How to Speak to Clients About Your Security Controls: 4 Most Common Questions

August 12, 2021 | By: Alex Hewko

The 4 Most Common Questions Clients Ask About Security Controls

Does your system have the right security controls to be trusted with another company’s data?

It’s a fair question.

In 2018, the Ponemon Institute found that 59 percent of companies had experienced a data breach caused by one of their vendors or third parties. These attacks reached the target company by going through a weak link in its supply or vendor chain, and third-party breaches increased further in 2020.

It’s like a bully picking on your friend to get to you. It often works.

As a result, businesses have become much more concerned with the security posture of their potential partners or the services they choose to use.

Has a potential client or partner started asking difficult questions about your security posture that leave sweat beading on your brow? Take it as a good sign. It means they’re serious about security.

Answer These Common Questions About Security Controls Like a Pro

These days, cybersecurity is rapidly becoming much more formalized. As a result, it’s becoming more likely that potential clients and partners will ask you about your security controls.

Having answers ready shows that you’re proactive and competent. Here are a few pointers for the four most common questions that we see fielded by clients, as well as a few of the worst answers we’ve seen that you should never give.

1. What Data Security Measures Do You Have in Place?

Data security covers a lot, so if you’re confronted with this question, be mindful that your answer is specific and relevant.

In our experience, “data security” can often be a catch-all term for general security policies. While it does include things like password practices, authentication methods, and what antivirus you use, be on the lookout for instances where the client seems to be fishing for something else, like whether you’re compliant with certain regulatory standards.

When confronted with questions about data security, do:
  • Be specific about what data you collect, how you store it, and what you do with it (and how you know). Having visibility into your own network is one sign of a strong security posture. You should have this information ready to discuss and documented in a data privacy document.
  • Discuss specific data security tools or policies you have. This is especially important if you’ve gone remote like many companies and your employees are telecommuting on company devices from home.
  • Emphasize the security of your cloud. You must be able to prove that you can protect data not just within your office, but also as it moves between devices or from device to cloud. Take the time to mention the data security measures you use for your cloud services.
Things to avoid when confronted about data security:
  • Don’t tell them you “don’t store any data.” Unless this absolutely is 100 percent true (in which case it’s a good answer), you risk sounding like you don’t know what you’re talking about.
  • Don’t reassure them that your passwords are secure and as such, you’re golden. Password strength is a part of data security, but it shouldn’t be your only control. Even if it’s not, providing more detail on other areas of the security program helps prove you know what you’re talking about.
  • Don’t use your physical locking file cabinets as a selling point. Unless you operate in an industry that requires physical copies of certain documents, you’ll just look like you’re behind the times.

2. How Do You Keep Your Software Secure?

Would you install an app or a program if you weren’t sure it was free of malware? If there was even a question in your mind that it was dangerous, you wouldn’t.

With third-party and supply chain attacks becoming more common, potential clients and business partners are now asking hard questions about things like software security.

When you are asked about software security, positive things to do include:
  • Talk about security automation in your DevOps. Whether you’re running automated pentests or leveraging threat modeling software, make it clear that security is an integrated part of the design, not an afterthought.
  • Explain what pentesting or red teaming is if you use those services (or do them in-house). Both are good strategies for hardening your software’s security posture. They both also require considerable time and energy to carry out, which emphasizes your commitment to security.
  • Mention your regular security code reviews. A security code review is the process of combing through an application’s code to find weaknesses in the code itself. Having regular reviews indicates that you emphasize writing secure code.
Things to avoid when asked about your software security include:
  • Don’t tell the client you have a security expert on your team when you actually don’t. It’s a set-up for failure if there is actually a need for a security expert down the road, and you don’t have the promised resource available.
  • Don’t redirect the discussion to system security. An excited spiel on firewalls tells them that you either don’t know the difference, or don’t have any software security. Even if you have strong perimeter defenses, your applications need to be secure, too.
  • Don’t say you’ll “check with the developers for those details.” Developers are experts in code, not security. That’s why there’s such a big gap between the two. Offering to check with the developers is another way of admitting you’ve got nothing.

3. What Physical Security or Access Control Measures Have You Implemented?

Things may happen in the cloud, but physical access control still matters. This is especially true if you operate in an industry like healthcare, where the law requires you to have physical security controls.

Cyber breaches don’t just happen over Wi-Fi. Should a malicious actor gain physical access to a device with sensitive data on it, the end result will be just as bad.

When presented with questions about your physical security or access control measures, do:
  • Discuss the specific access controls on your server rooms. Is access by key card, with only certain cards authorized? Do you use biometrics for access control? Those are very important factors to mention.
  • Include any specific services designed to improve observability or visibility into your cloud ecosystem. Services for cloud platforms like AWS exist to standardize things like account permissions, file encryption, and more. Don’t be shy about mentioning these because they’re a step beyond an off-the-shelf cloud security solution.
  • Let the client know if any data is stored off-site. It’s common for businesses to store backups with a managed services provider off-site. That can be a tremendous advantage during a disaster.
Things to avoid when asked about physical security or access control measures:
  • Don’t let the conversation focus on how secure your facilities are. It might sound like a good talking point, but it ignores the reality that 30 percent of data breaches are conducted by internal actors. It also runs the risk of making it seem like you don’t have a solid grasp on the topic.
  • Don’t tell them that “everything is digital.” Even if it’s digital, it’s stored on a server somewhere. Likewise, computers and mobile devices need physical access control, too.
  • Don’t blow off the question. Physical access control is an important part of cybersecurity, even if it doesn’t seem like locking your office doors has anything to do with preventing hackers from accessing your data.

4. What Security Training Do You Provide Your Staff?

Providing your employees with the proper training is crucial for maintaining a strong security posture. Your employees are the first line of defense in many situations. When they’re able to recognize phishing attempts or spot unusual account activity, they’re better prepared to thwart threats. Asking about the security training a company provides its employees is also a great way to get a look into their culture.

Things to avoid when asked about your security training:
  • Don’t tell them how you have very experienced staff, so you don’t feel they need any more training. Even the best of us need refreshers every so often.
  • Don’t tell them that your system or software security is enough to prevent a breach. The best and most secure tools are only as strong as the employees’ knowledge of how to use them correctly.
  • Don’t provide a vague explanation that “the developers have their own thing for training.” This reveals a gap between you, your development team and your security.
Preparing Security Controls Early Saves In The Long-Term

Answering questions about your security controls can seem like a chore, but it’s becoming an increasingly important vetting mechanism for potential clients or partners. By answering questions thoughtfully and thoroughly, you demonstrate that you not only have a strong security posture but also take the topic seriously.

Preparing for these questions early means that you can move through this process more quickly and help your business land more deals. Spending less time on each security questionnaire as it arises also leaves you more time for other priorities.

We’ve covered four areas where you’re most likely to face questions. We’ve also shared our best tips and some of the worst answers, the ones that would create doubt about a vendor. The next time a client has questions, you’ll be ready.

Wondering how secure your software is? Start a conversation with us and discover how pentesting can help your DevOps team securely ship more code.
