As a customer, selecting the right solution in the wide SaaS world can be a journey. The choice available is huge and solutions compete on features that provide more or less innovation. Just like many of you, I did it in my career, both as a customer and as a provider. Usual business: defining needs, selecting a range of solutions, understanding scope and functional coverage, understanding the tech and the deployment. And of course, understanding the value and what it will bring to the users and to the business, as nothing should be done without business in mind.
But then comes the security. And everything is about security.
Security matters switched rapidly from on-premises to cloud. This was a major shift for security. No more servers to manage or to upgrade with the latest security patches, no more backup or disaster recovery plan. Gone are the administrators who had rights of life and death over your applications and data. Cloud brings reliability and security.
Does it, really?
Cloud security became more or less the Holy Grail of security, an idea reinforced by massive communication from the major cloud providers. And it was true at some point, a valid statement regarding administrative and technical tasks. But many missed the truth and forgot the Achilles’ heel: the human factor.
Humans are the final decision makers on security, and humans are its worst and ugliest weakness: private interest.
In fact, in this new cloud world, you won’t only delegate administration to a third party… You will delegate what you should consider the most precious thing: your data. Your users’ and employees’ data. This data deserves more than security standards and compliance.
These days, closing the security chapter with a partner deserves more than GDPR and ISO compliance.
Of course, ask your provider for more than ISO and certifications. Ask for their internal procedures. Ask how data is managed and who has access. Ask how that access is granted and controlled. More importantly: this information should be proactively discussed and made available by your provider. If everything’s transparent and there’s nothing to hide, they should offer you a security deep dive, describing how day-to-day life will be, how they will secure your data with what they have today and what they will get tomorrow. Meet the CSO, the CTO, the CPO. Meet the team that built the product and that will manage it for you. And ask the hard questions: How? What? When?
Because it’s all about trust and trust must be earned. Security has nothing to do with promises and light answers.
We’ve already seen many public examples about security and trust and how business partners and suppliers handle this with their customers.
In B2B, the enterprise business, would you trust a SaaS provider whose main business lies in B2C? Why not, of course. But only with an enforced security review. Because, as written above, private interest is never far away. Everyone is looking for gold, and in this case, the gold is your data.
One of the most currently discussed examples is Facebook.
First came the Cambridge Analytica privacy scandal (among multiple sources, Techcrunch reported on this), where it came to light that data was used by a third party under the supposed security control of Facebook. Such a case should raise the most important question: should I trust such a giant to manage a crucial part of business and data, based only on its reputation? A very important question, as Facebook is in the B2B business with its Facebook Workplace solution.
Some said yes. What a disillusionment.
Second came a bug in the password management system: this cloud major stored millions of users’ passwords in plaintext, accessible to thousands of its employees (source: Wired). An explanation has been released (Facebook newsroom), but it reads as just another excuse, one that shows a misunderstanding of both security and customers. As a professional, think about what would have happened if you had selected such a provider for your B2B needs.
Would you trust a company with this kind of security track record as a trusted provider? Would you run the risk of being exposed during the next scandal?
In consumer business, there’s room for these practices to be acceptable. There will always be users who won’t worry about security, or who will tolerate the risk because the solution brings enough value. In B2B, it’s simply unacceptable, because professionals are buying solutions for their users and employees, on their behalf, and become responsible for their business’s safety.
I expect my customers to ask the hard security questions. I invite our teams to engage proactively on this. Not only by providing security certifications (required, of course), but also by describing in detail how access is granted, how data is stored, by whom and under what controls. Procedures and processes have to be explained and described. Even if our solution is built on top of a major cloud provider, we can’t rely only on its certifications and reliability.
It’s a tough job, but trust has to be earned and security is all about trust. This trust is based on risk management, and this risk should then be an open-book discussion with your provider.
My advice and “mantra” about truth for security
- Reputation and past behavior on security should be part of the main decision criteria
- Ask for certification, but not only: go deep on security. It’s all about working jointly with your provider, not about checking boxes
- Meet key people that will manage part of your solution and data, ask for a commitment from top management, grow a personal connection with them
- Simply run away from a provider that pushes back on any of these things: aim for simple and open, no compromises.
You can select the best business solution in the world. But in the end, if it’s not secured, you will destroy its value. At worst, you’ll put your company at risk.
So get tough on security, get tough on questions, get tough on reviews and discussions with your partner and provider.
Get the best out of your SaaS: ask for an uncompromising truth for security.