Security Challenges Selling to Corporations
If you ever tried to sell to corporations, smaller or bigger, financial institutions, banks or legal firms, you would be required to go through a rigorous security check. All of those organizations are very sensitive to their security and have deployed information security management systems of varying degrees. A big part of those security system requirements is about their suppliers as their security is as good as their suppliers’ is.
Selling to Security-Aware Organizations
When you want to sell to a security-aware organization, your company has to go through their supplier risk & security assessment process. These processes are in place so that the purchasing company can be sure that you, as the supplier, are taking security seriously and can demonstrate it through your policies and actions.
These processes come in the form of “security questionnaires” that can be quite lengthy and arduous to fill out. They also involve highly sensitive information regarding your internal security, infrastructure, the architecture of software (if you are a software business), business continuity plans and all aspects of how you operate as a business down to employee-specific policies.
You will also find that each company has its way of exchanging this information with you, varying from “secure web portals” to, most likely, simple e-mail attachments. And of course, this is an interactive process, someone, usually a person from information security, will examine your responses and most likely will have follow up questions.
What Can You Do?
As we’ve said before, this is an arduous, resourceful and tedious process that needs to be done and get out of your way so you can start doing business. So you need to consider how you can mitigate the following:
- Reduce the time you need to fill out the questionnaires.
- Try to provide as much information upfront to avoid follow-up questions.
- Convince the assessors that you take security seriously.
- Don’t expose really sensitive information.
To elaborate on the last point, you wouldn’t want to expose the intimates of your security profile on such questionnaires. As much as this process is for security, the reality is you don’t control how this information is stored, accessed and transmitted. You need to find the right balance so the assessors are satisfied without compromising your security standards.
The “Information Security Package”
One practical way of dealing with corporate procurement and the security questionnaires is to prepare ahead of time the “Information Security Package”. That would be a collection of your security-related policies into one zip-file with a README file that speaks a few words about the company’s security and also acts as an index as to what can be found in this package.
What should be included in the package:
- Any Security Certificates you may have (ISO27001, Cyber Essentials, etc).
- If you have an ISO27001: Your statement of applicability.
- If you are a Software company, include a rough diagram of your infrastructure architecture demonstrating how your services are all behind a firewall.
- Business Continuity Plan
- Data & Corporate Information Security related Policies
- Company Password and Document Protection Policies
- HR and IT Infrastructure management policies
- Incident Management Process
- Internal Audit and Management Review Process
With these documents and policies in place, you will address most, if not all, of your clients’ concerns around how seriously you are taking security at your organization.
How to Share Sensitive Information
E-mail is not your friend if you want to be serious about security. It doesn’t satisfy either of the two basic security requirements when dealing with data: It isn’t encrypted during transmission nor at rest. On top of that, you also need a detailed audit log trail that can inform you about who send what information to whom and when that information was accessed.
This is where our service, SROP excels at. With SROP you can have your Information Security Package uploaded and generate a unique, cryptographically secure, URL that you can share with your potential clients. Supported by extensive audit log trails, you and your company’s IT administrators are in complete control as to what happens over the sensitive information you are sharing with third-parties.
While for many this is a checkbox ticking exercise, we know that you care deeply about your security and the security of your partners. That is why it is important to assess the risks throughout your operations and third-party exchanges.