It used to be that SaaS providers could deal with security and compliance related items a couple of times a year with limited focus and effort, while attempting to check the most common customer-facing Information Security boxes. This learned behavior evolved more out of necessity than anything else. Many SaaS providers can’t afford the cost of hiring dedicated security personnel, so existing IT staff are expected to take on Information Security responsibilities, in addition to their existing duties, with little to no further training or mentoring. This is “that” topic neither side wants to talk to the other about. Management fears the discussion could lead to additional staffing costs, while IT staff let their job insecurities get the better of them, fearing that any push back will lead to their employer replacing them. These unspoken expectations only lead to more ambiguity around security obligations, scope and responsibilities. Another factor has been the widening Information Security skills gap, which has further contributed to this “don’t ask, don’t tell” culture, where SaaS providers’ customers and their employees end up on the losing end of a preventable security incident or, worse, a data breach.
To overcome these adopted biases, senior management will need to openly acknowledge and socialize that Information Security requires specialized skills that demand practice and nurturing to keep up with the ever-changing threat landscape. Responsible management of an organization’s Security Program is fundamental to organizational health and involves a particular set of skills, knowledge and experience. This is even more crucial for Service Providers because of the additional responsibility of securely hosting business-critical data for external paying customers with contract-specific compliance requirements. At the same time, those buying SaaS products are becoming more informed and, as a result, are demanding evidence of good security practices from Service Providers rather than just taking their word for it. When revenue begins walking out the door because a particular SaaS provider has a sub-par security program, it stands to reason that they will be forced to tackle the security program challenges that are acting as roadblocks for sales. For example, some customers require their Service Providers to go through an annual SOC 2 Type II review. This helps to provide assurance that the Service Provider is following best practices and has implemented reasonable controls to protect customer data. This sentiment is being echoed by new laws and regulations that help drive stronger security standards for service providers. What was once considered ignorance is now being viewed as negligence. Consider the upcoming EU Data Protection Directive that goes live in May of 2018. Most worthwhile leads for SaaS providers will involve a global workforce, which is why most Service Providers will be required to comply with GDPR or risk paying large fines and losing customers. The good news is that there are plenty of great, freely available resources online to help those unfamiliar with GDPR learn more about it.
There are also many quality third-party services that offer advisory and assessment services to help companies navigate these complex compliance requirements. Ensuring these critical obligations are maintained is the crux of any security program, and ensuring that at a fair and reasonable cost is why our vCISO Program exists.