What Startups Need to Know About How Enterprise Customers Evaluate Vendor Security

Al Yang
October 16, 2020

While setting up a good security program is usually one of the most overlooked areas in the early days of a growing startup, even one built by seasoned entrepreneurs, it is one of the most important factors in deciding whether or not you can successfully close a deal with enterprise customers. Unsatisfactory information security is one of the key reasons why deals fall through for SaaS startups.

Don't let your enterprise deals fall apart because of information security risk

To help remedy this, SafeBase is on a journey to speak to Chief Information Security Officers (CISOs) at some of the most established enterprise customers for SaaS startups, to find out what they really care about when it comes to a startup’s security program.

We most recently spoke to Maarten Van Horenbeeck, Chief Information Security Officer of Zendesk, a customer service software company based in San Francisco that allows companies to engage with their customers using real-time chat across their website or app.

Maarten has been the CISO of Zendesk for the past two years. He previously worked as a cybersecurity policy fellow at New America, served as Vice President of security engineering at Fastly, and was chairman of the Forum of Incident Response and Security Teams (FIRST), giving him an extensive background in incident response. As such, when it comes to security, he knows what to look for in startups that Zendesk is considering purchasing products or services from.

Here’s what we learned from him:

CISOs don’t always use third parties to assess a vendor’s security.

In contrast to the standard practice at Paychex, at Zendesk they don’t bother with a third-party security scoring firm and instead rely on other means to assess vendor security. Maarten revealed that he considers third-party ratings only a partial indicator of a startup’s security capabilities.

Since Maarten has worked in numerous security positions at a number of companies, he knows first-hand that looking beyond the score is important: even when a rating site gives a company a low score, it doesn’t always mean that adequate security measures weren’t in place. A vendor may be misrepresented because its business stores data on behalf of customers, or it may score very highly for an external reason that says little about its internal practices.

Zendesk uses questionnaires and personal interactions to assess a vendor’s security.

Unsurprisingly, each new potential vendor hoping to work with Zendesk is evaluated on their security before any agreement is signed, and this begins with the completion of a security questionnaire.

Unlike some other enterprise customers, Zendesk is familiar with the challenges of being a vendor to their own customers. Rather than forcing prospective vendors to complete an enormous questionnaire, they ask only the most essential questions. If the vendor is going to be working in close association with Zendesk’s sensitive information, they have an additional vetting step in order to guarantee that information’s safety.

From this point, the interaction moves to an in-person discussion, as the people at Zendesk value human relationships as a key indicator of trustworthiness. They will usually conduct a phone call to learn more about the vendor and the security measures in place, as well as to suggest any improvements.

Having SOC 2 and ISO 27001 is essential.

If your SaaS product integrates with your enterprise customer’s product, or is otherwise working in close association with their sensitive information, having these security certifications is a must at Zendesk.

In the eyes of a CISO, there’s no point taking a risk on a vendor that doesn’t have these certifications. And for in-product use, Zendesk rarely deviates from this stipulation, unless it’s for a very special reason.

Zendesk doesn’t need your startup’s security to be perfect right away.

When working with vendors, Zendesk may ask for improvements or changes to your startup’s security. They don’t expect your security system to be perfect immediately, but in order to ensure a good working relationship with the company, you need to agree and commit to making the changes that Zendesk considers necessary.

Transparency is everything.

Rather than trying to talk up your security practices, just be honest. That way, the enterprise customers you want to work with can tell you straight up what you need to improve in order to reach an acceptable level of security to sign a deal with them.

If you aren’t honest, they could find out later down the line that your security isn’t as comprehensive as you’ve said it is. This will damage your relationship with the customers you’ve won, if you’ve already secured the deal, and will make them question you in the future.

After you’ve closed the deal, according to the CISO at Zendesk, CISOs want real-time updates on the security of your company: when you close a loophole in your security, you should tell them straight away. Maarten says that, at Zendesk, they don’t have the capacity to follow up on every single improvement they ask for during procurement, so trust and relationships are paramount. Vendors that are proactive about reporting their security updates to Maarten and his team often become strong partners.

If you want to win deals with the world’s most established enterprise customers, make sure to be honest, ensure that you have the certifications to show that you take security and the safety of their information seriously, and don’t stress too much about your public security score, since there are other ways you can prove the strength of your startup’s security program.

To learn more about how Zendesk protects customer data, be sure to read their blog post on the topic.