Two major trends have come to the forefront of digital security over the last decade. One, companies have become increasingly reliant on third parties (like SaaS startups) to do business, and two, security breaches are increasingly impacting large corporations.
Alarmingly, surveys report that over half of all security breaches (59 percent) were caused by the very third-party vendors that companies have become reliant on.
As a result, company leaders have become hesitant to do business with anyone who cannot provide a minimum level of assurance that their data is safe.
These trends have brought about a number of new security certifications and compliance requirements that SaaS vendors must navigate to win new business. If you want to do business with the Fortune 500, you have to be able to effectively communicate your security and compliance posture.
Here are four things you should consider in preparation for the inevitable security conversations with big company prospects.
Create a Vendor Security Transparency Package
Security transparency packages are a proactive means to give prospective customers insight into your security and compliance posture. They also help your organization control the messaging around your product or service's approach to information security, instead of answering each prospect's questionnaire from scratch.
A good security transparency package has three core components:
- A marketing-style report describing the product and any relevant security features
- A pre-filled security questionnaire
- A copy of your information security policy
Write Meaningful Policies and Procedures
Information security policies clarify management's intended strategy for information security and are a required element of any compliance framework. If top-level management is thoughtful about its information security policies, it sets the tone from the top and empowers mid-level managers.
If you are prioritizing your policy writing efforts, consider starting with these:
- Information Security Policy
- Employee Handbook (an information security section covering acceptable use)
- Incident Response Policy
- Change Management/System Development Policy
- Data Backup Policy
- Business Continuity and Disaster Recovery Policy
If you are looking for a framework, SANS Institute provides free examples of “light” information security policy templates. The National Institute of Standards and Technology (NIST) also has helpful security resources.
Leverage Built-In Platform Features
Most software startups leverage a modern technology stack (like Amazon Web Services, Microsoft Azure, Google Cloud, Slack, JIRA, etc.). Many of these platforms have built-in or easy-to-add security features that are affordable and relatively simple to implement, such as:
- Web Application Firewall (AWS WAF, the WAF in Azure Application Gateway, or Google Cloud Armor)
- Log Analytics and Threat Detection (Amazon CloudWatch Logs with GuardDuty, Azure Monitor, or Google Cloud Logging, formerly Stackdriver Logging)
- DDoS Protection (AWS Shield, Azure DDoS Protection, or Google Cloud Armor)
- Key Management (AWS Key Management Service, Azure Key Vault, or Google Cloud Key Management Service)
- Backup and Recovery (Amazon S3 Glacier, Azure Site Recovery, or Google Cloud Storage Nearline)
These are just a few of the features that can boost the security posture of your organization and elevate your security status with prospective clients.
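To show how little configuration some of these features take, here is an added example, not code from the original article or from risk3sixty: a minimal Terraform configuration that turns on several of the AWS features listed above (GuardDuty, a customer-managed KMS key with rotation, a versioned and encrypted backup bucket that transitions objects to Glacier, and an AWS WAF web ACL using an AWS managed rule set attached to a load balancer). It assumes AWS provider version 5 or later with credentials and region already configured, an existing Application Load Balancer whose ARN you supply as var.alb_arn, and a globally unique bucket name in var.backup_bucket; both variable names are this example's own. AWS Shield Standard is enabled by default on the load balancer, so no resource is needed for it; Shield Advanced is a separate paid subscription and is not shown.

```hcl
# Added example (not from the original article). Assumptions: AWS provider
# >= 5.0 already configured; var.alb_arn and var.backup_bucket are supplied
# by the reader and are names invented for this example.

variable "alb_arn"       { type = string }
variable "backup_bucket" { type = string }

# Key Management: customer-managed KMS key with automatic annual rotation.
resource "aws_kms_key" "data" {
  description             = "Customer data encryption key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Threat detection: GuardDuty analyses CloudTrail, VPC flow and DNS logs
# for the account without any agents to deploy.
resource "aws_guardduty_detector" "main" {
  enable = true
}

# Backup and Recovery: a versioned bucket, encrypted with the key above,
# whose objects move to Glacier after 30 days.
resource "aws_s3_bucket" "backups" {
  bucket = var.backup_bucket
}

resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    id     = "to-glacier"
    status = "Enabled"
    filter {}
    transition {
      days          = 30
      storage_class = "GLACIER"
    }
  }
}

# Web Application Firewall: regional ACL running the AWS managed Common
# Rule Set (OWASP-style protections), associated with the load balancer.
resource "aws_wafv2_web_acl" "api" {
  name  = "api-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-common-rule-set"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```

Run `terraform init` and `terraform plan` to review the resources before applying anything. For the security conversations this article is about, the value is that each bullet in the list above maps to a few declarative lines you can show a prospect or auditor, and the applied state is evidence that the control is actually in place rather than just described in a policy.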
Consider a Formal Compliance Report
Most startups reach a point when a self-assessment is no longer enough to satisfy prospective customers. To meet contractual requirements and to compete in a crowded marketplace, obtaining a formal compliance report or certification is a good next step. A few of the most common requirements include: SOC 2 (an auditor's attestation report rather than a certificate), ISO 27001 (a certification), PCI DSS, HIPAA, GDPR (a regulation you comply with rather than a certification you earn), HITRUST, and FedRAMP.
In a heightened security environment, these formal certifications have become table stakes for any high-growth startup seeking to capture their chosen markets.
Christian Hyatt is a Managing Director at risk3sixty. His practice helps high growth technology companies build information security and compliance programs.