“It’s so specialized…but I need to know it’s good enough!”

How do you, as an advisor, assess whether the provider of your Virtual Data Room (or any other system you use) is secure?

This is hard because cybersecurity is a specialized field. Moreover, it changes rapidly: the questions that were adequate five years ago are insufficient today.

There are a few things you can do. You can look for certification, and you can ask whether the vendor is assessed against a compliance framework such as ISO 27001. We cover that in a later part of this blog. ISO 27001 is an excellent wide-ranging standard for managing information security, but it sets requirements for the management system rather than prescribing the technical controls in detail, so for cyber specifically you may wish to drill deeper. So how?

If you want to drill deeper, you could write your own detailed security checklist. The challenge is that you will have to maintain it to keep up with the changing security landscape. How do you know you have covered all the bases now? And do you have time to keep your list up to date?

One good option is to ask the vendor to answer the Consensus Assessments Initiative Questionnaire (CAIQ), a detailed questionnaire maintained by the Cloud Security Alliance, because it does this work for you. If you have specific requirements beyond it, they can be layered on top. This saves you a lot of time and requires little work to keep your assessment up to date.

Ansarada has held ISO 27001 certification for well over a decade, which is why we are trusted by some of the world's largest institutions. When you come to us, you can ask for our latest CAIQ under NDA and see the details of how we provide the deep defence you need.

Innovation and security - happy bedfellows?

The way software is delivered to you has changed radically.

In the old days, the vendor would install it on your premises. Now most of it is delivered from the cloud.

In the 2000s it was common for a new version of your software to come out every six months or so, but that has all changed. As McKinsey notes here, two decades ago in the bowels of Silicon Valley a movement called 'continuous delivery' was born, and it has entered the mainstream with CIOs picking up on it (more on this here).

The great news about this movement is that it brings innovation and pace. You get more features faster than ever before. The software is updated daily or even more frequently than that. That’s a good thing.

The challenge is this: the security processes need to change too. A penetration test from six months ago tells you about the code that existed then, not about the code running right now. You need to recheck the security as frequently as you change the software. Unless that is happening, the six-month-old penetration test is no comfort.

Ansarada employs true continuous delivery and continuous security. Every change we make is automatically subjected to penetration testing as well as many other technical measures (code scanning, script inspection, third-party risk detection and advanced developer training in security), so we can deliver rapid innovation while keeping you safe as we do it.
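As an added illustration of what "checking every change before it goes live" looks like in practice, here is a GitHub Actions workflow in which the production deployment cannot start unless static analysis, a dependency audit, secret scanning and a dynamic baseline scan of a staging deployment have all passed. This is an example written for this page, not Ansarada's pipeline and not code from the original post; the Python stack, the requirements.txt file, the deploy.sh script and the staging URL are assumptions.

```yaml
# Added example: production deploy gated on automated security checks
# for every change. Not Ansarada's pipeline. Assumes a Python service
# with a requirements.txt, a ./deploy.sh script, and a staging
# environment reachable at https://staging.example.com (all assumed).
name: continuous-security-gate

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # CodeQL needs this to upload its results

jobs:
  sast:                      # static analysis of the code itself
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3

  dependency-audit:          # third-party risk: known-vulnerable packages
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install pip-audit
      # pip-audit exits non-zero when any known vulnerability is found,
      # which fails this job and therefore blocks the deploy below.
      - run: pip-audit -r requirements.txt

  secret-scan:               # credentials committed to the repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # scan the full history, not only the last commit
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dast:                      # dynamic scan of the change running on staging
    runs-on: ubuntu-latest
    needs: [sast, dependency-audit, secret-scan]
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh staging          # assumed deploy script
      # ZAP's baseline scan returns a non-zero exit code on findings,
      # so alerts fail the job unless a rule config downgrades them.
      - run: >
          docker run --rm -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable
          zap-baseline.py -t https://staging.example.com -r zap-report.html
      - uses: actions/upload-artifact@v4
        if: always()                      # keep the report even on failure
        with:
          name: zap-report
          path: zap-report.html

  deploy-production:
    runs-on: ubuntu-latest
    needs: [dast]            # transitively requires every gate above to pass
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh production
```

The point a vendor should be able to show you is the `needs:` chain: a failed check does not merely produce a report, it prevents the release. Scanners that only warn, or that run on a schedule detached from the deployment, do not give the per-change assurance this section is asking for.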

So how can you ask vendors about this, when choosing a VDR or any other system? Maybe it sounds complex.

Well, it is as easy as this three-step process:

Step 1: Ask your vendor: How often do you deliver to production?

Step 2: If they answer infrequently (e.g. monthly or longer), go back to those McKinsey articles and ask yourself whether you have hitched your wagon to the right horse. Innovation does not operate at pace in that kind of environment; Silicon Valley gave up on it 20 years ago.

Step 3: If they answer frequently (e.g. weekly, daily, or best of all, continuously), then you are likely to get rapid innovation. Great! But ask them how often they penetration test the software, how they check the security of every change before it goes live, and whether a failed check blocks the release or merely produces a report. See what they say.

It’s as easy as that. You want innovation and you want security. Demand both.

You are right to be concerned

Bloomberg notes that cybersecurity and climate change were two of the top concerns when world leaders met at Davos in 2019. The number of breaches at major software providers continues to grow year on year, so you are right to be concerned.

Ansarada can give you confidence through wide-scope, deep certification and through transparency, under NDA, about the details of the defences we provide in our CAIQ answers. Demand this from every provider.

In the next, and final, part of this series we consider a wider lens. Cybersecurity of the deal platform itself is one thing, but what about the people who work in customer service there? What about the people in finance? This wider lens on protecting your data follows next.

Owen Senior has been working with software product companies for over 20 years and with secure SaaS products since 2004, working with business stakeholders, technology and information security experts to ensure systems are both easy to use and secure.

Owen Senior, Chief Technology Officer, Ansarada

