Passing Enterprise Security Reviews
Lisa Hawke, VP of Security and Compliance for Everlaw, demystifies the enterprise security reviews and vendor risk assessment processes. She covers topics including identifying internal champions, navigating enterprise security orgs, when and how to work on security policies and compliance (SOC 2, ISO/IEC 27001, etc.), and the secondary benefits that certifications present to your startup.
- Passing Enterprise Security Reviews
- What is at Stake and How to Approach It
- Business Context: Products & Targets
- Program Frameworks
- Certs and Compliance Assessments
- Navigating Enterprise Security Orgs
- Navigating the Security Assessment
- Finding an Internal Champion
- GRC: Governance, Risk, Compliance
- People, Process and Resources
- Considerations and Benefits
- Lessons Learned
Hi everyone, good afternoon. I'm Lisa Hawke, and I lead the Security, Privacy and Compliance program at Everlaw. Everlaw is a series B legal technology startup, and we are in the B2B SaaS space.
Passing Enterprise Security Reviews
The reason I'm here today is because security questionnaires, vendor security reviews, and the enterprise security assessment have been a big part of my life for the last 3.5 years, at least at work. I'm here today to hopefully share some of the learnings that I've experienced over the last three and a half years, and some of the things that I think have helped Everlaw pass these types of security reviews as we've grown from 25 people when I joined the company, to around 180 right now, and as we've increased our presence in the enterprise space. I've broken this talk into three parts, and there are a lot of resources out there on enterprise security reviews and vendor questionnaires, so hopefully I can build on that material that's out there, a lot of it from the Heavybit community, with again, some of the learnings from Everlaw over the past three years. So, part one.
What's at Stake and How to Approach It
You may notice a theme here. It's partially because I'm a big nerd, but it's also because when I thought about preparing this and getting through a vendor security assessment and the questionnaire process it resonated with the story of Lord of the Rings, and the journey really resonated with me also. I just spent two weeks in Middle Earth touring around New Zealand, so it was fresh in my mind, but for part one of this talk I'm focusing on what's at stake for your company and how you should approach it. Or, some ideas for how you can approach it. Because in order to sell software or products and services to enterprises in the B2B space, you are going to have to go through some type of procurement process. Increasingly, I'm seeing it involves a big focus on security as well as privacy.
Business Context: Products & Targets
The first thing I think it's important to think about as you're entering this phase as a company is your business context. When you get to the point where you're trying to sell to an enterprise, your business context is going to be really important, and it can mean a few things. The first thing I like to think about is your product. What is it? Are you collecting data? If so, what type of data is that? Are you storing it or are you processing it?
At Everlaw, like I said, we're a B2B SaaS product and our platform is a litigation platform, and our clients upload lots of documents, files of all types, and we host it in our platform while they're using our service. That involves a lot of sensitive documents and a lot of confidential documents, so for us that's a big part and a big focus of the vendor security process. Whereas there are a lot of folks in this room whose product may not have a need to collect any data, or maybe that data collection or capture is ephemeral. Those things are important because they're going to come into play during that vendor security review.
Another thing to think about is "What does selling to enterprise mean to you?" Your go-to market strategy for selling to enterprises could be really different from other founders in the room, so are you targeting specific verticals? Are those verticals regulated? Think about the financial industry or the healthcare industry, or does it involve government?
Then the last one here is target jurisdiction, so where are you doing business? Are you only in the US or have you already expanded into other regions like Europe or [inaudible]? Because again, those types of considerations will come into play when you are being assessed by the target enterprises that fit into those types of categories.
It's important to understand this business context, even if you're a small or an earlier stage, even if some of these pieces of the puzzle are still in flux for you.
The reason for that is because it's going to come into play when you're trying to figure out how to build your security program and what framework you can apply. I put a couple of examples up here. Everybody's heard of ISO, you've heard of SOC. At Everlaw, when I joined the company we were only 25 people and I was the first one in on the security, privacy or compliance side. I picked a different framework, which not a lot of people are too familiar with, but the Department of Justice's guidelines on an effective compliance program. Which you might think is a little odd, but because the company -- We were so early and the company was not that big, so I actually needed something much broader. We've heard today about how culture is important in security, and we've also heard about how important it is to build security into your business thinking. Because we were so small, I needed a program framework that would help me stand up an enterprise risk program, a code of conduct, as well as the broader business type things that you need when you're building a company as well as security. Using that framework really helped me at that stage, again when we were less than 30 people, really embed a risk framework mindset amongst the company as well as a security mindset, and start the seeds for that security culture.
What I'm getting at here is if you don't understand what your business context is and what kind of enterprises you're targeting and what the factors are that are going to impact you, it's harder to decide what kind of framework you might want to choose. If you're a later stage or if you're a more established company and you're standing up your security program, it might make a lot more sense to focus on the ISO 27001 or the SOC-2 type 2, or the frameworks that are a bit more focused on security.
Certs and Compliance Assessments
So now that I showed you SOC-2 you're thinking "But wait, do I need to get that certification? And if so, when do I need to get it?" I'll get into that in a second, but first I just wanted to touch a little bit on the certification versus compliance assessments. You might think this is a bit of splitting hairs, but I think it's an important distinction to make because it ties back to that business context. Depending on the types of enterprises that you're targeting in your strategy, you may need to also think about regulatory compliance.
I know that some folks today have already touched on this, but it's something to consider as you're building out your security program. Because regardless of whether you decide to pursue a certification or not, depending on your business context, regulatory compliance might be really important to you.
I'll give you an example. At Everlaw, we do not collect protected health information. Like I said, where we sell software we sell a SaaS platform. But part of our strategy is to sell to the large enterprises, and some of those enterprises are insurance companies, and insurance companies may deal with protected health information that they need to upload into the platform to use our service for. Or we may sell to a large law firm that's representing a hospital on some type of malpractice case, so for us we have to think about HIPAA because it makes us a business associate even if we're not the ones collecting that protected health information.
Regardless of the security certification strategy we might adopt, we still have to think about HIPAA when it comes to privacy and security. It's worth pointing out that there are some regulatory regimes or frameworks that don't even offer a certification, and I think there are a lot of consultants out there that will sell you any certification that you call them up and ask for, but it's worth pointing out that HIPAA-- The Department of the Office of Civil Rights in HHS, they don't actually recognize a formal HIPAA certification. However, you can engage either a consultant or an auditing firm if you have the appetite to have them come in and do a gap assessment, or give you some independent assurance that your programs and controls do meet those requirements.
The reason I'm mentioning that is because sometimes those independent engagements or validations of your program from a regulatory standpoint can help you when you get to the enterprise security assessment with a company that really cares about HIPAA. So, now you can understand the difference between a certification and a compliance assessment, but back to the certification. When should you do it? I don't think there's a great answer for that. I've heard some folks today talk about going through SOC-2 type 2 and how that's really pushed them forward, but when I started at Everlaw they had already done a SOC-2 type 1 in security and availability. When I joined and was standing up the program, I pushed us to do a type 2 and add confidentiality. Then over the past couple years we've continued with the type 2, and also added the privacy criteria as well. I'm not saying there is a great time to do a certification, it just comes back to your business context in some cases, because there are some companies that you can sell to without having a certification. But it's going to be a lot harder if you have not stood up a holistic program that touches on things like your security, governance, your policies and procedures, your training and your operations. You can proceed without certification, but some companies will require it as a gate, and sometimes it's a good catalyst to get the internal support you might need to really build out that program.
Navigating Enterprise Security Orgs
All right, so now we're headed to Mordor. You understand a little bit more about getting ready for a security assessment. Getting your program together, making sure it's holistic and understanding your business context. But now you actually need to navigate through the assessment. So in this part, I'm going to talk a little bit more about the players and priorities and things that might happen during that assessment. Because this is what we don't want to happen, you don't want to do all of this work and build your program and then get to the point where you're in sales conversations with an enterprise and be told "You shall not pass."
Navigating the Security Assessment
We don't want that. How to navigate the security assessment, some folks today have already touched on the security questionnaire and I do know some folks in the room who deal with these. The fact is, they are a pain. I'm not going to mince words. But there are some things you can do that will help you prepare for them.
Of course, building that holistic program at the start is the number one thing, but there are various questionnaires out there. These are a couple. Cloud Security Alliance, the SFG. One of the reasons that security questionnaires can be painful is because there really isn't a generalized industry standard, and a lot of times you may be presented with a questionnaire that the enterprise has been using for a very long time for on-premises and IT solutions that they have in place. You may think it doesn't really apply to you, so when it comes to the questionnaires be aware that they're going to cover more than your product. You may be expecting to answer things that you would expect to be asked about the cloud B2B product, but you're probably going to be asked about things like personnel security. Do you have confidentiality agreements that all of your new hires signed during onboarding? Do you do background checks? Things like your incident response processes and your disaster recovery? How long are you retaining backups? Just be aware that during the security assessment the questionnaire is going to cover things that are much wider than just your technical product infrastructure. That's why it's important for your program to be holistic, and then next, when you get to the point that you're having conversations, which may not happen.
The best scenario is when you do the work and you fill out the questionnaire, and the next thing you know, you're getting a win notification from your sales team. That's the best. But more often than not, depending on what stage you are in your growth and how mature your program is, there's a good chance that you're going to have to be getting on the phone with folks at the company that you're trying to sell to.
That can vary pretty widely, how that conversation goes, that is. Depending on who's actually on the line, you could end up on the phone with a person in their procurement department who doesn't even really know what your product does. In that case, you need to be ready with your business context so that you can explain to them what your solution is, talk about your program as a whole and make sure that they understand that you do have a security program and you do have dedicated personnel and you are covered.
You also want to make sure that if that conversation happens, that you have the right folks in the room on your side. Because maybe you're talking directly to their security team, and if you know that they've already raised a concern about an aspect of either your corporate security infrastructure or maybe something related to your product, you want to make sure that you have the folks in the room that can speak to your controls in place. Whether they be the exact control that the prospect is looking for, or it may be a compensating control where you do something else and you need to convince them that meets their bar.
When it comes to addressing gaps, be ready with your roadmap because a lot of times you will have gaps and there may be things in that questionnaire that you answered "No" to that they're looking for a "Yes." And that's OK, you shouldn't be afraid of that. You should be ready to talk about your program as a whole, your roadmap, and how you can address their concerns even if you're not addressing the exact control that they're looking for.
Finding an Internal Champion
So now that you have a better idea of what the assessment involves and some of the pain points, you're probably thinking "Who's going to do all this work?" We've heard some great comments from other presenters today, and you want to be able to leverage folks on other teams, especially on the sales team if you've got sales engineers that can answer these for you. That's great, but if you're really small you may be thinking, "I don't really have a security team," or "I don't have people in the organization that are knowledgeable enough to help me do this."
GRC: Governance, Risk, Compliance
I have a few thoughts on what I think makes some traits of people that might already be on your team, or people that you can hire to help you do this kind of work. I think of them as GRC folks, and someone else here mentioned today about culture. When I think of security GRC, this is about building a holistic approach in your organization and your program with the ultimate goal of creating that culture of security.
These are the flag bearers in my mind for that, where it can really embed that culture. At Everlaw, this is the team that runs point on all of our vendor security questionnaires, and we only recently started calling this team GRC. It was just me for a very long time until pretty recently, so I understand that if you're earlier stage or not, you probably don't have a GRC team. But that doesn't mean that there aren't people on your team or in your organization that can do this kind of work, so if you're working on identifying somebody on your team, there are a few traits that I think, whether they're in security or not, make them a good fit. I did talk about this recently, and I know there's some folks in the room who listened to me, so I'm just going to give you a brief snippet of that.
But I'm going to give you my top three, and the first one is "Risk sentinels." This is my term for people who I think are the ones that are really good at thinking of a situation or looking at a scenario or a question, and thinking 3 or 4, or 10 steps ahead to the consequences of that answer, or the consequences of that scenario. This is important when you're dealing with vendor security questionnaires, because you need to have folks that are looking through the questions and they understand that if they answer "Yes" to this question that it's going to impact something else in the questionnaire, or it's going to impact how the prospect views your posture on that specific topic.
The next one is "Curiosity," so I think personally that curiosity is a really good sign of people that are proactive. You're going to need proactive folks to help with these vendor security questionnaires, because there's going to be a lot of hunting for answers and gathering information, and when somebody is curious and proactive they're usually game to do that kind of work.
Then the third one here is "Puzzler," so Puzzlers like to take messy things and put them in order. These security questionnaires can be really puzzling depending on who's giving them to you, so you want folks that are willing to look at the big picture and look at that security questionnaire that you're thinking "This doesn't apply to us at all," but then be able to zoom back up to your business context and figure out a way to get that prospect the answers they want in the context that they're looking for so that they want to move ahead with your products.
People, Process and Resources
Speaking of spinning up the resources to be able to do this, there are a couple of things just to touch on based on what stage you are in. In an earlier stage company, you're definitely going to be in the building process where you're looking for folks and you are looking for resources, whereas if you're a later stage you're going to be much more in the maintenance and continuous improvement mode.
Generalists vs specialists, again if you're earlier stage you're probably going to have someone who's doing a bit of everything. So somebody who might be working on your security policies and procedures, also these vendor security assessments. Whereas when you get larger, and depending on the market you're in and the demand for your product, this could be somebody's full time job at a certain stage.
Then "Mo' money, mo' problems." As you mature as a company, there are going to be additional considerations that you need to think about that will then impact the vendor security assessment process. As you get much bigger, maybe you're subject to new regulations. Maybe that changes your business context a little bit, or if you're just going really big and you're going after those four Fortune 500s and the biggest companies out there, then if you want more money then you should expect that when it comes to the security assessment questionnaires and the security assessment process, that you're going to have to go through some more hoops because they will expect more.
Considerations and Benefits
But there are some benefits to this process, I know it sounds like a lot of work and it is, but I think it's worth pointing out that there are a lot of positive aspects that your company can-- Or, positive benefits your company can reap.
One, of course, is commercial. That MRR you want selling to those bigger companies, getting those deals. Another one is reputational, so being known as a vendor in your space that can get through these rigorous security assessments can be a good thing. Maybe that matters less to you, but if it matters more, being known as someone or a company that can actually pass this bar can be really useful and beneficial. But that's not to say that getting through a security assessment and being able to check a lot of boxes on a questionnaire means you have good security. I think we all agree that doing a security questionnaire is not going to tell anyone necessarily that you are 100% secure because that doesn't exist.
But my point is, if you've done all of the work to build a holistic program, to show that you are able and set you up to be able to pass these things, that can translate into a stronger reputation around security. Then the last one is scaling. I like the focus on culture earlier, and the earlier that you can start building this holistic program and really get your folks on all teams thinking about security and how important it is to your commercial success, it will help you later on. Because if all the folks understand how important security is when you're only 25 people, when you're onboarding a lot of people and going through those hiring sprees, it will permeate the organization better because you'll have that tribal knowledge and people will tell each other that it's important. You won't always have to be the one telling everybody why security is important.
So, a couple of final thoughts here. Focus on the program, keep the certifications in your mind but really focus on your program. Make it holistic, focus on culture, and make sure that you're not just checking those boxes. Then when you have the questionnaire, the conversations as it relates to the assessments and questionnaires themselves, be as prepared as you can.
Try to find out in advance what the prospect's concerns are, if there are any. If they've raised any flags to your salesperson make sure you have that open line of communication with your salesperson, so that you know before that call what they want to talk about, so that you can have the right people in the room. Then be flexible and creative, there are going to be gaps. You are going to need to be ready with your roadmap, so get your sentinels and get your puzzlers, get your curious folks helping you with those compensating controls and being able to describe those. Thank you so much. It was a pleasure.