Avoid Revenue Friction

Are Security Questionnaires & Requirements in RFPs and Contracts Creating Revenue Friction?

It’s a story we hear often. Your sales team gets a prospect all the way to the closing point, and suddenly a security questionnaire is required. The sales person can’t fill it out, so they send it to the Information Technology (IT) group. The IT group can address half the items, but the other half are policy or contractual issues. They send it to Legal or Human Resources (HR). More friction. More delay.

Security is not a technical issue, it’s a human issue.

Meanwhile, the revenue is stalled until you can work through each component and identify which “control” aligns with which “requirement”. And every effort the sales person puts in to expedite the process and navigate the response through multiple departments is time lost from their core job: selling.
It’s enough to drive the sales person… and the executives, crazy. It’s what we call “Friction” in the revenue pipeline.
Why is this happening more and more?
Because increasingly our clients are facing regulations and addressing their own security vulnerabilities. Whether it’s HIPAA, GDPR, PCI or CCPA, the regulations increasingly are passed through to service providers and vendors in the supply chain.
Sales Friction  
What’s a sales leader or business owner to do? Start by identifying the baseline security policies and procedures and creating a link between the most common requirements and the corresponding security control. By automating a substantial part of the process this pre-designed security response not only reduces the friction, but it becomes a reusable asset. As new questions or requirements come through, update and improve the process, thereby accelerating revenue recognition, and keeping the sales team focused on selling. Does any of this resonate with you and your sales team?

Managing Your Employees’ “Return to Office” Process

Governments at all levels are evaluating their timeline and policies for lifting quarantine restrictions.  Similarly, business owners and executives should be planning now for how they will proceed with returning employees to the office (RTO).

The shift to working remotely was very abrupt and rapid.  Fortunately, we have a little more time and consideration to manage the return to the office.

Like business resiliency plans, bringing your employees back to the office, and re-opening your business requires planning and execution.  It’s a multi-disciplinary approach, crossing functions such as:

  • Communications – Internal and external
  • Human Resources
  • Information Technology
  • Legal
  • Management

The processes and policies that we define now are not without risk.  We have to respect our employees and customers, but we must also consider meeting regulatory requirements, as well as limiting liability and legal risk.  Having written policies is key.  Here are a few primary considerations:

  • What source will trigger your “Return to Office”?  CDC, State, Local?
  • Is the RTO comprehensive across our employee base, or incremental?  If incremental, what are the criteria and timing?
  • What safety and preventive measures will we put in place, and how will they be enforced?  Masks, temperature checks, distancing aids and signage
  • How do we balance information sharing with privacy for employees who get sick?
  • How do we manage outside vendors, visitors, and other non-employees?
  • Are all our plans reviewed for regulatory and legal compliance?

Like most formal business processes and plans, we should follow definitive steps:

  • Identify requirements and vulnerabilities
  • Develop plans and policies accordingly
  • Deploy processes and resources to support the policies

Managing the process well is a key element in keeping the employees and the company safe and secure, and sustaining our brand and reputation.

Phishing Your Remote Workforce

in Today’s Changing Business Environment

We’re several weeks into our new work-from-home environment. For many workers and businesses, working remotely is commonplace. Yet, most businesses are now supporting a far greater percentage of the workforce working from home (WFH) than ever before. The shift to WFH, accompanied by a broader set of dramatic workforce changes has opened new opportunity for bad actors to exploit a key cybersecurity vulnerability: Phishing your people.

Same as it ever was: People are your soft target

Phishing attacks remain a key threat, only now bad actors are using the current whirlwind of terminology and change to their advantage. Our WFH workforce is rapidly adapting to new technologies, new applications, and new policies.  This creates a huge level of uncertainty that is ripe for exploitation. The cyber criminals are using all the new terminology in their rapidly evolving and sophisticated phishing attacks.

Targeting the uncertainty around new technology and applications, phishing expeditions offer help with setting up your work-from-home access or accessing your Zoom meetings.

Similarly, they are camouflaging their phishing behind “Covid Bait”, including posing as the CDC or WHO, or local health agencies. 

And now with new government economic relief packages emerging, they are promising to help secure financing, aid funding, and finding employment.

People have always been among our biggest vulnerabilities in securing our critical IT infrastructure. The prescription for keeping your organization safe is the same as it has always been, but it needs to be refreshed and updated for the current environment.

Audit, Plans and Policies, Processes and Technology

  • Audit to determine your vulnerabilities
  • Develop plans and policies to address the vulnerabilities
  • Deploy processes and technology to support the policies.

For the latest wave of phishing attacks, that means reminding your employees of your policies. If you don’t have policies, develop them. Be sure they are aware and cautious of the new attacks cloaked in today’s terminology. Don’t click on a link or an attachment from any unknown source. Verify the source, and ask for help if anything looks suspicious. Report suspicious email based on your company policies.

Few of us anticipated that a global pandemic would result in a huge percentage of the workforce working from home and become a potential threat to our business continuity. Now that the pandemic has triggered our business continuity plan, be sure to capture the lessons learned and document them in your security and business resilience plans.

Need help with any aspect of your information and data security audits and plans? Let us know.