How Secure is Your SaaS Platform? 4 Questions You Need to Ask

In today’s world, we must capitalize on data to provide personalized customer and employee experiences. And what is the only thing more vital than the collection and activation of that data? It's security.

Customers and employees expect you to protect the data they’ve shared, and maintaining that trust is critical to your company’s success. That means you need a Software as a Service (SaaS) platform that doesn’t treat security as an add-on. You need a platform — and partner — that approaches security as a priority.

To ensure the technology you use values security as much as you do, it’s essential you ask the right questions. Start here with questions for your vendor:

How do you assess risk?

If a vendor doesn’t have an immediate answer to this question, consider it a huge red flag. In general, security risks stem from threats (the potential dangers to your data) and vulnerabilities (the flaws in your operations and/or programs that could allow threats to become real). While no risk (large or small) is welcome, it’s important to note that some have a greater impact than others. The vendor you choose should perform regular risk audits and assessments. A risk assessment takes into consideration potential qualitative and quantitative effects, including harm to a brand’s reputation, financial impact, and time lost to resolve the issue. The greater the risk, the more resources the vendor should allocate to it.

How do you manage your own data?

One of the biggest indicators of whether a vendor prioritizes security is how it handles its internal data. A solid platform vendor will have the technical defenses in place that you expect for your data (detailed in the next question), as well as internal security training to educate employees on expectations for managing sensitive information. Most importantly, the right vendor will be able to clearly communicate the security protocols and measures they have in place. They will understand how important data security is to your brand and take whatever steps are necessary to prove their internal data is protected with the same care yours will be.

What are your defensive layers?

It’s not enough for a vendor to just say they have security measures in place; they need to show you specifically how they will guard your data. A layered defense, which should include firewalls and servers that check for malware and viruses, puts various measures (or layers) in place to keep data secure. No single method on its own can fully protect data. And while it’s impossible to have 100% security, these layers get you closer to it. At the most basic level, the platform should include access control, like role-based authorization. Users should only have access to the information essential to carry out the responsibilities of their job. SaaS solutions should have their own layers built within the program and allow you to integrate your own.

Pro tip: When you’re talking layers, listen for words like multi-factor authentication and encryption.

Multi-factor authentication: In addition to a username and password, this requires another verification step. Look for a platform that has an automated password reset feature, which requires all users to change their password every several months.

Encryption: Simply put, encryption translates information into a scrambled code, which can only be opened and accessed by those with the associated decryption key. At a minimum, the platform you select should offer encryption at rest (e.g., when data is sitting on a hard drive) and in transit (when data is moved to a third-party location outside of your or the vendor’s company).

When does security come into play during implementation?

If they’re not talking security with you from the start, beware. Data security is a serious issue for companies today and should be treated as such by the vendor you select. It should not be “bolted on” as an afterthought. Security and privacy should be “baked” into the program.

Executive involvement in the security process is also a testament to a vendor’s priorities. With their years of experience and knowledge, security leaders truly understand the value of data protection to an organization’s overall success. They should be present for initial conversations and available to engage with any questions or concerns moving forward.

“For most companies, they don't want to ever talk about security unless it's an absolute emergency and they've had a breach. And I think that's a mistake.” - Alex Stamos

The threat of data breaches is real and can cause serious damage to any business. You know how important it is to secure your customers’ and employees’ personal information. That’s why the SaaS platform you choose needs to give security the respect it deserves.

Asking the right questions before you sign on the dotted line can help ensure your data is protected by your brand and the tools you use.

_________________________________________________________________________

Patrick Benoit

Patrick is an Advisory CISO. He is a Security & Privacy Executive, Writer, Speaker, Knowledge Provider, and Seeker. He currently provides Advisory CISO services with Secutor Consulting and has been a Deputy CISO at Cheetah Digital; Executive IT Business Partner at Experian; a Customer Delivery Executive at Dell; and owned a technology consulting company. He is certified as C/CISO, CISM, CISSP, CRISC, PMP, ITIL Expert, and Lean Six Sigma Black Belt. He is a pilot and flight instructor, studies and teaches Aikido, rides motorcycles, and his favorite teaching is “From Chaos Comes Greatness,” a loose translation from the “I Ching”.

Scott Thomas

Trusted Advisor and Customer Advocate | Helping to Transform and Secure Digital Experiences

5y

The castle analogy/example helped drive home your points. Good article Patrick!
