informa
/
Risk
Commentary

Are Security Attestations a Necessity for SaaS Businesses?

Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?
In 2011, Silicon Valley tech gurus predicted that software will eat the world. Today, we are living in that future, as most businesses use cloud-deployed software. It's not just in marketing or finance; IT security is also awash with software-as-a-service (SaaS). For perspective, nearly 90% of organizations use SaaS apps to run their businesses.

SaaS tools are popular because of advantages such as faster deployment time, minimal management hassles, no upfront hardware costs, and easy scalability. However, many business customers have deep concerns regarding the security of cloud apps.

Most organizations ask potential SaaS vendors to provide their compliance credentials, and some companies decline to even sit for a demo call if a SaaS vendor is not ISO certified or SOC 2 compliant.

Vendors, especially startups, have a somewhat different perception. Most bootstrapped startups either completely gloss over security attestations or get certifications as an afterthought. This is primarily because these certifications are expensive. Startups would rather invest money on product development or customer acquisition to make a profit. This got me thinking about a few questions:

  1. Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?
  2. If they're becoming the new business norm, which security attestations are a must?
  3. How can you validate SaaS startups that claim they are secure?

To get answers to these questions, I turned to my peers in the cybersecurity industry. I talked to several experts and recently ran a poll on LinkedIn to see what they thought about this topic.

Trivedi_LinkedInPoll.png


The poll is closed, but you can still add your comments.

Understanding Security Certifications
The most common security certifications are:

  • ISO 27001 tells which specific processes, services, systems, or departments you want to protect as defined by your information security management system policy.
  • CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best practices to help fortify your cybersecurity. You are usually required to map your CIS Controls to ISO 27001.
  • NIST offers a combination of existing standards, guidelines, and best practices. It is a prerequisite for achieving HIPAA or FISMA compliance.
  • Systems and Organizations Controls 2 (SOC 2) are criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

CIS, NIST, and ISO 27001 are good starting points for most SaaS startups, but they don't give the complete picture of an organization's overall security posture.

For example, if you're considering buying a certified app from a SaaS vendor, you still have to do the due diligence and audit other aspects of their DevSecOps. That kind of double auditing is a little extreme in the fast-moving SaaS world. Also, these certifications are only as good as the enterprise following them outside the audit cycle. Another caution is that some certifications are symbolic of compliance. Many security leaders have been sounding the alarm that compliance doesn't guarantee security.

Trivedi_TwitterComment.png


CIS, NIST, and ISO 27001 are great at the program level and are good, marketable endorsements; however, they often have little impact on an organization's actual security hygiene.

What is the value of being SOC 2 certified? First, it satisfies compliance with many security audits. It also assures that SaaS service providers handle users' private data securely. It's important to know that, unlike ISO 27001, SOC 2 reporting is not a certification. It's an attestation based on the examination service performed under the AICPA standards. SOC 2 offers wider coverage of your security status and meets ISO 27001 criteria by default. However, if you want ISO 27001 certification on top of SOC 2 reporting, you can do so at minimal additional cost.

There's one small catch if you are planning to get SOC 2 reporting for your organization. Most businesses think SOC 2 is the way to go for cloud security platforms. While that's true, I recommend SaaS companies become certified for SOC 2 Type 2. SOC 2 Type 1 is good when undergoing SOC 2 for the first time. But Type 1 certification won't provide the appropriate level of assurance over the operating effectiveness of controls like a SOC 2 Type 2 over the long term.

The SOC 2 Type 2 report covers security, confidentiality, availability, processing integrity, and privacy. It indicates maturity and is great for solution and service-level implementations.

From a client's standpoint, contracting with a SaaS vendor is easy if the latter can prove its SOC 2 readiness. SOC 2 attestation signals that a company is serious about handling customer data, and it attracts more customers and investors.

If you're a SaaS company evaluating SOC 2 certification, consider starting to create a strategy for implementing security controls and invest in your security awareness program. This will help you foster robust security by design without wasting time and resources.

A Final Word of Caution
Compliance is a formidable business driver; it induces trust and confidence and helps you to stand out in the highly competitive SaaS market. However, security attestations only go so far. Many companies victimized by security breaches have multiple security certifications and attestations.

Compliance and attestations alone won't protect you from a security breach if your vendor partners turn out to be the weak links in your SaaS security chain. If you want to assess the security posture of a SaaS company, talk to their security leader. Ask questions, such as:

  • Do they have a dedicated security leader or a virtual chief information security officer (vCISO)?
  • Who owns the security of their SaaS ecosystem?
  • How frequently do they perform penetration testing?
  • What is their incident response plan?

You will probably learn more about the organization's security posture from that conversation than from their SOC 2 or compliance reports.

Recommended Reading:
Editors' Choice
Kelly Jackson Higgins, Executive Editor
Robert Lemos, Contributing Writer