Security for B2B sales
As part of the 2021 Y Combinator Founder Bootcamp, Christina Cacioppo, Vanta CEO and co-founder, led a talk on security and B2B sales. Read on for a deep dive into security reviews, vendor questionnaires, and how SOC 2 can put your company on a strong footing with customers and prospects when questions of security arise. At the end of this post we have included some of the questions Christina received during Q&A and consolidated the answers for your reference.
Vendor, meet your first security review.
If you haven’t yet had a customer or prospect ask for your company’s SOC 2 or a customized security questionnaire, this scenario is on the horizon. Picture this: your company is about to close an important deal. Everything is moving along swimmingly — and then your prospect mentions the security review. If you’ve anticipated this moment, you’re positioned with resources to demonstrate proof of your company’s security policies and practices. If instead you’re coming up against a security review for the first time, you may find that your deal is on hold while your company works out how best to prove its security.
Security reviews are becoming common practice in the sales cycle. If you’re a B2B software vendor that stores customer data, you should expect that enterprise clients will be focused on ensuring the security of their customers’ data within your information ecosystems. Enterprises are particularly attuned to the risk of a data breach, and are seeking ways to understand if your company can be entrusted with sensitive data.
How can your company create trust through the security review process?
The security review is an opportunity for your company to explain the measures you take to maintain data security. A successful security review can take a number of forms. You could walk your prospects through the security measures your company takes. You could share documentation of the security policies you’ve developed and adhere to. You could answer a vendor questionnaire developed by your prospect (and another questionnaire developed by another prospect, and so on). Or you can take the most proactive and arguably best route, a SOC 2 audit, in which an independent CPA firm examines your controls and issues a report on them. That report presents your company’s security practices in a consistent format that you can share with each of your prospects (typically under NDA, since the report describes your controls in detail).
What is a vendor questionnaire?
A vendor security questionnaire is an enterprise tool used to assess a service organization’s security practices before signing on to use their product. A vendor questionnaire can be extensive — think anywhere from 30 to 300 yes/no questions exploring the ins and outs of your company’s security program — and there’s no requirement for enterprises to utilize a standard format. (An enterprise will be better served by asking more questions of potential vendors up front, rather than learning down the road that they failed to thoroughly examine their vendors’ practices.) Your company’s CTO will usually be the party responsible for answering vendor questionnaires.
When and why should my company get a SOC 2?
Observe how your company is allocating time to proving its security, and you will understand when the scales tip toward getting a SOC 2. If you’ve been asked for proof and have been leaning on workarounds, you may eventually find that the workarounds are more time-consuming than simply going through an audit. As a startup, your time is your most valuable resource. When putting your CTO on the phone (again) to explain your company’s security practices to a new prospect turns into one time too many, then you may find it’s time for a SOC 2.
We also like to say that the best time to get a SOC 2 is as soon as you possibly can. If your company is proactive about security and audit preparation, you’ll be ready with a SOC 2 when you need it. If you’re on the road to closing a deal with a key prospect, SOC 2 can pave the way for a smooth security review and point you toward the finish line. For a deeper dive into when and why to get a SOC 2, how long it will take, and how much it costs to obtain a SOC 2 report, check out our Recap on SOC 2 for Scaleups.
How to turn security into a sales strategy?
Building a strong security program for your company will serve you well as you grow, no matter what. It is harder to retrofit security into your roadmap if you haven’t treated it as a core business concern from the start. One key upside of leading with security is that you’re positioned to communicate your company’s security practices as part of your sales strategy. Whatever form your proof of security takes, whether a readiness to respond to customized vendor questionnaires, sharing your policies and documentation, putting your CTO on the phone, or letting your prospect know that you’ve already completed a security audit and can share your SOC 2 report then and there, your solid security practices and documented proof of security become key components of your company’s marketing toolkit.
Let’s dig into a few of the great questions that came up in the Q&A session:
How early in the life of a startup should we be looking into compliance auditing and certification?
- Your customers and prospects are your best guide on this point. When you’re in the early stages (and beyond) of building and selling a product, listen to your clients and customers to learn what they want from you. Remember that approaching security in a proactive way is a solid way to demonstrate the stability and trustworthiness of your business.
What industries can benefit from completing a SOC 2 audit?
- If your company gathers, stores, or works with any form of customer data, no matter the industry, a SOC 2 report can support your security goals. In today’s business environment, as more and more enterprises store and process data using third-party providers, a broad range of industries, from fintech to healthcare to hospitality and everything in between, now require that their vendors obtain a SOC 2 report to prove their security practices against a shared and accepted standard.
How often might a startup be asked to present a SOC 2 when dealing in the B2B space, given the wide range and type of customers?
- There are a few guiding principles to consider here. The larger the business your company is selling into, the more likely it is that security and SOC 2 will become a focal point. If the company you’re selling to has itself gone through a SOC 2 audit, it may also be more inclined to ask for and expect your SOC 2 report as well. How often you’re asked for your SOC 2 or other proof of security also depends on the type of data your tool stores and the sensitivity of that data. Products seeking to operate in fintech or healthcare, and to be entrusted with the sensitive data common to those spaces, will find that proof of security is high on prospective clients’ radars. In other spaces, if your tool requires email access, for example, prospective customers will be eager to understand how your company will guard and preserve the security of that access.
Does Vanta or other compliance software help automate processes for HIPAA?
- Vanta includes HIPAA compliance support, and we offer guidance, information, policy templates, tracking features, and more to help your company prepare for its HIPAA audit fieldwork. We can help you utilize Vanta’s feature set to help track a range of HIPAA tasks and to further customize your HIPAA compliance approach.
Vanta is “security in a box” for companies of all shapes and sizes, trusted by hundreds for their SOC 2 preparation and more. Vanta provides a set of automated security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts. Vanta also offers a suite of tools streamlining the non-technical components of security tracking and audit preparation, so gathering and consolidating audit evidence is easier for both your company and your auditor. Ready to get started?
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, which was founded by the major card brands. Compliance is enforced contractually by the card brands and acquiring banks for any business that accepts card payments, and for the Service Providers those businesses rely on.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
SAQ A applies to card-not-present Merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party Service Providers, with no electronic storage, processing, or transmission of cardholder data on the Merchant’s systems or premises. Being card-not-present alone is not enough; the full outsourcing is what makes a Merchant eligible.
SAQ A-EP covers e-commerce Merchants that partially outsource payment processing to a PCI DSS validated third party: the Merchant’s website does not itself receive cardholder data, but it controls how cardholder data is redirected to the payment processor (for example, by serving the page or script that sends the customer to the processor’s hosted payment form). Because the Merchant’s web servers can affect the security of the payment flow, SAQ A-EP carries substantially more requirements than SAQ A.
SAQ D covers all PCI DSS requirements and runs to well over 200 questions. It comes in two versions: SAQ D for Merchants, for Merchants that do not fit any of the more limited SAQs, and SAQ D for Service Providers, which is the only SAQ a Service Provider is eligible to complete.
A Report on Compliance (ROC) is an annual assessment of your cardholder data environment performed by a Qualified Security Assessor (QSA) or, where the card brand allows, an Internal Security Assessor (ISA). Level 1 organizations must complete a ROC rather than an SAQ: in general, a Merchant that processes more than six million transactions annually or a Service Provider that processes more than 300,000 transactions annually. The exact level definitions are set by each card brand, and an acquirer or card brand can require a ROC regardless of volume. The ROC is accompanied by an Attestation of Compliance (AOC), the summary document you share with customers and acquirers; note that an AOC also accompanies every SAQ.