Are you a CTO or someone on the IT or Engineering team at a smaller tech company who gets pulled into sales processes to answer security questions? You probably just want to focus on building your product or hiring your next engineer, but here it is ... a security questionnaire ... and it is always an emergency, right!?
Or maybe you are a CEO or VP Sales at a company that has to ask the tech team for help...
This post talks about how to navigate these situations.
One of the most common reasons companies ask us to help them is that their prospects are putting up lots of hurdles in their sales process. Nobody likes to have to stop talking about their value proposition to explain their security posture. Especially when it isn't a great story.
The first thing you have to understand is that it is totally normal to consider security in a vendor management process. In fact, it is a good thing! Not only that, most of these companies have already committed to doing that - so they aren't singling you out, they're just doing what they do. It turns out every vendor like you represents risk, and they are all trying to mitigate risk.
One thing that can help a lot is to build a close and transparent working relationship with a stakeholder who can help you to identify and overcome specific blockers. Sometimes companies have hard rules about certain things. For example, they may say that you MUST have a list of subprocessors.
Your stakeholder can help you understand that and direct you to the areas you must address, as opposed to a laundry list of nice-to-have security items.
Sometimes a stakeholder can help you bypass security altogether. We don't recommend that in general, because when the customer's security team finds out and evaluates you, they may hold you to a very hard and fast standard.
Usually in these kinds of deals, the stakeholder can ask internal questions to help get context and understand how important the different things are. We recommend leveraging that and building a good relationship so that you can navigate this cleanly.
There is a saying that "in crisis there is opportunity". Although one security review really isn't a crisis, even if you lose the deal, it is true that there is an opportunity to change the whole dynamic around the security discussion. If you spend a small slice of energy on an ongoing basis, you can build to the point where you have solid answers and these types of security hurdles are easy to jump. You become like a pro athlete who can clear them without breaking a sweat.
Even better, you can start to differentiate yourself from competitors who aren't taking security very seriously and don't have a good security posture. We work the other side of this issue too, helping our clients evaluate the security of their vendors, and sometimes we guide them to explore alternative vendors that may have a more reasonable security posture. We're pragmatic about this. It only really matters when very sensitive data is being shared with the vendor and so on. But it is absolutely true that security factors into vendor selection processes and you can stand out by doing a good job.
As with everything in nature, there is a balance. You can do too much for security. You can do too little for security. Only the people at the company who know the cost of security, the cost of losing business, and the potential increase in revenue from investing in security and creating a strong story can really understand all of the trade-offs.
Sometimes people do lose deals because they don't have strong enough security. In our experience, this is extremely rare if they bother to open a dialog with the prospect and make reasonable commitments. But in some cases, a company has a hard line that every vendor must have a particular audit, for example. If the audit costs $100,000 to get, it may or may not be worth doing.
At some point, security is a business decision.
What drives us at Jemurai is helping our customers succeed. We get excited watching our customers close deals, land funding rounds, sail through M&A or pass audits. Doing hurdles doesn't have to be a slog when you keep the end goal in mind.
We built our securityprogram.io tool to help people build their security programs, so of course we think that is a great option, but you can also check out our consolidated guide and get started doing it yourself!