Do you deliver your software product as a service? Or do you offer another IT service online? Then you have probably found that your customers need assurance that your service is good enough for their purposes. It has to be usable, of course, but it also has to fit within their risk appetite and their compliance obligations.
Your customer needs that assurance while using the service, and usually already during procurement. If they cannot get it, they won't remain your customer for very long.
Here is a sketch of a process that helps you demonstrate your quality to your customers.
Step 1. Figure out how the customer typically does assurance. Ask them. What are they scared of? Are they looking for specific certifications, audit reports or similar evidence? Think ISO 27001, the Cloud Security Alliance's Cloud Controls Matrix, or staff certifications. You also want to find out through what process they assess a supplier, if they have a process at all. Who is involved on the customer side? The IT security department? Internal audit? Corporate risk management? Your objective is to make their assessment of your service as simple as possible. For example, a lot of companies use the CAIQ (Consensus Assessments Initiative Questionnaire) format from the Cloud Security Alliance, so answering that once saves every such customer work.
Step 2. What proof of your quality do you already have? Evidence comes in two forms: knowledge about your service, processes and assets (documentation, architecture, inventories), and demonstrable skill in handling them (incident records, test results, track record). How can you show both? Be honest with yourself about your attitude to service delivery as well. Is your company doing things because they are "the right thing" or because you are forced to? In particular, you are looking for the things you do well in a repeatable, documented way, because those are the things you can prove.
Step 3. Gap analysis. Based on the output of steps 1 and 2 you can start a gap analysis along three lines:
- Security holes: where does the service itself fall short? For example, can your customers rotate all of their login credentials and API keys themselves, without your help?
- Evidence holes: where can you not prove what you do? For example, is logging missing, or not exposed well enough for the customer to use it?
- Process holes: where is there no repeatable process? For example, you may have no defined way of tracking newly reported security bugs or new compliance obligations.
Step 4. Talk to your customer. Ideally you bring the results of the previous steps back to your customers and have an open dialogue about their requirements, wishes and priorities. The point is to establish what value the service brings them, and whether that value offsets the residual risk your service still poses to them.
Step 5. Improve, rinse and repeat. Feed the output of the previous step into software development, the systems and support organization, legal and sales. Make sure that every improvement they realize comes with the evidence that shows it is an improvement; otherwise the customer cannot tell the difference. Status pages, dashboards and self-assessments (published under a non-disclosure agreement where necessary) are good examples of such evidence.
It does not stop here. Ideally you are in constant conversation with your customers about their new opportunities and new risks. As your service becomes more important to your customers, their risk appetite for it will change, and you will need to address that.
If you want to know more about this, download the cloud security 101 one-pager, and drop me a line with your specific question.