Measuring and Communicating Security for SMBs and Large Enterprises
The glut of data breaches over the past few years has called for stricter rules and regulations that implement the right frameworks to protect data access and ensure privacy and confidentiality. For enterprises, large and small, the consequence of a data breach not only amounts to the cost of a lost or compromised asset, but often comes at the expense of losing customers. With the recent implementation of the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), many companies are forced to revisit their security posture and ensure that they adhere to the proper security and compliance guidance.
The stakes and business implications increase exponentially for organizations as they scale and partner with a wider number of third-party vendors. As the amount of data under your purview increases, so does your ownership and legal commitment to protect that data from unauthorized access. From a compliance standpoint, in order for a large enterprise to safeguard its assets and demonstrate proof of GDPR compliance, it needs to be able to prove its commitment in protecting user-centric data, and evaluate each of its vendors that also have access to its data to ensure that they are also compliant.
For many, this means getting a SOC 2 certification to assert the operational effectiveness of their current infrastructure and IT systems, detailing the policies they have established to ensure data security, availability, confidentiality, and privacy. Of note, the SOC 2 certification is mandatory for businesses that provide SaaS and other cloud services and store information in the cloud.
The SOC 2 audit is a multi-stage process, meaning that vendors either need to hire an external engineering consultant or dedicate bandwidth from their own engineering team to evaluate the current state of their IT infrastructure, assess and fix existing security gaps, and submit clear documentation to the auditors. Alas, SOC 2 is not a one-and-done process: organizations constantly have to re-evaluate their security posture and prove that they remain compliant throughout the business’ lifecycle. Depending on the scale and complexity of the company’s infrastructure, this process can be tedious, time-consuming and expensive. Vendors selling into Fortune 500 banks and other highly regulated markets face a similar challenge, as they are subject to even more stringent infosec requirements and have to navigate a far more complex process to ensure that they have the right processes in place and comply with the rules and regulations that apply to those industries.
In a time when security and engineering talent need to be heads-down, focused on building and scaling a business, it is almost counter-intuitive to have them spend a considerable amount of their time doing the grunt work of filling out security questionnaires. We are beginning to see an emergence of tools that:
- Automatically scan the company’s security policies and process security workflows, enabling faster audits and certification
- Implement compliance right into the developer workflows, empowering DevSecOps teams to adhere to the best software practices
- Programmatically scan the organization’s IT infrastructure to discover, manage and secure all assets, controlling who has access to which data, software and hardware
- Provide larger enterprises with a unified view of all their vendors, and the risks they pose to the business, improving vendor management
These tools broadly fit into the following seven categories:
Governance, Risk and Compliance (GRC)
Governance, risk and compliance is responsible for ensuring that organizations have the appropriate IT controls and policies in place to effectively manage risk and comply with regulatory requirements. Today, the tools that have emerged in this category, and that are being widely adopted by both Fortune 500 companies and SMBs, provide a comprehensive way for companies to establish that their internal processes are aligned with the business’ goals, manage identified risks and audit processes to ensure that they adhere to the laws impacting the organization.
- Resolver is an internal audit and incident management tool that meets the security needs of corporate customers and IT security teams.
- VComply simplifies and delivers risk and compliance management in the cloud by streamlining auditing protocols, IT operations and vendor management and delivering complete visibility into the organization’s security and risk posture.
Vendor Risk Management
New-age third-party risk assessment and containment tools are used by enterprise customers to automate the process of evaluating, documenting and emailing sensitive security questionnaires to third-party vendors. These tools connect the buyer to the vendors on a two-way platform, which enables the buyer to collect vendor responses, compare the risk profiles of the different vendors and select the lowest-risk business partner.
- Aptible automates compliance fieldwork and deploys audit-ready applications and databases.
- Tugboat Logic enables the buyer to upload its own security questionnaire onto the portal through which all the different vendors can respond to the questions which remain stored on the platform as proof of compliance.
- VISO Trust provides an intelligence platform that automates and shortens the vendor due diligence process.
Process-driven tools serving SMBs are focused on helping the individual vendor pass its compliance audit at a much faster rate. These tools build actionable guidance that helps the company secure its assets and automate its security questionnaires.
- Laika offers concierge services that guide companies through understanding their security controls and building security best practices to help them get security certifications and become compliant.
- Shujinko specializes in cloud regulatory compliance and facilitates IT audits by automating the process for users.
- Vanta provides a suite of tools and integrations that fits right into the company’s cybersecurity framework to help the company achieve compliance.
Security Questionnaire Management
The purpose of security questionnaire management tools is to help customers fill out their security forms and documentation with ease and accuracy. These tools digitize security questionnaires, technical content and security policies onto a platform that provides stakeholders with all the tools and resources they need to complete popular assessments such as SOC 2 and ISO 27001. Security automation tools also offer integrations to import existing content from sources such as Word, Excel, PowerPoint and Outlook, and offer smart dashboards, reporting, answer intelligence and knowledge management capabilities to help users get through audits and achieve certifications at a much faster rate.
- Whistic scans every single vendor and converts their security postures into a biographical snapshot that enables the buyer to assess their riskiness at a glance.
Data Privacy
In the wake of high-profile data privacy issues such as the Cambridge Analytica scandal in 2018 and the Equifax data breach in 2017, more and more companies realized that they needed to rethink their approach to data privacy. Specifically, companies were concerned with the ways they were collecting and storing customer data, and with ensuring that they adhere to new privacy regulations such as the GDPR and the CCPA that were enacted to protect user data. This in turn led to a growing demand for tools that can safeguard customer-centric data by delivering accountability and transparency, and maintaining compliance.
- BigID enables companies to manage their sensitive data such as PI and PII by measuring risk KPIs, automating data access and operationalizing compliance for privacy regulations around the GDPR and CCPA.
- Transcend is a data privacy infrastructure tool that tracks and fulfills access requests in an automated way, enabling users to control their data.
- Very Good Security collects sensitive user data and replaces it with an aliased version before securely storing the data away. It also automates the processes for the following compliance frameworks: PCI, SOC 2, CCPA, HIPAA and the GDPR.
Audit Management
Audit management tools help companies execute their audit processes quickly and effectively by providing assurance that risks are being correctly evaluated and that the existing risk management processes comply with the organization’s internal control framework.
- Sym integrates right into the developer workflows and enables developers to seek access right from the command line. On the operations side, access is granted through API calls and the whole process is documented in an auditable workflow fit for compliance.
- Temporal is an open source workflow-as-code engine that enables the user to perform business transactions in a reliable and secure way.
- WDesk by Workiva connects data from disparate sources and unifies processes from cross-departmental teams in order to increase trust and transparency and streamline internal audit and reporting.
SaaS Operations
The rapid rise of SaaS applications has transformed businesses, but at the same time made it harder for IT admins to have complete visibility into the SaaS stack. SaaS operations tools make it easy for teams to oversee and manage the consumption of SaaS applications scattered across the organization and uncover security blind spots created by the clutter of tools.
- Blissfully tracks the usage of SaaS applications in the IT stack and builds processes for companies to embed compliance and security into their IT operations.
- BetterCloud empowers IT admins to onboard, offboard and provision user accounts and manage user access to cloud SaaS and Google Apps in an automated way.
If you’re a startup or corporate executive working through IT compliance and security automation issues, please reach out or sign up for our next enterprise playbook lunch on the topic. And stay tuned for more content on SOC 2 — Work-Bench is in the midst of creating a tactical SOC 2 playbook (see our other playbooks here).