RFS: Request For Security!
Rick Lawhorn, CISA, CISSP, CHP, CHSS
As the industry prepares for increased regulations and compliance requirements from state and federal governments, businesses are taking a harder look at endpoint security.
This emerging trend is starting to require businesses to re-evaluate their solution provider relationships and is potentially become a key market differentiator in forming new relationships.
Traditionally, service provider pre-sales activities have access to non-public or confidential data that is necessary to provide the customer the best solutions possible. When we hear the term “confidential data”, we normally think of customer data, financial transactions or personal health information. In light of the increased endpoint security scrutiny, this term can take on many other forms of data that service providers encounter on a daily basis, such as infrastructure diagrams, network architectures, business workflow, or simply a detailed request for a product or solution that would fill a gap or enhance a customer’s security posture.
Normally, the providers’ sales process is the first customer touch point where requirements and analysis data are gathered in order to identify and create potential solutions, Many times the information being shared by clients to the providers’ sales force circumnavigates costly security controls that would normally protect the information from unauthorized use. Clients are now starting to become aware of the engagement risks and are starting to insist on fundamental, demonstrable security requirements in conducting business with many service providers …customers just plain expect it now!
So what can providers’ sale force implement to market their security maturity and demonstrate that they care about their client’s security expectations? Service providers should establish the rules of engagement proactively with clients prior to sharing any information electronically. By establishing secure communications with client early, providers are presented a wonderful and natural opportunity for the sales force to represent their leadership in the security market space and to demonstrate that they are knowledgeable about their customer’s data, even if the data is not currently regulated or the client is unaware of the risks.
One method to demonstrate this discipline is to encrypt or password-protect electronic proposals, contracts, and working projects such as architecture designs and plans. In addition, providers should be aware of the type of information they send and receive with their clients across email or other Internet based resources. Service providers should Implement the appropriate level of security to protect shared data and use any identified opportunity to further educate the client about the importance in protecting information during the sale cycle. Another method that demonstrates this is for providers to be conscious of items thrown away or discarded that relate to the client’s requests or interests. The information that is tossed in the dumpster can provide a great deal of insight to malicious attackers or competitors, especially the client’s competitors in regards to intellectual property. By proactively establishing the rules of engagement early in the pre-sales process with a client, the service providers can differentiate themselves from the competition and begin to establish or enhance a trusted advisor relationship with the client.
Overall, the approach taken does not need to be complicated or burdensome to the existing RFP/RFI process. It should be viewed as an enhancement and/or awareness opportunity to meet the client’s expectations and to provide education as needed. In return for this extra effort, providers can properly protect client data throughout the entire sales lifecycle and differentiate themselves from other competitors by being a security conscious company that implements the proper due-care with client data.
Service providers could be missing a great opportunity if they do not internalize this expectation and transform it into a market differentiator.
About the Author: Rick Lawhorn, CISSP, CISA, CHP, CHSS has over 20 years of experience in information technology which includes an extensive security, compliance, privacy and legal background.