I read an article last week about Wal-Mart forcing some of their vendors off Amazon’s cloud.
Wal-Mart has an incredible amount of leverage over their vendors so my guess is that most SaaS providers probably went along with Wal-Mart’s request.
This type of thing isn’t uncommon in the world of vendor management. I have personally worked with high-growth companies and service providers who land a “dream” client, but, to move forward with business arrangements, have to change business processes or spend hundreds of thousands of dollars on security and compliance initiatives.
Most times these investments in security upgrades are well deserved (and sometimes not). Moreover, these companies are probably being audited for the first time and being asked for things like SOC 2 or ISO 27001 reports.
If you think a customer audit is in your future, here are a few things to consider:
5 Tips for Communicating with Prospects
- Complete and document an internal audit before anyone ever asks for it. This can be a simple checklist based on ISO 27001. If you have gaps, try to close them. If you can’t close gaps, prepare a statement for prospective customers and business partners in advance.
- Prepare and document an internal security evaluation report. One mechanism to effectively disclose your security posture to prospective clients and business partners is via an internally prepared report. This report can be modeled after any popular security framework, and provides context for effective conversations with prospects.
- Identify and document solutions in advance. Instead of waiting until the last minute to resolve issues, initiate relationships with potential technology vendors. Understand the timeline and cost to implement their product. Avoid the last-minute rush-to-compliance that costs your organization a lot of money. This also gives your clients assurance that you have begun the vendor selection process.
- Start building security and compliance initiatives into your project road-map and budget. While security and compliance are often an after-thought to developing and selling a great product, they shouldn’t be ignored. If you build security and compliance projects (even little ones, like writing policy) into a business-as-usual approach it makes the coming audit far less painful. It is also a great thing to be able to communicate to clients.
- Understand your client’s pain-points and specifically address them. Sometimes compliance isn’t all or nothing. There may be a specific item of concern for you to address. This may be the way you transfer or store data, or it may be your HR policies. Ask prospective clients specifically what they care about and do a great job communicating what you are doing to alleviate their concern. Often, this is enough to avoid further customer audits.
Let’s Get Started
If you are on the verge of a customer audit contact us, and we can help you with a plan to communicate your story.