So, you're thinking about upgrading your security program?
What's stopping you?
Not only could you be getting hacked as you read this, but your security compliance could be selling your product to customers who are considering purchases.
Many companies still aren't compliant with the PCI Security Standards Council's latest standards in Web app security, including 42 percent of businesses that handle up to one million Visa transactions per year. How can following the rules make you stand out from the crowd?
Yo! Can't We All Get Along?
In the post-Heartbleed world of cybersecurity, customers are increasingly aware of the need for rigorous security solutions. No industry or application is safe from malicious attacks, as proven by a health-care provider in Tennessee, a major shipping and logistics company, and a one-word messaging app. Though customers are unique, their security needs are universal.
And if they use your software, they trust that every app in your network, not just the ones they use, is secure. Target's December 2013 security breach started with poor Web-security compliance at an HVAC provider's office. If you're on the fence about a comprehensive program that protects internal and external applications, imagine the peace of mind you can sell when your entire network is held to the same rigorous standards. When your whole office is compliant with all major regulations, customers don't have to worry that you'll be the weak link in their networks. Offering security compliance that meets all criteria expands both your customer base and your credibility.
The only thing more complicated than readying one product for the global market and its various regulations is readying thousands of products and background apps and constantly ensuring their compliance. Companies employ hundreds of teams who build and operate thousands of applications — keeping each one compliant is impossible, right? Wrong.
Instead of simply offering a service or product, executives must ensure that development teams consistently go above and beyond the most exhaustive compliance standards.
The PCI Council's online credit-card payment and similar banking regulations are some of the only current standards that are actively enforced. And it's a struggle for them to achieve widespread compliance among medium-sized businesses.
Think of it this way: Would you leave priceless family heirlooms in a safe-deposit box inside a bank that simply locks its door, when the bank down the street has a safe-deposit box, a time-delayed safe, steel-reinforced doors, and sharks with laser beams on their heads? (Obviously, Dr. Evil was on to something.) Software-as-a-Service (SaaS) customers feel the same way. So offer them the sharks. Even if their apps and data are protected, it's better when everything around them is safe, too.
To some, ensuring the constant compliance of thousands of apps managed by multiple teams seems like an excessive expense. Then again, one untested app built by that team of interns could allow hackers a way into every app in your network. If you aren't running a comprehensive and compliant security program, you might as well not even buy a basic antivirus. Okay, that's probably going too far — but my point is, you have to constantly look out for the tiny mouse hidden in your houseguest's pocket (aka your developer's code).
As if that weren't a tall enough order, clients are learning that even if your client-facing offerings are compliant, weak back-end security can grant hackers access to their systems through yours. Onboarding third-party applications is a real leap of faith. Make it less scary by offering proof of compliance for every product you offer and every app you use in-house.
Sell Capability, Not Necessity
If you're selling a Web service, you and your customer both hope that the capability of your security systems will never be tested — but in reality? They will likely be attacked. Are you doing everything you can to make sure that attack fails? Comprehensive security compliance is easier than ever before. The latest services roll everything from app inventory to testing to third-party verification into one offering, meaning that the only work you have to do is implement the service and educate your teams. Scale is no longer an excuse for lax security, and customers know it.
Can't Buy Me . . . Cred
Falling victim to a major security compromise can cost you millions before customer reparations are even taken into account. The one thing money can't buy in business, however, is reputation, and losing your trustworthiness in the eyes of consumers can be more damaging than any financial loss.
Being a leader in security compliance isn't just selling peace of mind; it's saving the customer future expenditures. Your service is only valuable if it really does save the customer time and money. No number of efficiency gains can offset one security breach, so when you're selling a service, don't forget to sell safety — your laser shark — right along with it.
Photo Source: Flickr