At last we've reached the end of this ramble around common challenges
to building trust between competing but complementary goals.
I want to close by
sharing alternatives to a few of the Seller strategies I've
experienced over the last 14 years. My hope is and has always been
to try to help my peers on the seller side answer their biggest
question: "So what can the Seller InfoSec leadership really do
in this mess of conflicting priorities to make the due diligence
conversation more efficient?"
Dealing with weak skills
No matter what size you are, don't accept a bad partner in the due
diligence conversation. If your future partner's IS team is not able
to understand your tech and choices, the process will be too expensive
for both of you. Call out the efficiency impact created by their
knowledge gap. Ask for someone more experienced. Sure, you may not get
the replacement you would prefer, but at least you will be recognized
as the more experienced party. Helping the other side's leadership see
your thought leadership is a win-win if you are respectful. A weak
collaboration harms both of your visions for a strong partnership.
Weak collaboration always results in longer discussions, executive
confusion and frustration, and delays.
Dealing with small budgets
Budgets will always be tight for your IS in the early days. If you
run into a giving, strong Buyer, being obtuse and trying to avoid the
discussion is not a recipe for success. Acknowledge the experience as
an outside challenge that confirms your team has done a reasonable
job. Of course it can be challenging to have your weaknesses
identified, but this should only happen if someone above you let greed
win out over a healthy balance toward compliance. The buyer's advice
may even help you figure out what you missed that has already been
exploited. At best they may find where your metrics weren't accurate.
Best of all, it will feel good afterwards when they confirm you are
already on your most optimized path. The customer feedback that
justifies the priority of investment in your road map will be the big
win.
Is the "Op risk" defense really worth it?
Should I hide my details and push back hard to reduce my cost of sale
or to avoid "Op risk"? These tactics will see diminishing returns. Do
not use this as a first or even second response, even though it seems
like a strong position to claim. Do acknowledge when you've reached
the limit of your response budget, though. These assessments should
be a collaboration. Every assessment should make you better and more
efficient. Why do you have an NDA if not to support information
sharing? The NDA should allow you to build trust and protect your
valued information. It should empower you to collaborate. If you
claim you can't trust the assessor, why should they trust you? If you
resist, it makes it hard for them not to think that you are hiding
something. If you think about it, are there really that many
permutations of possible IS technical controls? What if you turn this
around and see it as an opportunity instead of a risk? What happens if
the buyer's leadership can't adopt you because of a gap? If it was
something you knew needed attention and had already told your
leadership about, then the gap gives your argument more weight. If it
is something you didn't know about, then you learned something useful.
The worst thing that happens is you get to grow by a job change. The
best occurs when you have been open and transparent with leadership so
they know the limits of you and your team. In this state, everyone
takes the news and grows from it.
What about the big suppliers with a lot to lose?
But what if the Seller
is HUGE? What if they have a long history and a lot to lose by
revealing their secret sauce? What if they have not deployed that
latest gadget or Managed maturity across the board? What if they
have thousands and thousands of clients? What if they are always
changing and evolving so it isn't practical to answer every Buyer
inquiry?
Many big companies try third-party certifications. This will address
the majority of your target market, if it includes small and mid-size
risk takers, of course. What happens if you skip, avoid or fail a test,
or don't cover a recently added product? There will be whales with low
risk tolerance who need to know more. If these whales are not willing
to cover the cost of assessment, then you lose them. It is critical to
get the right balance of testing and transparency to avoid this.
Customer feedback is essential. Don't only aim for "No exceptions
noted". Honesty is your best policy. Every good security leader will
acknowledge you are on a journey. They will take the details and
exception information and use it for trust and tracking instead of
doubting, for a win-win.
How about this evolving idea of Continuous Compliance? One advantage
of being bigger is your ability to invest in maturity. Dashboards are
often created for IT and business leaders. You already spend time
monitoring IT leadership to stay on point for the most valuable IS
metrics, right? It was already an agreed primary goal anyway, so why
not share those metrics with some clients to build trust? If you have
already had the discussion, you can cut off the majority of
escalations. Involve Sales in the presentation to avoid unexpected
escalations. This builds relationships that improve trust instead of
worrying about hiding secrets. And the extra win is that knowing the
metrics are shared helps keep eyes on your most critical IS metrics.
If you don't want to lift the curtain for multiple customers, a
fallback would be to direct customers to some other independent
service provider to which you supply your continuous compliance data.
I want to end with an example I experienced again recently. I have
seen this approach only twice in the last 14 years working as a
Buyer's IS guide. I am a little surprised that this isn't chosen more
often. It seems hard to miss the huge leverage opportunity it brings
for a lower cost of sale. This approach also provides a justifiable
homogenization of your security road map. The solution is the
collective, on-site visit. Yes, I actually mean invite all your
customers to stop by together. This may sound a bit nerve-racking or
hard to pull off, but bear with me. First you need to get your team
together. This is going to impact them on specific days and at
specific times, and they must attend, so plan for backups. Next you
need to get everyone clear on the goal. Is your management only
interested in keeping cost down for this process? Or is customer
satisfaction and feedback the real goal? Next, you won't get much
value if your clients' IS attendees don't have a few details and
ground rules. You should provide your last SOC2 several weeks ahead
of the on-site. If your management wants feedback (and you want some
leading indicators), send the SOC2 with a request to provide written
feedback. Make sure they send it well ahead so you can improve your
presentation. When they come on site, don't skimp on the days of
information sharing unless you want them to worry. The frequency and
volume of post-visit requests depend on it. You do not want this to
appear to be about your needs. (That is, unless you have a strong
position in the market.) Provide the agenda well in advance. If you
can afford it, provide separate tracks. You will have customers who
had their questions answered already. Some will only need to read
policies and see evidence of execution, which they should have
identified as feedback to your SOC2. Lastly, I'd suggest you do this
quarterly. This will give your Sales team a mechanism to keep their
eager, bigger customers happy. It will provide a schedule for your
partners to align with, for double value from the checkup. Don't
forget to take care of your internal team, though. Spend time after
the visit on optimization of metrics and delivery to reduce the cost
of the next assessment. Then kick off your quarterly strategic
planning meetings right after the visit. This will keep those
customers' needs visible to enable the business.
(Breathe) Wow!! This
has been a lot of rambling and I think it's past time to wrap up.
To wrap up, please
recall that a reasonable check and balance system is a win-win from
the Federalist Papers. I hope you have seen the similarities in my
re-frame of the vendor trust problem space. We all could do better
together instead of only seeing each other as opponents focused only
on our own win.
Publius the assessor