Sharing Security Documents
You’ve spent time implementing a security program, complete with policies, procedures, and controls, and you’ve even gathered evidence to show that the program is healthy and functioning. Now what? We say sharing is caring! When it comes to trust, security platitudes are cheap; sharing the tangible evidence that your organization is up to the task of supporting a customer’s mission is as good as gold. Putting the control in your customer’s hands and not getting in their way with arbitrary gatekeeping allows them to move quickly and you to focus on maintaining your program.
When it comes to sharing trust-building content, you can aim for the status quo, or you can think outside of the box.
Talk to your sales team and review customer contracts to get an understanding of customer requirements and what can help accelerate the pipeline. Your program is not your competitors’, so why does the content you provide look indistinguishable from theirs? Policies, procedures, ISO 27001 Certificate, SOC 2 Report — these documents say you meet certain expectations but don’t highlight what your organization does to exceed them. Find opportunities to stand out.
Some considerations for atypical evidence to share include:
- Penetration Test Report - Sharing the content of a recent Penetration Test shows transparency and demonstrates the true effectiveness of your program’s controls against a trained threat actor. While we don’t recommend presenting this as a document that you share with every potential customer, for high-priority partnerships, this level of openness could help solidify a valuable partnership. We also recommend that you share the version of the penetration test where exploitable vulnerabilities were remediated and re-tested. This limits the risk to your organization of a document being out there with live vulnerabilities and step-by-step details on how an attacker exploited them.
- GRC Evidence - If you have a GRC solution that collects evidence and assesses it against desired configuration states, this evidence provides valuable information on the health of your controls over time. We’re not saying to share the raw data of the payloads; those could contain sensitive information about the environment. However, if your implementation tracks the status of key security controls such as MFA enabled, adequate password and lockout policies, or even change management controls such as reviews and approvals of code and infrastructure changes, sharing those statuses can show your potential customer that not only are you aware of best practices, you are committed to effectively implementing them.
- Issues and Events - There are unforeseen circumstances and impediments that all businesses face. Recently, there has been a shift away from the knee-jerk reaction of vilifying organizations when issues occur and toward appreciation when the issues and resolutions are openly communicated. If your organization uses a status page as a communication tool for incident response activities, make customers aware of it. Demonstrating a commitment to transparency and openness will reassure customers that your organization will not compound issues by delaying action or denying impacts.
- Subprocessors - If you have to comply with GDPR, you are already familiar with the process of communicating your list of current subprocessors. As more businesses become entangled through vendor relationships, a breach at one vendor can cascade, affecting their customers, and their customers’ customers. These fourth-party connections have traditionally been viewed as going too far down the rabbit hole when scoping vendor risk assessments. However, recent incidents such as the SolarWinds Orion breach show that incidents at vendors do not stay localized for long.
- Social Proof - With the sheer number of vendor options, sifting through them can be overwhelming. Sharing real customer stories can go a long way in building trust. Being the first to test the waters can be nerve-racking and even detrimental. However, you can feel much more confident when peers in your industry are telling you “jump in, the water is fine!”
Receiving a security questionnaire from a potential customer often comes late in the sales cycle. By sharing some (or all) of the above earlier in the sales conversation, you can help avoid delays in the sales cycle and eliminate a mad rush at the end of the quarter, when the security team often gets hit with dozens (or more) independent questionnaires. For more information on the ways in which security documentation can be shared securely with individuals outside your organization, check out this post.