A successful business capitalizes on opportunities while minimizing risk. We in Information Security, Risk Management and Compliance know that our job is to minimize the risk allowing the business to maximize opportunities.
This perspective is one of the foundations of OCEG GRC Principled Performance1 framework. The benefit of the opportunity (i.e., the ROI) is often reduced due to the Information Security ‘cost burden’ of pursuing the opportunity. That is the high-level Information Security investment can detract from the return.
At Katabat our approach is to provide the same uncompromising level of information security to all our clients. This is the baseline and is ‘the cost of doing business’ and it is built into our pricing models. Clients are seeking to maximize their opportunity to collect more and spend less with Katabat – and they are succeeding.
However, we have found that the compliance, security and vendor management teams at our clients’ are asking for and sometimes demanding more and more from us in terms of reporting and oversight. As a SaaS provider – we focus on managing all aspect of security for our clients.
Many clients now, in response to huge downstream supply chain compromises, are demanding – not more security – but more assurance. That is – more transparency in the back end of the SaaS Information Security management.
Initially we saw this as an unpleasant burden. The Information Security team was not generating data based on individual clients but rather on the underlying infrastructure & technology. This makes it difficult to provide additional assurance to individual clients.
We were not focused on providing transparency to our clients Information Security but rather meeting the requirements of the SOC & PCI auditors. Our focus was on securing all of Katabat which of course secures every client. We provide our SOC report and our PCI DSS Attestation of Compliance (AoC) to clients to assure our clients that Katabat is keeping their PII & CHD secure. Providing one-off reports or off-cycle scans for one or two clients was difficult to manage and error prone.
If you’ve read my article on partnering with clients for security2 you’ll know that Katabat strives to establish a partnership with our clients to promote a win-win outcome for the client as well as Katabat. I found myself, however, risking a good first impression with potential clients’ assurance teams by pushing back on their request for more assurance for them.
Our internal security oversight practices encompassed all clients so sharing confidential information such as vulnerability findings for a different client (maybe even a competitor) is of course unacceptable, so we enforced the policy that no clients receive our comprehensive info sec data. Being the contrarian is often the motus operandi of a CISO but personally, I do not enjoy being a CISNO.
To satisfy those clients that demand more transparency – Katabat has created the Katabat Added Assurance package as a value-added option to our standard SaaS subscriptions.
We have predefined a collection of service offerings for those clients that require a higher level of transparency and assurance.
By standardizing the offering – we can work to created well document and automated processes and provide each client the visibility and assurance for their instance. The package aims to increase the frequency of vulnerability scanning, provide client-specific reporting and attestations of scan compliance. In addition, the service allows for a quarterly Information Security review with members of the Information Security team as well as the client success executives.
The package includes info that we are already collecting and managing for all clients the package just contains a subset of the activities we are already doing – tailored to an individual client.
- More frequent scans of just the client’s targets/resources with transparency in reporting and remediation efforts. (Such as internal & external vulnerability scans with reports and attestations of scan compliance form a PCI ASV)
- Configuration monitoring transparency
- Accounts & Access review of the SaaS application
- Partnering with our Security partners for Dedicated Penetration testing, reporting and remediation for the individual client
- Quarterly assurance meetings with the client, Information Security and account management & relationship execs.
As a predefined, packaged service offering we are able to standardize the processes, understand the real costs of the value-added offering and then monetize it. This allows Katabat clients to collect more spend less and receive the level of assurance they require.
Arthur Haigh is the Chief Information Security and Privacy Officer at Katabat.
References:
- OCEG Principled Performance: https://www.oceg.org/about/what-is-principled-performance/
- https://katabat.com/debt-collection/security/our-commitment-to-security/
=
Arthur, a Certified Information Security Manager, is responsible for the strategy, oversight and management of Katabat’s Information Security, Privacy & Technology Risk programs. Prior to joining Katabat in 2012, he was Vice President, Technology at BlackRock. His diverse background includes enterprise systems administration and management, consulting as well as academic research. Arthur is a member of the Information Systems Audit and Control Association (ISACA) as well as the International Association of Privacy Professionals (IAPP). Arthur received a Bachelor of Science degree in Engineering at The Pennsylvania State University and a Master of Science Degree in Engineering at the University of Pennsylvania.
More from Arthur Haigh