The security compliance program of an enterprise is a core function in the achievement of sales, maintaining regulatory and contractual obligations, meeting the security challenges in a connected world, and achieving a balance of consistent operations while returning a profit for the business. A challenge within these programs, and especially for businesses do that do not have a consolidated mature program operating at the executive level is the transparency of cost and improvement of margins within operations.
Transparency of cost relates to the costs of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs related to reporting to third parties on the state of the compliance and security program. Cost of such can exist in any of the following scenarios:
- Sales person seeking to close a sale brings onboard an engineer and product manager to speak to / commit on security and regulation safeguards. Such initiation of new agreements may require a 250+ questionnaire to be completed by such an engineer that typically requires additional parties to respond – resulting in roughly 30-50 hours of engineer time x % of new deals signed annually)
- Help desk pulling in engineers to respond to security / compliance question submitted online (roughly 1-3 hours of engineer time x # of customer requests)
- Annual queries directed at engineers, leadership, product managers, and sales teams demonstrating security and compliance programs exist or controls specific to customer request are satisfied. Such annual queries may involve questionnaires as mentioned above (30 hours approximately to address), on-site audits, and 3rd party audit reports.
The end result of this singular area of cost is time taken from valuable engineers away from developing product, improving product, and executives focused on tactical activities. In addition, a non-optimized security compliance program does not gain any leverage by the above activities, so each activity is repeating past work. Zero scale is achieved.
Reflecting on your organization, improvements can be gained. An attribute that has proven beneficial is to consider the following that easily measurable and can be tracked:
- What is the unique number of security and compliance controls deployed within the products & services?
- What is the number of queries for each period?
- What is the number of FTE hours to address these queries? (the above are averages that I have seen, but analysis is worth refreshing for your organization)
- What is the number of interactions the individuals have with the customers?
- What is the current central approach to meeting the needs and responding to such queries?
The last question is leading to the idea that the program should be centralized in a manner to manage these questions centrally. This provides scale, lessons learned, and coordination across the business. The program itself when designed and tracked in such a manner becomes part of the sales process, account maintenance, and a regular touch point for the customer. Establishing the proper executive leadership and integrating this program is critical to every direct to consumer business, and more so for the rapidly growing technology services sector.