Customers want to know if they can trust you with their sensitive data. Just as a hostage negotiator wants “proof of life”, a potential customer wants evidence that your security claims are valid. As a startup or small and medium-sized business (SMB), what evidence can you offer to these prospects to make them comfortable with you as an organization?
Depending on the stage of growth of the company, I advise clients to base their “proof of life” on three factors: cost, credibility, and comprehensiveness.
In the early days of a startup, resources are scarce. Time is spent determining problem/solution fit, creating a Minimum Viable Product (MVP), finding product/market fit, and a host of other activities.
Assuming the product is successful, an enterprise customer who wants to buy will typically send a long, detailed, and burdensome security survey with hundreds of questions to answer. To make matters worse, filling out this questionnaire usually falls on the most senior people at the company, taking up valuable time.
To handle these requests in a cost-effective manner I suggest creating your own security questionnaire with pre-filled responses to provide to customers. Strive to have this questionnaire handle at least 80% of security inquiries. That way you can focus on the 20% of customers that bring in the most business.
For those discerning customers that want additional information, create a security whitepaper that goes into more detail about your security program, automated SecDevOps processes, and operational security activities. This is exactly what a number of leading vendors provide to boost customer confidence.
As the company grows you can look to enhance your security credibility in other ways. Using an external security firm to conduct a penetration test provides assurance to prospects that experts are reviewing your application and systems. When sharing the pen test findings, highlight not just the issues but also the process for addressing the discovered vulnerabilities. This is an important indicator of the maturity of your security processes.
Another sign of a maturing security program is the use of industry standard cybersecurity frameworks. They help guide the work of the security program and simplify the complex world of security in a way that can be more easily understood by potential customers.
Choose one or more frameworks as the baseline for your security program and conduct a self-assessment. This not only helps you develop an initial roadmap but also serves as an indicator to customers that you’re on a reasonable security trajectory.
A good example of a self-assessment tool is the Cloud Security Alliance (CSA) STAR Self-Assessment for cloud providers. It provides a standard approach for documenting adherence to security best practices.
Once the company is more established you need to adjust focus based on the demands of the business. A self-assessment alone might not be sufficient as customers expect more comprehensive evidence from third-party firms.
This usually means engaging a third-party audit firm to provide a certification such as SOC 2 or ISO 27001. Attaining these third-party certifications can be time, money, and resource intensive, so the foundation you lay earlier in developing your program and conducting a self-assessment is extremely important.
Depending on your customer base you might need to attain other third-party certifications as well. For example, if you are providing services to the federal government then FedRAMP certification might be necessary. Similarly, if you are serving the health care industry, HITRUST certification can be important.
Just as a hostage negotiator wants unmistakable evidence that the captive is alive, a potential customer wants to hear a straightforward story about your security program. Based on your business goals and strategy, you need to support the organization by leveraging the right tools (e.g. security questionnaires, whitepapers, penetration tests, security frameworks, self-assessments, third-party certifications) to drive sales and marketing. The trick is providing the right balance of cost, credibility, and comprehensiveness to show sufficient “proof of life” at the appropriate time.
Thanks to David Cawley and Benjamin West for sharing ideas for this article.