Tipping the scales… Cybersecurity as a Differentiator

For many years software and SaaS organizations have seen Cybersecurity as simply a liability on the balance sheet; a required cost of doing business that adds little value. The business likened it to insurance. You have to have it in hopes you don’t use it. It really only has a value if something bad happens. You see where I am going with this. (As a side note, at its worst cybersecurity has been used as merely a checkbox. I have plenty of stories on this.)

That is simply the wrong way to look at any security investment, and the tides have turned. In many organizations, security is becoming a necessity; a requirement to even be considered by their customers and potential customers. In the more progressive companies, security is being leveraged as a critical differentiator between their organization and their competitors. Security teams are being asked to meet with potential customers to share the steps taken to protect their data. This is becoming more prevalent among SaaS (Software as a Service) providers. As organizations continue to utilize SaaS for their most critical applications, the security of those SaaS providers is tied to their own success.

Put yourself in the shoes of a CIO/CTO (where you may already be). You are responsible for the most critical infrastructure and applications your widget company has. Let’s say that you are on the hunt for a new inventory management system and you adhere to JIT (Just in Time). The uptime of that application and the business’ success are tied to one another. You must evaluate the security of that application… especially if it is SaaS. Is that now a critical factor in your decision making? I’d argue it is right behind the minimum functions needed for the application to work for your business.

So, let’s pivot back to the provider of that SaaS solution. Your CISO now has an opportunity to no longer position security in the same light as insurance. Your security posture is now a critical differentiator between you and your competitors. It might sound like a small nuance, but this change in perception is truly game changing. You must now build security into everything you do. DevOps, sales, marketing, etc. are all looking to you to be one of the differentiators that actively wins business.

Sounds pretty rosy, right? CISOs, you are now much more important and budgets are easier to acquire with this newfound respect from the other business units. (Yes, that last sentence has a tinge of sarcasm.) Well, now there is a new skill set that you need to build or hire for. You need individuals that are capable of speaking to and illustrating your security posture. They need to inspire confidence and speak to both buyers and security professionals about the controls in place to ensure CIA (Confidentiality, Integrity, and Availability).

As you start to evaluate this in your organization, here are some key questions to consider:

  • Does your business talk about the security of your platform to potential customers?
    • If not, I bet your competitors are.
  • Have you appropriately documented your protection mechanisms for your customers?
  • How do you handle audits?
    • Do you hire independent auditors and make the audits available to your customers?
    • Do you allow customers to conduct their own audits?
  • Is your security team aligned with other business units, especially your sales team?
  • Do you have individuals in your security team that are able to present your security posture to your customers and potential customers?

If you are on the other side of this equation… the buyer:

  • Do you ask about the security of your SaaS provider?
  • Does your provider have a team to address your security concerns as they arise? (Are they timely in their responses?)
  • Are you committed to walking away from the perfect SaaS solution if the security isn’t right for your organization?

What are your thoughts? I’d love to hear them! Does the above only apply to SaaS companies or does it apply to more traditional businesses as well?