Think you’re ready to sign your first big logo?

The CISO surprise that will block your first enterprise contract

You’ve been working on the app with your team for months. The pitch, the seed funding, the MVP, it’s all coming together. There’s interest from decision-makers at a few Fortune 500 companies that would look great on your website. You’re sensing urgency and budget available with the prospect. You can almost taste the first revenue as you draft a proposal. The presentation goes well, the prospect says it looks great and promises to get back to you later this week … and then you get the email. Excitement builds as you read a few bureaucratic details. This deal is almost complete! At the bottom of the email there’s an attachment. It’s a gift from their CISO (Chief Information Security Officer), an eleven-page infosec questionnaire.

It starts with some general guidelines in legal speak, “The Provider acknowledges that security is a fundamental requirement for the framework of performance of the Services. To this end, the Provider undertakes to implement appropriate technical and organizational measures in accordance with industry standard practices.” and starts to rattle off familiar acronyms like ISO27001, PCI-DSS, GDPR, HIPAA, or SOC 2.

Security Controls

The infosec questionnaire gets granular on page 2. Now you’re into the details with specific security controls such as MFA (multi-factor authentication), password policies, encryption, data centers, backups, logs, intrusion detection, vulnerability scans, pentests and the protocol for communicating any security events.

At this point, you’re starting to sweat because there are a number of controls which are not in the product. An MVP is the minimum viable product. These security controls only seem obvious once a SaaS is managing live traffic with paying customers who expect an SLA (service level agreement). Only a few of these controls have been implemented.

In the roller-coaster ride of startups, you’ve gone from fist-pumps & high-fives to nail-biting in a matter of three minutes.

Now what?

Things can go many different ways from here depending on your situation, but somehow your MVP has to transform into an enterprise-grade application in order to sign this deal.

  • How much time will be required to make these modifications?
  • What are the options?
  • Who can help?
  • How soon can we do what’s required to sign this deal?

How long will it take?

The AWS PCI-DSS compliance document is 3400 pages. This covers AWS’s many services, but you can imagine that mapping security controls to your application can get weedy. If you’re planning to DIY, expect two engineers to spend at least 4–6 months mapping a set of security controls to your application. Skill level with DevOps and security compliance and the complexity of your application factor into this range. DIY takes longer and your team will be responsible for managing it going forward.

Partners who can help:

  • Cloud providers (e.g. AWS, Azure, GCP) offer information for DIY
  • General security and compliance subscription services (Drata, Vanta, Tugboat, A-LIGN) help gather evidence of high-level security controls such as employee MFA.
  • DevSecOps partners such as DuploCloud (author) improve the security and scalability of your cloud environment by using IaC (infrastructure-as-code) and building dashboards of consolidated performance data so that you can run your app more efficiently.
  • Pentest firms (penetration testing by firms such as Stratum Security, Prescient, FinStrides)
  • Security compliance auditors. Countless options to provide independent verification.

DevOps as a Service — A faster approach

Partners such as DuploCloud can accelerate your compliance to a few weeks. Traditional cloud migration consulting firms have the skills to do this work. A SOW (statement of work) will be drafted, time & materials estimated, the contract signed and the clock starts. Expect $200 up to $500 per hour for a professional firm. Applications are dynamic and need to be maintained. Each project can become a negotiation. And outages are not the time for negotiation, so a managed service may be worth considering. There will be incidents that require continued updates to the cloud infrastructure, especially with the ephemeral nature of the move toward microservices. Low-code/No-code platforms that offer DevOps-as-a-Service have the advantage of efficient, repeatable Infrastructure-as-Code platforms, consolidated dashboards of important performance metrics and the cloud expertise of DevOps tech support to help with decision-making. Expect a fixed rate of $3–6k/month depending on the size and complexity of your application. These are the benefits of a partnership that will help your company scale.

Impediment or stepping stone?

Although this infosec requirement can seem like a blocker at a critical moment, it is also a rite of passage. If you’re bulldogging your way through it, you may end up with technical debt that will slow growth for years to come. If you find the right partners and build the proper infrastructure, your company will be in a position to grow into its full potential.

These are the moments for great leadership. How will you respond?

By Matt Warren, account engineer at DuploCloud