Selling to the Enterprise in the Age of GDPR

Part 1: Was it always this hard?

Jeff Zitomer

“What’s taking them so long to sign that contract?” you wonder. You are about to seal your startup’s largest enterprise software deal yet. This took months. They LOVE you. “Ummm, our security team has a few questions,” they say when you finally call. Several weeks and dozens of questionnaire pages later, you wonder if there’s a better way. That “better way” will be the subject of this series. But first, let’s understand why selling to enterprises just got much harder.

56% of companies surveyed by Ponemon Institute in 2017 experienced a data breach caused by a third party (up 7% from 2016). For two prominent examples, look no further than the Target and Home Depot breaches, costing over $500,000,000 between them. But those stories are half a decade old. Why is third party risk finally top of mind now? You’ve already guessed that GDPR has something to do with it. But GDPR is one of many factors shaping your enterprise customers’ approach to the security/privacy risk you introduce. Let’s review the top 4 factors, including GDPR:

Before proceeding, please note I am not a lawyer, and this is not legal advice. You should seek professional legal help to understand the extent to which GDPR and other laws apply to your business.

GDPR:

The General Data Protection Regulation is an EU law governing data protection and privacy for EU individuals. It became enforceable in May 2018, with fines of up to 4% of global annual revenue (or €20 million, whichever is greater). If you or your customers have past, current, or future users, suppliers, partners, or employees in the EU, then it most likely applies to you. Regardless, it’s the right thing to do: some global enterprises have gone the extra mile to apply GDPR policies globally to all personally identifiable information (PII).

In the past, many companies thought the risk could be outsourced to third party vendors along with the data and the work. However, GDPR clarifies that “data controllers” (your enterprise customers) cannot pass the buck to “data processors” (you). Both have obligations. But assuming you represent a small startup, who do you think the regulators will pursue?

It’s also important to note that GDPR is merely the first and most hyped of the new data security and privacy regulations proliferating globally (in China, California, India…). Therefore, limiting your business to customers outside of Europe (or going dark in Europe, as the LA Times and others have done) is likely neither viable nor sustainable for most companies.

The cybersecurity personnel shortage:

Cybersecurity Ventures predicts 3.5 million unfilled cybersecurity positions by 2021. Stretched so thinly, your customers’ security teams can’t possibly closely vet all vendors. Instead, they will employ technology (e.g., SecurityScorecard & Bitsight), process (e.g., long questionnaires), and legal protections (e.g., data protection agreements), all of which encumber your sales process. The greater the perceived risk you represent, the closer the vetting.

Your challenge is clear: you must seem less risky than other vendors. Can you reduce your actual and perceived risk?

On-prem to cloud migration:

IT professionals now believe their data is safer in the cloud than on-premises. Your service runs on AWS, so you’re good. Right? Wrong. Gartner predicts that through 2022, at least 95% of cloud security failures will be the customer’s fault¹.

In fact, leading cloud vendors are explicit about customers’ shared responsibility. Vendors provide a secure cloud, but it’s your job to operate securely within their cloud, and more importantly, to convince your customers that you do. Further, while these clouds give you a head start on security, you’re on your own for privacy and compliance.

[Figure: AWS (left) and Microsoft’s (right) shared responsibility models]

This explains why many enterprises still prefer protecting their sensitive data behind their own firewall, as outdated as that approach may seem. If your solution processes sensitive data, you might consider offering an on-prem version, though this option isn’t for everyone.

Bring Your Own Technology, AKA Shadow IT:

It truly is a new dawn of IT when I can set up an event in Meetup.com, sell tickets on Eventbrite.com, store the attendee list in Box.com, and share it with my team on Slack.com. Corporate IT neither helped nor interfered. It’s great for me and these vendors, who may later convert my company into a paying account.

But there’s a downside. According to Gartner, by 2020, one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things (IoT)². Clearly, my employer must control this “shadow IT” risk that my (otherwise positive) initiative introduces.

Are you a shadow IT vendor, employing “grass-roots marketing”? Do your systems potentially touch European individuals’ data? Congratulations! Under GDPR, you might be a “data processor.” Not only are you potentially liable, but your enterprise customers’ DPOs and CISOs are paying attention. Will you be transparent about your data privacy practices and sign data protection agreements with thousands of free customers? How likely are your customers to prefer your inferior — yet enterprise-friendly — competitors?

But there’s a silver lining. Enterprise security teams are becoming “service enablers” instead of “blockers.” If you are popular and flexible, your customers’ security teams might work with you.

Until next time…

Hopefully this high-level overview of the trends impacting third-party IT risk was helpful. Please follow me to be notified of my next couple of blog posts:

  • Part 2: Talking the talk: how to engage enterprise security teams in the sales process
  • Part 3: Walking the walk: how to become enterprise ready on cybersecurity and GDPR

1. Gartner, “Is the Cloud Secure?”, 25 May 2018

2. Gartner, “How to Respond to the 2018 Threat Landscape”, 28 November 2017

Jeff Zitomer

Technology & product strategist. Cybersecurity & Privacy Lead @SAP Corporate Strategy. Adviser to @SAP_iO fund and foundry. Silicon Valley, USA.