A number of our current clients, especially in the technology and SaaS sector, are startups or spinoffs with very exciting products. Prospects—including large enterprises—are lining up to evaluate them. But when the discussion turns to security and compliance attestation, which established firms often require, these young companies don’t have a lot to talk about.
What can a business in this position do to stay in the game?
After all, every company is young at some point. Most such firms understandably aren’t mature enough from a process standpoint to hold information security certifications like ISO 27001 or SOC 2—though they may be actively working towards obtaining them.
If your business is in this position, embrace it! It’s OK and expected you don’t have security (yet). This doesn’t mean you can’t provide products and services to major enterprises or regulated businesses like banks or healthcare institutions. You may just need to communicate differently about your evolving security posture.
Start by telling prospects what you’re doing on the security front.
If your company is “an ISO 27001 candidate” and actively working with a security consultancy, say so.
Hopefully your security advisory partner can help you with this “positioning.” For example, at Pivot Point Security we offer a “Letter of Engagement” that documents what a client has engaged us to do, including a project plan, timelines, etc. That’s a lot better story than “no story.”
If you’ve got a killer product that could really energize an aspect of a prospect’s business, they might very well accept on a provisional basis this kind of upfront, nonformal “attestation.” In fact, there’s a longstanding precedent for this in the security industry. We call it “alternative assurance.”
This level of assurance can be helpful when a client or prospect asks if a vendor has a formal security attestation and they don’t. What they do have is “alternative assurance,” in the form of documentation and/or penetration test results or whatever, which helps the requestor feel a little (or a lot) better about their evolving security posture.
It’s about both parties knowing where things stand and verifiably moving in a positive direction that will shortly culminate in more formal assurance.
The idea that young companies can’t penetrate GM or Google or Walmart because they can’t comply with their vendor risk management requirements is unnecessarily limiting. Ditto the belief that big companies aren’t “allowed” to buy your offering because they can only work with established vendors that have compliance strategies in place.
If your product or service adds enough value and you’re moving towards compliance with the support of a solid security partner, you may very well be able to interest the big guys. What are you supposed to do, put your offering in a freezer while you put InfoSec programs in place?
To talk with a proven, forward-looking partner about how best to move your security posture forward, and how to represent that positive momentum to clients and prospects, contact Pivot Point Security.