The evolution and setup of a security program has traditionally been defined by the software development lifecycle or by well-known maturity models. There are various software development security frameworks and industry standards that can be referenced to understand how an organization performs its security functions; however, they are seldom described from the perspective of a customer. Transparency into the cloud product/service provider's security functions builds customer trust, and understanding those functions helps customers effectively perform their own functions as defined in the provider's shared responsibility model. So, how should a provider describe its security functions so that they are easily understood and related to by its customers?
Our security team members at Guidewire have had the privilege of leading security programs at companies that were born in the cloud and also at ones that have gone through an on-premises to cloud transformation. While leading these security programs, we were constantly faced with the challenge of effectively describing them to customers so that they have enough assurance about the security of their data and, in turn, their businesses. Below is a framework we have structured our security program around to explain how we set up and execute security programs, mapped to our customers' journey of using and operationalizing our cloud product/service(s).
How can security at a cloud company be viewed from the customer's perspective?
A typical customer journey, while using a cloud product/service, starts with Awareness when the customer identifies potential solutions to solve business problems, and then Considers various options to determine the best fit. Once the acquisition decision is made, customers are Onboarded through product overviews and implementations. This is followed by the longest period of this journey where customer satisfaction influences their product/service Retention. Throughout this process, the product/service provider proactively leads Advocacy by staying current on industry trends, innovations, and customer feedback. But all through this journey, what should the product/service provider do from a security perspective, and what should a customer expect so that they understand what the provider offers and how to hold them accountable to it?
How should security activities be aligned with customer journey phases?
Below are a few common security activities, mapped to the customer journey phases described above. All the activities listed here are based on Guidewire's customer security use cases. Security teams can modify these activities for their own industry of focus to make them more applicable to their organization.
1. Product Awareness
- Launch and maintain a Trust site on the company website that lists values and security principles to drive transparency
- Research geographical security and compliance requirements, and develop toolkits to help customers navigate them, as partners
- As a vendor, ensure that your risk scores on the heavily used vendor risk management portals (which evaluate the security of publicly visible assets) are in the top tier
2. Consideration/Acquisition
- Deliver a live (in-person or virtual) walkthrough of the security features and operations to expect from the product/service
- Respond promptly to any requests for information (RFIs) related to security, and over time build intelligence into the process so it scales as the business grows
- Review security and privacy exhibits in customer contracts, and be available for detailed discussions on deal-sensitive topics
3. Customer Onboarding
- Document and publish security best practices for product implementations and service configurations; review and maintain them periodically
- Evaluate security risks and provide guidance if customer implementations deviate from previously defined secure reference architectures
4. Customer Engagement/Retention
- Ensure secure product/service operations, including secure software development lifecycle processes, vulnerability management, and incident response
- Based on the nature of the business, attest to security and compliance industry certifications
- Assist customers with their security audits for requirements not fulfilled by your attested security and compliance industry certifications
5. Advocacy
- Participate in private trusted forums with peer companies to share insights and collaborate on collective defense
- Invest in security research within your industry and publish results on blogs
- Conduct business advisory council meetings with select customer representatives to align on a cumulative security strategy
Conclusion
The general tendency is to look within one's own organization and align with industry guidance to implement and mature our security programs. Building customer empathy into your programs by looking at them through the customer's lens can go a long way towards executing on business-defined objectives and delivering customer success. Leverage the framework described above to align your own security functions, and/or require that your third-party vendors use it. Doing so will give you a better understanding of your shared security responsibilities, rather than operating on a perception of what those responsibilities might be.