In the past weeks I have been talking to a number of small software providers. Most software these days is no longer shipped (CD-ROMs are really oldskool, aren’t they?), but is delivered as a service over the internet.
These software providers are starting to realize that this makes them SaaS providers. It also means they have to do risk management the way a cloud provider does.
Among the companies I work with are an email/shopping cart provider and an e-learning provider.
With these companies I started by going through the CSA “Treacherous Twelve” list of top cloud risks. Whether you are a provider or a consumer does not matter much: every risk on the list can be relevant to both sides. The consumers have to protect themselves, and the providers have to enable them to do that.
In working with them I came across a number of interesting observations.
One guy stated: “only after reading through the Treacherous Twelve did I gain a more solid understanding of risks”.
Another guy said that he now started to understand how his security was essential to his customers’ security. In fact, being more explicit about what he did on risk management and security could actually be a selling point with his customers.
He also said that the investors in his company would probably worry about this.
These companies are starting to realize that their customers are actually outsourcing some IT to them, and that these customers require some governance and risk management support. A simple case of that is that there is often personal data of the customer’s employees or clients involved. If the provider messes up in managing that sensitive data, the customer gets burned.
At the same time, these software providers are often cloud consumers themselves, as they outsource their hosting and other services to other cloud providers. So the risk analysis cuts both ways.
Does some of this apply to your company? In that case you might want to look at the Treacherous Twelve study yourself. To dive deeper into that or if you need help, you might consider my cloud security training, which can also earn you the Certificate of Cloud Security Knowledge.