Ensuring your security is up to scratch is far from the best part of growing a startup, and yet it is one of the most important things to consider if you want to land the most desirable clients and customers, according to the CISOs of major companies.
Installing and monitoring startup security can feel like a minefield, especially if you have little to no experience in the area. We put together this series of posts to demystify the needs and wants of your startup's potential enterprise customers, enabling you startup to meet their expectations.
By reaching out to professionals on LinkedIn, our company SafeBase -- which helps startups share their security status in a dynamically updated status page, with the aim of winning enterprise customers -- was able to speak to Bradley Schaufenbuel, Vice President and Chief Information Security Officer of Paychex, a major HR and Payroll solutions company. We were granted insider access to what CISOs really want when assessing whether their company should work with a startup.
Here's what we learned:
CISOs will check your startup's security against what they've been told.
In any relationship, trust is key. When you tell a potential customer about the level of security your startup has, make sure not to bend the truth.
Mr. Schaufenbuel has revealed that they carry out a number of checks, and they often use SecurityScorecard to do a perimeter check to assess the security of your startup. Not only do they use this grade to measure the security level of your startup, but they check it against what your company has said the level of security is.
If there's a difference between what you've said, and the grade that SecurityScorecard comes up with, then a company will be wary about trusting your startup -- what else might you have lied about?
Since enterprises don't have the resources, or the inclination, to perform an onsite audit for every single company, and there's no easy way to validate everything your startup claims about its security, they have to go on what they can validate. Enterprises are much more likely to take your word on your security measures, if your security is consistent with what the enterprise customer has been told.
Unless you're a fan of paperwork, get your SOC2 or third-party pen-testing certification.
If you have SOC2 or third-party penetration-testing results for your startup, these can save you a significant amount of hassle. When you have these things, many enterprises will choose to present you with a reasonably short questionnaire to fill out in order to get to grips with your company's security.
If you don't have these things, however, get ready to fill in a huge, detailed questionnaire, since an enterprise -- your startup's potential customer -- needs to obtain as much information as possible on your startup's security, since they have little else to go on.
If your startup seems blasé or uninformed about its security, it's a big red flag.
For example, if a startup chooses to store data on a cloud, and hands over that cloud provider's SOC2 certifications as proof of their own security, this doesn't go down well with CISOs. The CISO at Paychex said that this shows that a startup doesn't take the security process seriously, and suggests a lack of security awareness on the part of the startup.
The CISO at Paychex said that often, startups don't focus on security, and it's a side of business that is often 'completely ignored' -- entrepreneurs often don't have enough knowledge when it comes to setting up good security practices. Often, startups focus too much on the product or service they are building, and not the security measures protecting it, making them a cybersecurity risk for any enterprise customers they acquire.
Potential enterprise customers will always ask for your security policies.
If you think you can coast by without drawing up security policies which are relevant and specific to your startup, then think again.
When assessing a vendor's security, enterprise customers will always ask for its security policies, in order to evaluate whether doing business with your startup is safe and will not pose a risk to their company. What we can take away from this is to make sure that your policies, firstly, exist, but then are also well thought out and actually enforced within the company.
According to Mr. Schaufenbuel, enterprise customers divide vendors into different risk categories -- high vs low risk -- and the type of relationship they would have to the company -- business critical or as a limited service vendor. Based on these metrics, an enterprise customer will decide how thorough their security assessment will lookand how strict the adherence to their requirements will be before they let a deal go through.
So, if you want to make your startup enterprise-ready, we think it'd be smart to review these learnings from the CISO of Paychex and prioritize building a robust security program for your startup to enable you to win over your enterprise customers more effectively.