Data breaches are more common than ever, so companies are scrutinizing their vendors' security posture and compliance standing. The initial vetting of any third party typically begins with a comprehensive security questionnaire, the dreaded "supplier cyber security checklist". The effective way to tackle it is to mature your security program, fulfil the compliance requirements your customers care about, and become questionnaire-ready, all as one effort rather than three.
Success! Your sales leader tells you the team has landed a massive deal. But to close it and start reaping the rewards, there is one last hurdle: compliance. How do you clear this barrier and unlock your business's growth?
Start by picking a core standard
Think about your sales targets and your geography, and pick a core standard that can act as an anchor for your organization. Here are some rough guidelines; reach out and we can help you finalize a choice:
If you store, process or transmit cardholder data, PCI DSS will likely be required of you by your acquirer or the card brands.
If you're a SaaS or other service provider, a SOC2 Type 2 report is often a good choice. Type 2 tests that your controls operated effectively over a period (typically 6 to 12 months), whereas Type 1 only confirms they were designed suitably at a point in time, so customers tend to ask for Type 2.
Sell a lot to US companies, especially government or its suppliers? NIST, for example the Cybersecurity Framework or SP 800-53.
If you're active in the EU or globally, ISO 27001 is a good foundation: 27001 is the certifiable management-system standard and 27002 is the companion catalogue of controls.
All of these standards overlap, so if you tackle one of the major ones you will already have covered a large share of what the others require. The Compliance Cheat Sheet can help you decide which standard suits your business best.
Designate a lead
Every critical project needs to be managed properly. Choose someone senior enough to manage the work and budget and to champion the initiative across the company. You can also rely on third-party expertise such as that provided by Kobalt.io's team; outside professionals experienced with the standard can accelerate the process and lower your costs.
Perform a gap assessment
You need to know where you are and what it takes to reach your desired state. For example, a third party can carry out a SOC2 Type 1 readiness assessment for you: they work through a security questionnaire with you to build a holistic picture of the strengths and weaknesses of your security program against the compliance requirements, and you end up with a bird's-eye view of your security roadmap plus recommendations focused on SOC2 or other standards (e.g. NIST and ISO 27001).
Recognize that it’s a process
In the early days it may be enough to "align" with a standard and set a goal of achieving compliance, a certification (such as ISO 27001) or an attestation report (such as SOC2). Eventually you'll want to fix a date, driven by an audit, a third-party agreement or some other external requirement, that your team aligns to and rallies behind. Once you've completed the audit and achieved your status, you'll need to periodically reassess and update your workflows and processes to deal with changes to the standards and to your environment. Neither outcome is permanent: a SOC2 Type 2 report covers a fixed period and is typically renewed annually, and an ISO 27001 certificate is maintained through surveillance audits.
Prioritizing cyber security can unlock business potential by expanding your ability to meet clients' compliance needs and security concerns. Contact us when you're ready to tackle this and take advantage of our team's deep expertise.
RESOURCES
Webinar: Navigating Security Questionnaires, Compliance and Closing the Deal
If you're selling to large enterprises, government or other regulated industries, you'll have come across the dreaded "security questionnaire" or complex security contractual terms. It's a chasm you need to cross to close the deal and take your business to the next level, but for those who aren't immersed in security the technical terms can be complex, the costs uncertain and the risks high.
This webinar explores cost-effective ways to address specific client needs and how best to answer the dreaded compliance questions (SOC2, ISO27001, NIST 800-53, HIPAA, GDPR and others).