As part of the 2021 Y Combinator Founder Bootcamp, Christina Cacioppo, Vanta CEO and co-founder, led a talk focused on security and B2B sales. Read on for a deep dive into security reviews, vendor questionnaires, and how a SOC 2 report can put your company on a strong footing with customers and prospects when questions of security arise. At the end of this post we have included some of the questions Christina received during Q&A and consolidated the answers for your reference.
Vendor, meet your first security review.
If you haven’t yet had a customer or prospect ask for your company’s SOC 2 report or a customized security questionnaire, that moment is on the horizon. Picture this: your company is about to close an important deal. Everything is moving along swimmingly — and then your prospect mentions the security review. If you’ve anticipated this moment, you already have the material to demonstrate your company’s security policies and practices. If you’re facing a security review for the first time, you may find that your deal is on hold while your company works out how best to prove its security.
Security reviews are becoming common practice in the sales cycle. If you’re a B2B software vendor that stores customer data, you should expect that enterprise clients will be focused on ensuring the security of their customers’ data within your information ecosystems. Enterprises are particularly attuned to the risk of a data breach, and are seeking ways to understand if your company can be entrusted with sensitive data.
How can your company create trust through the security review process?
The security review is an opportunity for your company to explain the measures you take to maintain data security. A successful security review can take a number of forms: You could spend time walking your prospects through the security measures your company takes. You could share documentation of the security policies you’ve developed and adhere to. You could answer a vendor questionnaire developed by your prospect (and another questionnaire developed by another prospect, and so on). Or you can take the most proactive and arguably the best route to demonstrating your company’s security: a SOC 2 audit. The resulting report, issued by an independent CPA firm, describes your company’s controls and the auditor’s opinion of them in a consistent format that you can share with each of your prospects, rather than re-explaining your practices from scratch every time.
What is a vendor questionnaire?
A vendor security questionnaire is a tool enterprises use to assess a service organization’s security practices before signing on to use its product. A vendor questionnaire can be extensive — think anywhere from 30 to 300 yes/no questions exploring the ins and outs of your company’s security program — and there is no standard format that enterprises are required to use, so each prospect’s questionnaire may look different. (An enterprise is better served by asking more questions of potential vendors up front than by learning down the road that it failed to examine its vendors’ practices thoroughly.) Your company’s CTO will usually be the person responsible for answering vendor questionnaires.
When and why should my company get a SOC 2?
Observe how your company is allocating time to proving its security, and you will see when the scales tip toward getting a SOC 2 report. If you’ve been asked for proof and have been leaning on workarounds, you may eventually find that the workarounds are more time-consuming than simply going through an audit. As a startup, your time is your most valuable resource. When putting your CTO on the phone (again) to explain your company’s security practices to a new prospect becomes one time too many, it’s probably time for a SOC 2.
We also like to say that the best time to get a SOC 2 is as soon as you possibly can. If your company is proactive about security and audit preparation, you’ll have a SOC 2 report ready when you need it. If you’re on the road to closing a deal with a key prospect, a SOC 2 report can pave the way for a smooth security review and point you toward the finish line. For a deeper dive into when and why to get a SOC 2, how long it takes, and how much a SOC 2 report costs, check out our Recap on SOC 2 for Scaleups.
How do you turn security into a sales strategy?
Building a strong security program for your company will serve you well as you grow, no matter what. It is far harder to retrofit security into your roadmap later than to treat it as a core business concern from the start. One key upside of leading with security is that you can present your company’s security practices as part of your sales strategy. Whatever form your proof of security takes — a readiness to respond to customized vendor questionnaires, the ability to share your policies and documentation, putting your CTO on the phone, or telling your prospect that you’ve already completed a security audit and can share your SOC 2 report then and there — your solid security practices and documented proof of them become key components of your company’s marketing toolkit.
Let’s dig into a few of the great questions that came up in the Q&A session:
How early in the life of a startup should we be looking into compliance auditing and certification?
- Your customers and prospects are your best guide on this point. When you’re in the early stages (and beyond) of building and selling a product, listen to your clients and customers to learn what they want from you. Remember that approaching security in a proactive way is a solid way to demonstrate the stability and trustworthiness of your business.
What industries can benefit from completing a SOC 2 audit?
- If your company gathers, stores, or works with any form of customer data, no matter the industry, a SOC 2 report can support your security goals. In today’s business environment, as more and more enterprises store and process data using third-party providers, a broad range of industries — from fintech to healthcare to hospitality and everything in between — now require that their vendors obtain a SOC 2 report to demonstrate their security practices against a shared and accepted standard.
How often might a startup be asked to present a SOC 2 when dealing in the B2B space, given the wide range and type of customers?
- There are a few guiding principles to consider here. The larger the business your company is selling into, the more likely it is that security and SOC 2 will become a focal point. If the company you’re selling to has itself gone through a SOC 2 audit, it may be more inclined to ask for and expect your SOC 2 report as well. How often you’re asked for your SOC 2 report or other proof of security also depends on the type of data your tool stores and the sensitivity of that data. Products seeking to operate in fintech or healthcare, and to be entrusted with the sensitive data common to those spaces, will find that proof of security is high on prospective clients’ radars. In other spaces, if your tool requires access to a customer’s email, for example, prospective customers will want to understand how your company will guard that access and the data it exposes.
Does Vanta or other compliance software help automate processes for HIPAA?
- Vanta includes HIPAA compliance support, and we offer guidance, information, policy templates, tracking features, and more to help your company prepare for its HIPAA audit fieldwork. Vanta’s feature set can be used to track a range of HIPAA tasks and to customize your HIPAA compliance approach further.
Vanta is “security in a box” for companies of all shapes and sizes, trusted by hundreds for their SOC 2 preparation and more. Vanta provides a set of automated security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts. Vanta also offers a suite of tools streamlining the non-technical components of security tracking and audit preparation, so gathering and consolidating audit evidence is easier for both your company and your auditor. Ready to get started?