You’ve probably seen it before: you are courting some customer, and they actually have a security team, one that actually audits its partners and vendors and actually insists that security matter to the company. This customer wants to perform a security assessment of your organization. It might be an automated web scan, or it might be a full-blown ISO assessment. Your sales/marketing/whoever person sends off an email like this:
Subject: Fwd: Security Assessment for widget services
Hi Guys, this is a huge opportunity for us but the customer would like to perform a security assessment before we move forward. It sounds like a great opportunity to get some free ethical hacking done and know what kinds of issues we have. What information do you need to allow them to move forward?
So, when you get this (and you eventually will) here are some things to think about.
Stop calling it free, there is always a cost
I don’t care that you didn’t hire this customer to perform the assessment; there is still a cost associated with it. Best case, it is only a network-based web scan and requires nothing more than permission from your team. Worst case, it is a full-blown assessment where you have to answer questionnaires, provide evidence, accommodate interviews, perform your own information gathering, and possibly host an onsite team that assesses your infrastructure. The costs in that case can be significant, and not knowing up front what the scope of the testing will be is an open door to all kinds of problems.
Then there’s the cost of letting a customer you are trying to close a deal with get the upper hand: they end up knowing your systems and infrastructure inside and out before you are even doing business with them. Most companies have the same “hard on the outside, soft on the inside” problems, and these make fantastic material for a huge list of audit exceptions that work only to your customer’s advantage during negotiations.
So, first rule – it’s not free, stop calling it that.
If your company wanted to know what their security problems were – they would pay someone to find out
Your customers are the last people you want learning about your security problems before you do. If you want to know what problems you have, hire someone. It’s not that expensive to find out, or at least to get a starter list that should give you 12 months’ worth of work. Fixing the problems is where the real cost is. Some are easy and inexpensive to fix, some are more expensive. Either way, you need to decide, as the business owners, which security problems are a priority for your business. When customers start dictating which problems you fix first – as much as it may eventually improve security – it takes away your control over putting resources into the projects that earn money. A secure business that is cash-flow negative is NOT more valuable than an insecure business that is cash-flow positive; the latter is simply living with more risk.
Second rule – pay for your own damn security assessment if you want to know what problems you have.
A good third-party assessment that you pay for should tell you what puts your business at risk
So, you get an assessment from this big customer. They hand you a report that lists all the ways in which you are not compliant with their security requirements for partners. You have to have an IDS at every site. You have to lock your engineers out of production. You have to encrypt all your sensitive documents and communication. Wait – there are only 10 of you in this company? Oh, the engineers are the sysadmins? What do you mean “who’s going to monitor the IDS?” – don’t you have a security team? How do I encrypt my voice when I talk over a cube wall?
Yeah, chances are good that at the end of the day this assessment will find some real security problems and suggest some good remedies. Rest assured, however, that those remedies will not take the needs of your business into consideration. They will take into consideration the needs of the customer’s business, the risks you pose to their business, and ONLY the risks you pose to their business. Do they care that someone could break in and falsify your financial statements? Not if it doesn’t affect theirs. Do they care that someone could steal your customers’ credit card data? Not if it doesn’t affect theirs.
Third rule – that free assessment will be incomplete at best, and completely inappropriate at worst.
Oh, you have an NDA – that’s nice.
What do you think one of the largest sources of information disclosure is these days? Lost backup tapes? Hackers breaching the perimeter? How about some half-awake, exhausted auditor who leaves his laptop behind at the airport? Nah, never.
It’s great that this company will not intentionally disclose information about your security. The problem, however, is what happens when they (or your own employees, for that matter) disclose it unintentionally. So you’ve got an NDA that says that if they disclose information about your company you can sue them. Does it cover any third parties they use to perform the assessment? Do you sue yourself if one of your employees loses the information?
Once you collect security information about your business, once you create that documentation, you have to protect it. If you hire a third party yourself, you can ask them how they protect it. Try asking Miss Big Customer how she intends to protect your information. Who else does it get shared with? Who could audit THEM and be handed information about YOUR COMPANY? You might get a good answer – you might not. The point is, as part of this assessment there is information about your security posture floating around in someone else’s hands, and you do not control it.
Fourth Rule – Understand how the information that is gathered will be protected, and what risk a disclosure of it would impose on your company.
Lastly, is this really a customer you want?
This isn’t so much a question of security as a question of how you run your business. It’s fair for a company to perform security testing of a partner it is about to do business with. The more risk you, as a partner, pose to the customer, the more appropriate it is for them to have concerns and want to understand how you will affect their security. That said – be honest with yourself. If you haven’t done any assessments, if you are a small company whose applications aren’t coded and tested with security in mind, if you have no policies, no standards, no security infrastructure, and you KNOW you would fail even the most modest audit – why would you let a customer come in and tell you all your problems?
I think that if a customer wants to assess your applications and tell you about any security problems they find, that’s probably not a big deal, and in the end it’s information you want to have. I do not think you should invest any more effort in it than the email you send granting permission. Beyond that, if you know you don’t have good security, don’t let some customer drag you and your employees’ morale through the mud telling you what you already know. Tell them you would be happy to review their security requirements and get back to them on whether it makes sense to move forward. If it doesn’t make sense, if you aren’t committed to meeting those requirements, put some of the important ones on the roadmap and say “thanks, but no thanks – let’s talk in a year”. Chances are, if things are starting out this way, the customer will be high maintenance all the way, and if you cannot afford that, stop now. If they are really interested in doing business with you, you now have the negotiating power, not them.
Fifth Rule – Be realistic, if your security sucks don’t let a customer be the one to tell you.