If your B2B startup is selling to enterprise companies, there is no doubt you are noticing an increased level of scrutiny around your company’s information management practices.
You are seeing an increase in questions about your company’s security posture and compliance with privacy regulations, such as GDPR. You are probably getting lengthy security questionnaires, asked about third-party penetration tests, SOC 2 reports, ISO compliance, or other security audits.
Several years ago, this was not a frequent thing. Certainly not to the degree that we see in enterprise security requirements or evaluations today.
What Happened? Why Are Startups Under So Much Pressure Now?
Let me give you a few highlights from recent years, to show just how quickly cybercrime and malicious hackers became a top business risk.
- In 2017, Interpol calculated that cybercrime passed illicit drug sales, becoming the new leader of the black market. Cybercrime generates big money for the criminals involved.
- In 2018, revenues from cybercrime were estimated in excess of $1.5 trillion dollars.
- Now in 2019, cybercrime continues to exceed all other black-market “businesses.”
- By 2021, Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually.
This exponential growth in illegal activity has gained the attention of the C-suite, boards, and government officials. Across every facet of an enterprise, the result is increased analysis and improvement of risk management. It has initiated a slew of laws covering privacy and cybersecurity. Most notably, Europe’s GDPR (General Data Protection Regulation). However, other countries and states are quickly moving to follow suit.
How Is Enterprise Responding to Increased Cyber Attacks?
As more and more major entities have been the headlines of data breaches, executives have woken up and prioritized cyber risk. This has manifested into major investments in security personnel and tools. Executives are now pushing to assess and mitigate risk across their entire enterprise.
At the same time, legal teams scurry about to figure out how they will ensure that the global enterprises they represent are not violating a variety of international, national, and state-level privacy regulations.
All these regulations have one shared component: data security. Without security to protect information, there can be no privacy.
From the perspective of the Chief Information Security Officer (CISO), this has created pressure to secure data across entire organizations. This includes the supply chain. This is where the startups that sell to enterprise come in and why the scrutiny is so intense now.
Once enterprise companies have implemented a multi-regulation privacy compliance program and defined improved data security requirements, they now have to make sure that their supply chain does not violate their new security posture. If you are a B2B startup, this is why your security is so important right now.
Startups that figure out how to mitigate risk and increase their security posture will have a distinct advantage while selling to enterprise.
What Are The Objectives of an Enterprise Third-Party Risk Assessor?
1. What risks will a supplier introduce into our organization?
The main question a security assessor considers is whether you, as a vendor, practice sufficient controls to mitigate risks to a reasonable/acceptable level.
The first part of this depends on the type of access that your product or service needs. The sensitivity or volume of data you would be processing or storing on behalf of the enterprise increases risk.
For example, if your SaaS solution is going to process a few hundred records containing no confidential data… then the potential risk to the enterprise is relatively low. However, if they are going to use your solution to store personal information of millions of their customers, that’s a much higher level of risk.
For this reason, you can expect the auditor will dig much deeper the greater the potential exposure. General cybersecurity practice dictates that the size and risk profile of an organization should be aligned with the diligence of that organization. However, when you sell a SaaS to enterprise they are not considering your size or risk profile. They are looking at their exposure via the engagement.
In other words, if you are a small company that is going to be processing and storing large amounts of personal and or confidential records, you will need to have a security posture that is much greater than many other companies your size. They are generally looking to see similar “due care and due diligence” around their information as they apply internally.
2. Does the supplier touch data or other regulated aspects of our business? (Especially any laws such as HIPAA, GDPR, CCPA, etc.)
The enterprise you are selling to may run a privacy compliance program. They’re likely one or several regulations that they must comply with. They will want to ensure that working with you does not violate those compliance requirements.
This is likely to be a priority in cases where you will be storing, processing, or accessing personal information. The volume of personal information will likely be a factor as to how strict they will be. However, we are seeing more and more enterprises requiring compliance even with small amounts of records. Or the chance that records could be accessed. In other words, the fear of lawsuits and exposure is forcing enterprise to err on the side of caution.
3. Am I covering my ass?
Most world-class organizations are going to take a serious look at your company’s data management and privacy compliance practices. They need to make sure you are following best practices to protect their organization.
There are some cases where this exercise may be driven by a need for the enterprise, their legal team, or even the auditor to cover their ass. In other words, they need a paper trail that shows that they complied with the company or government requirements.
If they’re just creating the minimum required paper trail, you could probably BS your way through the vendor security questionnaire. They won’t dig any deeper. They might not push to see if you are telling them the truth about your security policies and procedures. HOWEVER keep in mind that if you did this, you would be introducing a huge new risk to your business.
If you ever had a mishap that affected these customers, then you could be found in breach of contract, or even fraud. If in fact you lied, or stretched the truth, or agreed that you have policies or procedures that you actually do not have, that could crush your business.
Also, if you did get through a few audits with minimal work, then don’t get overconfident that approach will win your next deal. More and more organizations are prioritizing data management, information security, and compliance.
The simple “paper trail” approach is quickly getting replaced by real risk assessments into the supply chain.
Every B2B company selling to enterprise, even small startups, needs to be prepared. Security policies and plans are a crucial requirement to get through enterprise risk evaluations.