Every small business is unique, and should consult a qualified attorney for advice on the FTC Safeguards Rule. But, as cybersecurity professionals we believe you should have access to a way to jumpstart your effort, while you work with counsel on any unique particulars related to your situation. So, today we’re offering extremely actionable steps that would be a great step towards some of your FTC Safeguards Rule obligations. Let’s cut straight to the chase:
Blog Posts by Phil Leslie
We’ve talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.
But, a sticking point in those conversations between founders and enterprise compliance teams can be… well… compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.
So, founders are especially wise to try to anticipate what compliance questions they might face in enterprise security questionnaires. With that information in hand, founders are equipped to go on the dual track that we most frequently recommend: preparing compensating controls until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes a while). We see this very frequently with SOC 2: we often find that our clients are able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that are often relevant to SOC 2, even if they don’t yet officially have a clean SOC 2 report supplied by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.
When a founder-led business gets their first Vendor Security Assessment, it’s a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise — often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as far as figuring out a way to acceptably answer the difficult questions therein.
One topic that comes up frequently is testing. Enterprises know that early-stage companies are often highly resource-constrained, and that raises the question of whether the product/solution has been tested in a way that gives confidence that the startup can deliver the way they say they’ll deliver. From the enterprise’s perspective, probing on testing practices is just a “common sense” way to get a sense for the maturity of the small business that they are considering working with.
But, what types of tests are startups being asked about in a typical Vendor Security Assessment? We set out to answer precisely that question by analyzing our internal archive of vendor security assessments, and here’s what we found.
Vendor Security Assessments are slooooow to change. If there is one part of a large enterprise that has a thankless job, it’s the IT compliance team that is charged with creating, revising, and reviewing vendor security assessment processes and forms. Make it too difficult, and business sponsors (buyers) across the company get upset that it takes too long to onboard their favorite new vendor. Make it too easy, and the enterprise takes on headline-grabbing cybersecurity risk that has wide-reaching regulatory and reputational impact.
So, in the face of these opposing pressures, what happens to an enterprise’s vendor security assessment forms / questionnaires over time? In our observation, almost nothing. You heard that correctly: the vendor security assessments that a particular enterprise had in place 12 months ago are almost certainly what they have in place currently.
If you are considering a SOC 2 Readiness Assessment, now is the time to think critically about what you want out of that process. Most companies pursuing a SOC 2 Readiness Assessment see it as their smooth on-ramp into a full SOC 2 examination. And, they see it as a way to preemptively identify and resolve any major gaps in their security program.
In almost any imaginable case, that approach is dramatically better than getting knee-deep into an audit and discovering that you have a huge pile of urgent remediations that you need to take care of in order to obtain a clean SOC 2 report (an “unmodified opinion”). If you find yourself discovering major SOC 2 shortcomings during an audit, something went very wrong during your readiness effort.
So, SOC 2 Readiness Assessments are a good thing, right? Yes. But only if you pick one that is rooted in TSP Section 100.
Before we get into the interplay between vendor risk assessment and security awareness training, let’s get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It’s a smart move either way.
However, as a company that specializes in working with founding teams, we know that sometimes an early-stage venture hits a growth stride so quickly that the forcing function (a vendor risk assessment) arrives faster than the intuitive thought of “we should probably be doing some security awareness training” — and we certainly empathize with founders in that situation.
SOC 2 Readiness Assessment has become a buzzword amongst the community of founding teams that are starting companies that sell their services to big businesses. And why shouldn’t it be? Most startups with that particular go-to-market strategy will almost certainly need to successfully complete a SOC 2 examination to satisfy enterprise requirements at some point now or in the future. So, “readiness” is a natural first step.
Today we’ll zoom in on a particularly misunderstood topic — one that is even misunderstood by many of the SOC 2 Readiness Assessment providers. If it’s misunderstood by some of the companies that are conducting SOC 2 Readiness Assessments, we’ll bet it’s also misunderstood by the founder-led teams that they serve.
Today’s misunderstood topic is the interplay between service organization commitments and contractors.
When founding teams find a way to survive their first vendor risk assessment — usually on the tail end of making their first enterprise sale — it’s a moment that calls for celebration. At Havoc Shield, one of the absolute best moments for us is when a client calls us back and says “with your help, we made it through that security questionnaire” — it’s a celebration on our end too! But, is the end of a vendor risk assessment the final chapter in the vetting that the startup will face from their new enterprise customer? In a word, no. We’ll explore below.
We recently dug through 100+ vendor risk assessment templates and released some of our initial findings. We’re motivated to understand the prevailing norms in these types of assessments/questionnaires because our clients tend to find themselves on the receiving end of these types of documents on a frequent basis. When we can do a great job of helping our clients predict what security questions are likely to arise, it helps our clients prioritize which security controls to push closer to the top of the prioritization stack. One of the topics that is almost always covered in a vendor risk assessment is the matter of infosec policies and infosec plans. 88% of the vendor risk assessments in our analysis contained questions about plans and policies.
Every day we talk with startup founders about small business cybersecurity. Although we’d love to speak with founders that spontaneously decided to “do more” about cybersecurity, our conversations usually start very differently than that.
Most often, there is a very specific and urgent cybersecurity-related need at hand. And an urgent call to our team for help thinking it through. We’re happy to help — not a problem! However, for the benefit of founders that haven’t yet hit one of those moments, here’s what folks a few steps ahead of you are running into. We’re glad to help with these more proactively if you’d like, to save a hectic scramble later.