frictionless Security.

Transforming info-security risk for business growth.


Information Security as a Unique Selling Proposition (USP)

  • By Sanjay Mathur
  • 23 Jan, 2021

A common thread between car purchase and deploying a third-party service

Sanjay Mathur CISSP, CISM, CRISC

Information Technology Security Specialist

Years back, when we decided to buy a family station wagon, my wife chose a European car. Her reason was simple: it was the highest-rated car for road safety. Honestly, the Volvo 240 did not look great, and it had a high maintenance cost. But that did not matter much. Safety won over everything else.

Additionally, we had two rear-facing back seats installed in the car. Now our car had two USPs: one for safety and another for its two unique rear-facing seats. Our car became an instant hit with kids. Our car-pool kids always preferred our car to their fancy SUVs.

So, what does the above story have to do with making information security a unique selling proposition? There are some parallels. A high road-safety rating for a car has long been a USP. It is perceived as an indicator of the robustness of the car and an assurance of less harm to human lives in case of an accident. Likewise, for any business service, such as cloud, mobile or web services, or for any software product, a high information security metric can become a USP.

Third-party Risk Management (TPRM)

If you are a buyer deploying any new software service or product, your biggest worry is that it should not increase your information or cyber risk, or bring in any new threats or vulnerabilities that may cause a major security incident, a data breach or, worst of all, a business disruption. If the vendor demonstrates a high security metric and builds trust with you, will it not make a positive impact on your purchase decision?

If you are a software product or service company, you know how much time, money and energy you spend going through a large corporation's third-party risk management (TPRM) process. A few weeks back, I met a dashing entrepreneur who was telling me about the pain of filling in a 300-question security questionnaire. He described his process of painstakingly going through his security controls, collecting evidence of their effectiveness, and filling in the questionnaire. In his opinion, this process was unreasonably long.

Vendor Side of the TPRM Story

I sympathized with him, and then asked him a simple question: "Did you ask your prospect what risks he is trying to mitigate by asking you to fill in that unreasonably long questionnaire?"

He looked at me with a blank expression, shook his head and said, "No!"

I asked him further, "Don't you think it is your right to know? Besides, don't you think your prospect's response on risks may give you a clue, or even help you shape a response that resonates with him better?"

He thought for a moment and said, “Probably you are right!”

I met him again recently. As a matter of fact, he came to my home office with a gift card for a movie for two. Apparently, he had saved a lot of time by following my advice and was thankful for it. He also had a copy of the completed questionnaire that he wanted me to review. I reviewed a few responses and realized there was something wrong with the tone of his answers. He was trying hard to defend his service question by question, as if he were part of a criminal interrogation, pleading, "I am a good guy, my behavior is good, and believe me, my service is secure." In my opinion, the tone should have been assertive: "Based on the evaluation of our controls against your risks, we assure you our service is secure and will not bring any additional risk to your organization when deployed by you." When I told him that, he agreed. Now, as we speak, I am helping him reframe his responses, turning them from a defensive into a defensible position.

Converting Security into a USP

Why am I telling you this story? Just to illustrate that having security controls for cyber defense and information protection is one thing. Having third-party validation and showing compliance is another. It is an entirely different thing to turn it into a USP and win the customer's trust.

In today's world, information and cyber security has taken center stage, and it is no longer just another technical detail. It is a business driver and a USP. Thus, it is important to understand the difference between these three facets of security (controls, validation, and USP) and leverage them for business.
