Why should security attestations be different from clothing, shoes, bank accounts and, well, a lot of things… You may not like it but you can’t get around it. The simple fact is that going after big clients means you need big attestations.
If you’re selling software as-a-service or as a component of a broader offering, the size of your company is not what matters. What determines whether or not you need a full-on security attestation like ISO 27001, SOC 2 or CSA STAR is the size of your clients and prospects.
The lack of a security attestation is a potential barrier to entry with major customers, which is often the main driver toward a compliance certification or an attestation. Pro Tip: Be sure to consult with your sales and marketing teams about security attestations. If you want to become ISO 27001.
If your company is small and your target clients are also SMBs, then maybe you can afford an “uncertified” information security posture. But if you dream of working with Google or Chase Bank, you’ll need one when they inevitably ask, “OK, show me your SOC 2.”
Of course, industry also matters. Clients in regulated industries, whatever their size, may have no choice but to insist their vendors have a robust, verified security posture. And if you’re selling something non-physical like software—especially new software—then practically any stakeholder might want to see an attestation to confirm that it’s safe and secure.
If your business needs to prove its product, service and/or processes are secure and compliant, contact Pivot Point Security. That’s what we’re all about.