Every profession has its own language to distinguish itself from other professions and to establish an official code that governs its practices. For the Compliance and Information Security team at a typical Fortune 500 company they rely on vendor assessment documents with acronyms like: SIG, SIG Lite, VAF, VQA, SQR, SoW, VDD, MSA etc. It's essentially a set of documents or a massive multi-tab excel spreadsheet (sometimes with a cool pivot table or glossary of approved response codes!- exciting!) that is trying to answer one key question:
“Is your product or service going to put our network, business or client data at risk?” - That’s it.
The very fact that the SIG, or VQA, that the InfoSec team sent you that has literally hundreds of questions is testament to the real starting position they are taking which is: “From an security and compliance perspective, we don’t actually want your solution in our network, but the line of business is telling us we have to look at you”.
The vendor due diligence process that security and compliance is putting you through boils down to three key questions that you must address successfully as a prospective vendor. (I’ve placed in parentheses what InfoSec’s real agenda is)
Let’s break each of these steps down.Your Security Program First step is to recognize that you need to start now, and not in the middle of your procurement cycle. Automate your security program and run it off the side of your IT person’s desk. This doesn’t need to be complicated, and a basic program can be implemented in a few hours. What’s the ROI of a security program ? Answer - sales execution velocity. When you’re selling to a large Fortune 500 you need to have your security and compliance posture aligned with your client. You need to be prepared for the inevitable vendor assessment questionnaire and fumbling for answers during the sales cycle won’t help you win your deal. If you’re in a commoditized or highly competitive solution market, you need every advantage you can get. Demonstrating that you can be trusted with sensitive data is key to winning deals. Further, you can look like a hero to the org by implementing business risk policies - like anti-harassment, anti-fraud, social media policies that have real impact on the day-to-day operations of the business. Tugboat Logic offers over 45 turnkey ISO-compliance policies information security, HR and appropriate use policies and controls that will put your company on a solid footing of governance and security. If you are looking to make your mark as a security professional, Tugboat Logic is a tangible deliverable you can point to that shows you have improved your organization’s InfoSec program. SOC-2 Certification Readiness The InfoSec or compliance team at your prospective customer will almost always ask if your company has achieved an industry standard like SOC-2 or ISO 27001. The SOC-2 is becoming the most popular because it is a security-centric standard administered by the AICPA (American Institute of Certified Public Accountants) - so you can’t cheat!
The average cost of a SOC-2 Type 1 certification will average somewhere between $30,000 USD and $60,000 USD depending on the size of your organization, complexity of products/services and the scope of the audit. A SOC-2 Certification consists of two parts - the gap assessment and the audit. An audit firm will allocate anywhere from $15,000 to $30,000 for each part of the process depending on your scope. With Tugboat Logic, we help reduce the overall cost of SOC-2 by empowering you do the gap assessment and readiness yourself, and thereby reduce the cost of the overall audit as you’ll be jumpstarting the process.Further, you can re-use the work you did in preparing for SOC-2 and apply that readiness for other certifications like ISO 27,001 or SOC-2 HITRUST.Since your SOC-2 certification must be renewed annually, you’ll need an evergreen system of record like Tugboat Logics Virtual CISO Platform to track all of your controls implementations, evidentiary documentation, gap analysis, and procedures to re-use each year. By using Tugboat Logic’s Virtual CISO Platform, you can reduce the prep and readiness time by 30%, and reduce the cost of the entire certification process by up to 20%. DIY Proof of Compliance
What if you don’t have 3-5 months to get a SOC-2 audit completed? What if you’re already in the miles of broken glass hell that is the procurement department of your customer? You can take control of the procurement process, prove compliance and do it yourself.Tugboat Logic’s RFP/Audit Response solution can help you organize your response by gathering your proof of compliance in one hub, and create key reporting documents like the Tugboat Logic’s Security Assurance Report and Information Security Policy Document. These pre-formatted docs will allow your company to both communicate your InfoSec program to prospects but also enable you to tell the entire story of your company’s security and compliance posture with additional data about your company, solution architecture and privacy compliance (like GDPR readiness) that will support your sales proposals and help close deals faster. Even if you don’t have a SOC-2 audit completed yet, providing your clients with proof that you do have a security program in place and that you’re getting prepared for a SOC-2 audit with a defined time frame can sometimes be enough to get you past the procurement hurdle.
Remember - your customer is just trying to shift as much risk and liability as possible onto you, so your champion doesn’t get fired should things go awry.Conclusion
Security requirements management does not need to be painful. With Tugboat Logic, you can prepare yourself to answer the toughest client questions in minutes not months, making you a hero to your sales team.