When it comes to building trust with your customers (and a big part of that is responding to customer security questionnaires), there are table stakes, and there are bids that up the ante. Conveyor has evaluated the security policies and procedures for over 150 leading B2B SaaS vendors, and from that analysis, we have identified what is a “must-have” when it comes to transparently sharing your security posture versus what helps an organization stand out from the pack. 

In today’s marketplace, having a strong security posture is a competitive advantage, so read along to understand what you need to do to keep up with the Joneses, versus what will set you apart.

What are Table Stakes in a customer security review?

After analyzing the security postures of leading SaaS vendors and comparing the information publicly shared across a spectrum of maturity scores, there is a clear baseline of security information that organizations are making publicly available, either on a Trust page, in public documentation, or in another section of the website. Even within this ‘table stakes’ information, there are differences in what level of detail is the ‘bare minimum’ and what level is ‘great’; the latter is likely to fend off additional security questions. It’s not necessarily about the maturity of your security program, but more about the transparency that you show up front to your prospects.

When it comes to building trust with customers, many (if not most) companies are sharing the types of information below, and you can expect your customers to evaluate you on these as well:

1. Do you have a Privacy Policy?

This may seem like a no-brainer, but shockingly there are some companies that do not have a Privacy Policy published on their website. However, it’s incredibly rare to not find a public privacy policy (in our sample of 150 vendors, everyone had some form of a privacy policy). That’s likely because, although it is not technically required in the US at the federal level, many state, international, and trade-specific laws will require you to have one. A basic rule of thumb: if you collect any personal information on your website visitors (e.g. IP address, or personal information entered on a form), you need to have a public Privacy Policy.

2. Do you share details about how you encrypt data?

Given the amount of data typically shared and processed by a SaaS product, it’s no wonder that any potential customer will care about how you encrypt data. Consider, for example, evaluating a SaaS product like Salesforce. If you’re a Salesforce customer, you would share your customers’ personal information as well as your company data like pipeline, revenue, etc. If Salesforce is breached, the impact to your business would be catastrophic.

To pass the most basic sniff test (i.e., achieve baseline), you must share with your customer that you encrypt data. But in our evaluation, 74% of B2B SaaS vendors go beyond that — disclosing that they encrypt data at rest and in transit, as well as the specific encryption protocols used.

Here’s an example of Airtable’s Data Encryption Policy, which scored “great” in this category.

3. Is there a simple system diagram? 

Part of the work your customer has to do during a security review is to understand what the heck the product does, what systems it integrates with, etc. Providing a basic system diagram to explain how the product works and how it’s hosted will go a long way in building trust with your customers (and saving them time). 

If you want to go beyond the baseline and into the good/great category, consider having more explanation of the various integrations and documentation on how to set them up (83% of the vendors in our Network scored “great” for having detailed documentation on integrations).

Here’s an example of a system diagram from AppDynamics, which scored “great” in this category.

4. Public Security Policy

Ah, another public policy! For this one, “Baseline” is just having a security page that describes steps the company takes to safeguard data, and 96% of the companies we evaluated had one. So, you should, too. Surprisingly, only 57% of companies scored “great” in this category. See below on how to improve your policy.

Here’s an example of Asana’s security policy, which scored “great” in this category.

What “ups the ante” when it comes to building customer trust?

If you want to move beyond just “keeping up with everyone else”, there are a few additional components of your security posture to share that will help you ace the vendor security review and build trust with your customers faster. Making sure your policies on the items below are transparent to current and future customers will help you avoid being asked the same questions again and again on vendor security questionnaires.

5. Do you have a SOC 2?

This is becoming increasingly important to customers who are evaluating you. According to Deloitte, the request for a SOC 2 accounts for at least 50% of the requests from organizations that are looking for security attestations. We debated putting this in the “Table Stakes” section, but the fact that Privacy Policies, Security Policies, Encryption, etc. are all relatively easy to set up — whilst a SOC 2 audit is a legit undertaking — made us list it in this section.

Of the vendors we reviewed, 21% only vaguely mention that they have a SOC 2 on their website, with no indication of how to request a copy. 22% make you manually request it. More and more companies (47%, in fact) are making it easier for prospects to get a copy of the SOC 2 through a self-service request flow.

Here’s an example from Freshworks, a vendor who makes it easy for prospects to request access to a SOC 2 through a self-service request flow.

6. Do you outline the identity management capabilities of the product?

Identity management is becoming more important than ever. This is not surprising, given that in 2020, 81% of data breaches were due to compromised credentials. According to Conveyor’s rating system, a “good” or “great” score is earned by vendors who provide clear documentation on how the platform is accessed, including documentation on MFA. To get a step ahead, include not just MFA but SSO/SAML. The more transparency you display upfront, the fewer questions you should receive on a customer security review.

Here’s an example of DialPad’s page with detailed information on their identity management protocols.

7. Do you have a public subprocessor list? 

Given the increased attention on third-party vendor risk (not to mention fourth-party vendor risk), it’s a relief to see that 75% of vendors evaluated at least scored a baseline in this category (baseline being that they had a list of their subprocessors on their website). Many customers, however, will need to know more about the subprocessors you use. Providing the additional information recommended in our tip below will help set you apart as an open, transparent vendor.

Conveyor publishes a public subprocessor list, along with additional detail & a way to subscribe for updates.

8. Do you perform penetration testing & share information about vulnerability data?

With supply chain vulnerabilities and business logic flaws rampant in SaaS today, companies that proactively identify vulnerabilities and report out to customers on the health of their patching program have a leg up when it comes to building trust. Conducting regular penetration testing is becoming a requirement during customer security reviews, and the most transparent companies are willing to share the results of those tests with some sort of NDA or other confidentiality agreement.

GitLab conducts regular penetration tests, and allows access to the results for their customers.

If you don’t currently have a strategy for penetration testing, this article from the Cloud Security Alliance gives some good basics and how-tos.

What will set you apart from the competition?

1. Be transparent

At Conveyor, we believe that the best way to build trust with your customers is through transparency. As stated above, it’s relatively simple to go from baseline to “good” or even “great”, especially for things like a public subprocessor list and your data encryption policies. What will really set you apart from other companies in your space is improving transparency with your prospective customers on what your security policies are. You could have the cleanest shop on the street, with the best products inside. But if you keep the windows boarded up, how is anyone to know? Be open. Be transparent. And make it easy for your customers and prospects to stay updated on the information that matters most to them. It will be a better experience for your customers and will reduce the amount of time you spend answering ad-hoc questionnaires.

2. Enable self-serve access

In addition to increasing transparency, another way to set yourself apart from the competition (and, just as importantly, increase efficiency on your end) is to give customers self-serve access to the security information they need. Many organizations have a Security or Trust page on their website that they can direct prospects to. These pages typically include Frequently Asked Questions as well as a listed contact for information that would typically reside behind an NDA.

Conveyor customers usually have a combination of a Security page on their website, with a link to their Conveyor Room. Customers and prospects can request access, the security team can review & grant access in near-real-time, and then the user has access to both documents as well as FAQs (and it’s automatically NDA gated and watermarked). If you want to learn more about how to use Conveyor to automate the process of building trust with customers, click here to learn more & sign up for free.