Is your security compliance program sustainable?

As a greater number of enterprises transform their products and services so that they can be delivered to clients directly, the increased dependency creates obligations for both parties. Specifically, as technology services are adopted by enterprises and greater dependency is placed upon the relationship, regulations and customer requirements will be pushed down to these service providers. This typically does not occur immediately, but only after the delivered services become more integrated and reach a material state within the enterprise. (An example would be leveraging a cloud service provider to farm out specific servers that then become the financial reporting servers, which introduces SEC, IRS, and SOX requirements.)

Establishing a developed security compliance program is paramount to meeting customer requirements in a timely manner, actually having appropriate security and compliance safeguards in place, and ensuring the business maintains a profitable service.

I have discussed the maturity, responsiveness, and adequacy of security and compliance controls before, so they will not be the focus of this article. Instead I want to highlight the third requirement – which the business may consider MORE important – and that is profitability.

The common program experiences the following scenario:

[Figure: screenshot, 2013-01-09, showing the level of effort growing in direct proportion to customer growth]

The growth is great, and responding to customer requirements is expected. The surprise for most businesses is the direct 1:1 relationship that exists between customer growth and compliance effort, and the lack of scalability without some program in place. As the business sells more and the clients become more dependent, the need to keep the customer increases, to the point that inquiries begin with simple SOC / certification confirmations and evolve into questionnaires and, in some cases, detailed on-site audits. These activities also generally impact the product and service development engineers directly.

[Figure: screenshot, 2013-01-09, showing the staggered growth in effort under a centralized program]

Establishing a centralized program instead changes the picture above to a more staggered growth rate in the level of effort and FTE costs associated with the security program, thereby providing better margin and sustainability through scale and coordination.

This is a single example of the value of a developed security compliance program. What other attributes exist?

Kind regards,

James DeLuccia
