you could build anything you want with Concrete CMS.
What would be your tips for teams that are building their first website?
Work hard on defining your goals and making them measurable. It’s really easy to assume that everyone is on the same page when they’re not.
When designing a website, there’s a tricky balance between aesthetics and functionality. It’s easy to get sucked into modern design trends and pay lots of money for some super cool mobile parallax scrolling page that you are unable to edit.
Before you dive into all that, stop and think about what you need to measure to compete in your industry. You want to think about the Time to Post just like Time to Market for a new product. If content marketing is important for what you’re doing, think about how long it takes you to get content approved and published. Think about what happens when you follow this approval process and it gets stuck halfway through.
Some clients prefer to move quickly even if it means some mistakes might go live, while others cannot allow errors even for a minute, so they have a robust approval process that they can follow safely.
Which trends or technologies that you find particularly interesting these days?
We have hosting tools that do that for Concrete CMS. For many of our webshop owners, that feels like a new way of thinking. Using SFTP for a little project with only yearly updates is probably fine, but what happens if your website needs updating every month, and half a dozen developers are working on it? How much time are you spending trying to update this website when you’re ready to push? I think we are going to see a lot of new services around that. There isn’t a one-size-fits-all answer to WebOps. Different projects require different approaches.
I also hope we’re going to see a continued interest in decentralization. People have realized that building your whole web presence on Facebook because it’s easy means you don’t own any of your work. In that sense, you are the product, not the customer. I think more and more people are realizing they’d rather build their communities somewhere where they can control and own the content, so they can monetize it any way they want.
What can you share about your future plans for Concrete CMS?
We’ve been around for a long time, but we just went through some fairly significant changes. We’ve just redesigned our website and rebranded ourselves from concrete5 to Concrete CMS. We’re rolling out more hosting offerings now. We’ve got a new version 9 coming out that has a complete interface update to go with our name revision.
Another thing that we’re going to be focusing on in the coming year is a feature we call Express, which has existed in Concrete CMS for a while but is ready to go to the next level. It’s a way to build a lightweight relational database on top of the CMS. It’s another way that Concrete can support an organization as its needs grow online.