This article recaps CEO Ray Kruck’s live workshop of the same name at SaaStr Annual 2021.
Many executives see cybersecurity as a cost center—and understandably so. On average, it accounts for about 15% of your IT budget and it doesn’t really contribute to revenue, does it? It’s a little like insurance: You don’t really notice it until something goes wrong.
Here’s the thing, though: Cybersecurity can significantly impact your top line. We’ve seen businesses triple (3X) their win rates thanks to a solid security posture alone. And the good news is you don’t have to be an enterprise with a huge budget to kickstart your information security program. Startups can cheaply (and cheerfully) start benefiting from a solid security posture today simply by implementing the five security must-haves we’ve outlined below.
Being able to achieve ISO compliance with Tugboat unlocked $6,000,000 in pipeline revenue for us. That’s only just a few clients, but those were clients we literally could not have landed without the Tugboat platform.
– Adam Jaggers | CTO, XOi Technologies
1) Transparency
You heard me right. Must-have number one is transparency, which doesn’t cost a cent.
If you can’t prove your SaaS products are secure, eating up market share is going to be a real struggle for you. That’s because 71% of businesses require vendors to prove their systems are operating in a trusted state. And how do you do this, you might be asking?
Transparency.
It turns out being transparent isn’t all that difficult. To start, you can:
- Build a culture of transparency. Emphasize failing fast and recovering faster. Become obsessed with solutions, not mistakes.
- Put a privacy and security page on your website. Grammarly has a solid example if you’re looking for inspiration. Here, you’ll want to outline how you collect and use customer data, your security capabilities, certifications, any relevant associations you’re a member of (like the Cloud Security Alliance) and by all means, show off your internal security expertise. Some businesses even include downloadable privacy and security white papers and links to security reports. The point here is to put everything on the table and project confidence.
- Share your privacy policy, cookie policy, ESG policy, etc. Some of this stuff is required by law, depending on what jurisdiction your business is in. Some of it isn’t, but it matters to your customers. In either case, sharing is caring.
- Create security collateral to support sales. This is a biggie, and it’s too often ignored by startups. Make sure your sales team has documentation that speaks to your security posture and provide it to prospects before the tech due diligence phase.
At the end of the day, these tips aren’t nice-to-haves. They’re absolute must-haves. I’d go so far as to say that they’re table stakes in today’s SaaS economy and critical to building trust in the marketplace.
2) A Security Champion
Company privacy and security websites love using the line: “Your security is our priority.” You’ll see this message, or some variant of it, a lot. While the sentiment is admirable, it can be difficult for businesses to actually deliver on.
That’s where your security champion comes in.
They empower your team and make sure you’re walking the walk.
Now, you might be thinking: Hold up, I don’t have the budget to hire a dedicated security professional.
Well, guess what? You don’t need more budget. Appoint one of your existing employees. It could be you, your CTO or a dev. It could be anyone, assuming they’re passionate about the cause. Just be sure these new responsibilities are reflected in their job title. It not only creates accountability but also reassures customers and prospects.
Security Champion Roles and Responsibilities
- Security awareness training. Don’t shirk this. 54% of startups do, and it ends up costing them big time. If you can’t invest in a program, there are plenty of free resources that offer comprehensive training. We cover some of them here.
- Documentation. Your security champion will help you document your information security program—from your policies, to your controls, to evidence proving those controls are working. They’ll also socialize your documentation to ensure employees are aware of your policies and know how to support them.
- Security questionnaires and RFPs. Chances are, you’ve already gotten a security questionnaire from a potential customer. These things contain 300+ questions and no two questionnaires are the same. Your security champion will help you streamline the response process, so that you can spend more time selling (and closing deals).
- Privacy requirements and contracts. Someone needs to make sure your information security program reflects what you’re promising customers.
- Audit readiness and compliance. You might not be looking at a security standard like SOC 2 or ISO 27001 yet, but you will be. Your security champion can help you manage the process, from preparation to audit.
3) A System of Record
If you haven’t documented your information security program, then it might as well not exist. That’s because it needs to be provable—to internal stakeholders, customers and prospects.
Information security programs consist of three things: your policies and procedures, controls, and evidence that proves those controls are working. So you need to document everything and ensure that documentation is centralized in a system of record where it’s easy to access for all stakeholders. This might sound like a lot to manage, but the earlier you start, the easier it’ll be.
The benefits to a system of record are threefold:
- Improves your security by providing you with much-needed visibility into your program (and any gaps that might exist)
- Makes your program sharable, which is critical if you want to build trust
- Simplifies compliance and streamlines security audits
Thankfully, your system of record can be as simple or as sophisticated as you need it to be. Some businesses might opt to store their documentation in a shared drive, with defined access privileges on the shared folders. Others might decide to adopt software like Tugboat Logic, which handles everything for you. Whatever the case, make sure you have a system in place.
4) A Vendor Evaluation Process
51% of businesses have experienced a third-party data breach. In other words, there’s a one-in-two chance your sensitive data will be exposed by a vendor you work with. This is why it’s so important to give your vendors the gears when it comes to information security.
Remember, all vendors you work with must be able to deliver on the same quality of security you do. In a sense, your vendors are your business.
The vendor evaluation process doesn’t need to be complicated. It simply needs to exist. Believe it or not, prospective customers will need to see proof that you’ve actually vetted your vendors.
So, how do you do it?
First off, if you haven’t evaluated any of your current vendors, I’d get your departmental leaders to list out every cloud-based application their teams use. Everything.
Then, find out whether or not you’re actually sharing sensitive information with these vendors. If it isn’t anonymized, then it represents a risk to your business. You can effectively think of these vendors as your business, like I mentioned above, because they basically are.
Next, you need to decide what level of security assurance they should be providing you with to prove they’re offering the same level of security to your customer information as you are.
This could honestly be a conversation and a handshake. It could be customer references. You might even draft up your own security questionnaire for them to respond to. Or maybe all you need is their SOC 2 report. Whatever the case, this process should be formalized and maintained regularly by your security champion.
5) A Standardized Contract
From a security perspective, contracting is often overlooked, and it really shouldn’t be. If your contracts are a mess, forget about an exit.
So if there’s something you really should invest money in, it’s a good lawyer. Your contracts should have clear terms of service and SLAs. You should also include realistic security and privacy commitments and expectations. Make sure you have a data processing agreement (DPA), and don’t make promises you can’t keep!
Finally, set guardrails for your team on what’s negotiable and what isn’t. Don’t accept unlimited liability on, say, data breaches. Terms like these absolutely will impact your exit. Resist the temptation to think in the short term, even if it means signing on your first big enterprise deal.
Final Thoughts
Okay, so to recap what we’ve already covered:
- Transparency = Trust. Show off your InfoSec program at every opportunity.
- Empower your team with a security champion. Someone has to take the reins. Who will it be?
- Create a system of record. If your InfoSec program isn’t documented, it doesn’t exist.
- Your vendors are your business, vet them! Make sure they can deliver on your security.
- Simplify contracting (and don’t make promises you can’t keep)!
By adopting the five cybersecurity must-haves outlined above, you can get secure, build trust and sell more without breaking the bank. If you’re looking for a low-lift way to implement these must-haves, we can help. Tugboat Logic’s accessible Essentials package is designed to help SMBs launch an InfoSec program. And it costs as little as $45/month. Think about it. And feel free to get in touch with us if you have any questions.