What Enterprise CISOs Want to See from Startup Security Programs

Stan Chang
October 16, 2020

When your startup is beginning to gather steam, one of the biggest hurdles to overcome next is ensuring proper security, since this is one of the top reasons why enterprise deals fall through for startups.  

Consequently, the best thing that startups can do to start winning the largest enterprise customers – and set themselves apart from their competition – is to create a stellar security program that enterprise customers can trust. 

Across this series of blogs, our company –SafeBase – has been using its access to speak to CISOs from some of the most established enterprises in the world, to find out what they want from the security programs of SaaS startups. This time, we’ve compiled our learning from interviews with two Chief Information Security Officers who, for confidentiality reasons, we cannot name, or disclose the specific companies that they belong to.

The CISOs we spoke to were employed, respectively, by a major supermarket chain, and by a major multi-national investment and technology development company, with billions in assets – in short, highly desirable customers for growing startups.

Here’s what we learned:

Despite their mature business lines, both enterprises are working with a large number of SaaS startups 

It should be exciting to hear for growing companies that some of the largest enterprises have no problem purchasing from early-stage startups, and even say that startups have an advantage over bigger companies, according to the CISO of the technology development company we spoke to.

This is because startups are willing to adapt and make changes, and will build things right to begin with, taking into account the needs of their enterprise customers, whereas larger vendors don’t typically want to adapt to new ways of working.

Both CISOs value penetration testing more than SOC2

Both the CISO from the technology development enterprise, and the CISO from the supermarket enterprise, said that pen-testing was more telling, and more likely to inspire their confidence in a startup’s security, than a SOC2 audit.

Not only does pen-testing and ethical hacking provide a more practical report for enterprises to look at, but it can help your startup to identify its own areas of vulnerability to improve its security program.

Although they find pen-testing helpful, both enterprises also said they would like to see SOC2 certifications from startups– though one CISO cautioned startups to use it as ‘a baseline, not a ceiling’.In the case of the major supermarket enterprise, the startup could fill out a 300+ question questionnaire to detail their security program instead.

One CISO said that they wouldn’t work with a startup unless they had a dedicated security professional 

The CISO of the technology development company we spoke to said that they wouldn’t work with a startup without a dedicated security professional or security team, since without specialist knowledge in security and security maintenance, it’s unlikely that they’d be secure enough for their company to trust it with their data.

Though not all the CISOs we’ve spoken to have had this stipulation, it’s a good idea – regardless – to have an employee whose sole job is to ensure the security of your systems, to keep sensitive information safe and secure, and to show enterprises that you take security seriously. 

The two CISOs had contrasting thoughts on SecurityScorecard

Throughout this series, the verdict on SecurityScorecard from CISOs has been unclear since, while most have admitted that it’s limited in its security assessing capability, half the CISOs we’ve spoken to still use the site to assess a company’s security.

In these cases, the major supermarket enterprise uses SecurityScorecard to get an idea of a startup’s security, whereas the CISO from the technology development enterprise said that they didn’t, claiming it was ‘not very useful’ because it only checks the public domain. 

Both CISOs thought that the SafeBase Security Status Page was a great product for startups

One point on which both CISOs could agree, was the usefulness of the SafeBase Security Status Page, which allows startups to showcase their up-to-date information about the different components that make up their security program, , so that potential customers can understand the approach that the startup has taken to protect themselves and their clients.

The CISO at the technology development firm stated that one of the most tedious parts of working with vendors, was the continual reassessment of these vendors, as well as the time it takes to assess whether they’re secure enough to work with in the first place.

The CISO we spoke to said that they want to know as soon as possible whether a startup is secure enough to work with, and the security page could help to make this process faster for enterprises, which will likely make them more inclined to work with your startup.

Lastly, the CISO we spoke to from the major supermarket enterprise said that the product would be particularly useful for vendors who are looking to land customers in highly regulated industries and banks.

One CISO said that startups’ being mature enough is almost as important as its security 

By maturity, one CISO specifically defined this as a startup having ‘reached an inflection point’. In short, enterprise customers want to know that their vendors aren’t going to flop, so that they’re no longer able to provide the service that they’ve promised.

While this is a blanket rule, the CISO admitted that they’d worked with a startup that hadn’t reached this point, but they’d showed dedication, and had a realistic plan to show that they wouldn’t fail – so, if your startup is still young, get ready to prove to potential enterprise customers that you have an actionable plan, to ensure that you can continue to provide for your customers.

So, if you want to appeal to some of the most established enterprise customers in the market, make sure to undergo pen-testing, have an employee or team dedicated solely to security, and consider setting up your SafeBase Security Status Page today, to begin closing deals faster with your enterprise customers.