As a customer-first company, Horangi spends a lot of time engaging with companies of all sizes and talking with executives and salespeople. Lately I have seen a growing sentiment that cybersecurity is becoming a strong sales enabler and accelerator, especially in Asia. I sat down and wrote this article to help demonstrate why it’s important to spend time and money on your organization's security. Whether you are a CEO, CTO, or another executive, I hope this information helps to clarify the added benefits beyond data and reputation protection.
Establishing Third-Party Trust: An Important B2B Component
Cybersecurity has a huge effect on the B2B sales process. No large organization will work with you if your internal security is not in a good place. What requirements do you actually need to satisfy? Here are some top ones that can be found in most third-party security questionnaires:
- An Incident Response Plan
- Internal Security Policy and Data Protection Policy
- Regular security assessments
- Third-Party Information Security Questionnaire (TISQ)
- ISO 27001 or SOC 2 certifications
Meeting Local Security and Privacy Regulations
With frequent news of data leaks and Personally Identifiable Information (PII) being sold on the dark web, consumers today are a lot more educated about security. Demonstrating that your website and payment gateways are secure gives customers far more confidence in putting their data and financial information in your hands. In most cases, using a trustworthy website builder can help avoid such issues and provide good site maintenance.
Regulators are also doing their part to ensure a consistent level of security, with stringent requirements and hefty fines for breaching those mandatory requirements. In Singapore, where Horangi is based, for instance, the Personal Data Protection Act (PDPA) requires companies to establish secure data management practices or face financial penalties of up to 10% of a company’s annual turnover.
Here are some resources that we’ve created in relation to PDPA and data privacy:
- How Will PDPA Affect Your Business?
- DPO Guide Pt 1: Master Data Protection
- DPO Guide Pt 2: Gathering Management Support
- DPO Guide Pt. 3: Forming A DPO Team
Taking the example of Singapore again, the Monetary Authority of Singapore (MAS) also maintains the MAS Technology Risk Management (TRM) Guidelines, which all financial service institutions (banks, insurers, fintechs, payment firms) are expected to abide by, especially if they wish to acquire specific business operating licenses.
We have written many articles on the MAS-TRM and Cyber Hygiene requirements, but if you are a regulated entity, or provide software or services to a regulated entity, the bar is even higher.
Procurement & Marketing
As a B2B company ourselves, we are constantly asked about our internal security posture, especially when we work with big organizations. And this alone is a big reason our customers turn to Horangi to improve their security posture — to put themselves in a better position to work with other organizations.
In many cases, an organization cannot bid for a government or enterprise tender if it doesn’t have a proven internal security standard. However, when the company has a robust security posture and can show it with compliance, it becomes an added bonus that helps win tenders. These high security standards can also be a means of marketing, to stand out against competitors.
A company’s CISO becomes another selling channel that generates high-quality leads when they can connect directly with the CISOs or CIOs of potential customers. CISOs and CIOs often play a deciding role in the procurement process, and they are more willing to recommend vendors with a higher security standard. This is especially important for clients with stringent security requirements, such as those in financial services or other regulated industries. Moreover, for a SOC 2-compliant company, it is actually a requirement to use a SOC 2-compliant vendor.
What Does Horangi Do Now?
Horangi is currently in the process of pursuing SOC 2 compliance. It is a challenging journey that we believe will ultimately pay off. Instead of spending a week filling in a Third-Party Information Security Questionnaire (TISQ) for every client and still risking the contract because of perceived security gaps, Horangi will soon be able to show a universally accepted SOC 2 report.
Not only does this help us satisfy standard security requirements, but it also provides that competitive edge over other similar companies.
Depending on the initial state of the company’s security posture, the size and complexity of the company, and the resources of the Internal Security and IT teams, SOC 2 compliance may take as long as a year or two to achieve. The journey starts by understanding the current state through a cybersecurity assessment (a.k.a. gap analysis) and creating a remediation plan. Automated tools can help achieve compliance faster. At Horangi we aim to achieve compliance before the end of 2021.
While working on achieving compliance, Horangi’s internal security team regularly receives questions from clients about how safe their data is with Horangi. To keep clients’ data secure, Horangi operates continuous cloud monitoring, EDR, and DLP solutions. To verify the effectiveness of these controls, Horangi regularly undergoes both internal and external security assessments.
What’s On Horangi’s Horizon?
In conjunction with us achieving SOC 2 certification by the end of the year, we plan to launch a media campaign to announce this achievement that demonstrates our security posture and credibility as a security provider. We see it as our mission to improve the level of cybersecurity in the region and to help companies innovate without fear.
At the end of this arduous journey, we look forward to sharing our experience with the community to help others accelerate their own SOC 2 certification process.
Ultimately, even as we continue to mature our internal CSIRT and secure product development process, we are seeing cybersecurity gain recognition as a powerful sales and growth enabler. From the perspective of a security company like ourselves, that is always good to see.