How you can center security in the software buying process

Every day, businesses are onboarding new third-party tools, services, and solutions. And yours is no different.

You’ve probably come across this scenario before: Your marketing manager wants to bring on a communications platform. So they ask their network for recommendations, research solutions, create spreadsheets, and list the pros and cons of the vendors they consider for their use case.  They sign up for free trials and sit through multiple qualifications calls and countless demos. And they believe they found it—the one vendor they must have right now.

You get approached after they get budget approval and have already circled it around to other departments. They ask you, “Hey, we are signing up with ACME company as a new communications platform. Can you sign off on them so we can sign the agreement?”

You start your security review process by seeing what’s publicly available on their site and finding nothing more than a privacy policy. You ask questions about their security posture, and it takes weeks to get answers back on it. And what you do get back is a pdf with a Privacy Shield logo on it. You remember the hearing about their recent breaches, so you block the agreement from going forward due to security concerns.

The entire process comes to a halt—everyone on all sides is frustrated, and suddenly you’re the bad guy at the center of it all.

Conducting vendor security reviews is necessary for your security team’s due diligence before you agree to onboard a third party, especially if they integrate with your business-critical systems. And yet, it’s common for it to be the last consideration when purchasing software.

Security shouldn’t finish last.

Vendor sales teams are rarely armed with security knowledge and information, so unless the vendor is transparently making trust and security a priority, it’s typically not proactively brought up in sales cycles unless asked.

But now imagine if, in that scenario, when that person at your company starts researching vendors, their security posture makes its way onto their pro and con list. Imagine that your entire team knows how to factor security into their selection process... so no more being the bad guy at the end. Security shifts from being a “roadblock” in the late stage of negotiations to being a key selection consideration, much like product features are.

Discover trusted vendors from the start.

So then, how can you find trusted vendors that make security a transparent priority without manually searching through thousands of companies?

With the Trustpage Directory, you can search for the most comprehensive and up-to-date InfoSec information, including first-party data from Trustpage users and third-party data from the web.

- Easily search the posture from thousands in our vendor network
- Evaluate and compare companies side by side for the most critical policies

Plus, you can encourage everyone at your company to use it in their vendor selection process – whether an end-user, in procurement, or a fellow InfoSec professional, anyone can quickly discover and compare trusted software and services for free.

Train, Educate, Eliminate Bottlenecks

You don’t have the time or resources to be on every vendor demo call. Give your team a list of critical security policies to ask about or find in their research process. These might not cover everything you would typically need to know in a formal security review, but they can help identify more trustworthy vendors.

1. Do they have a public trust center?
2. Where is their application hosted?
3. How do they encrypt data-at-rest and in-transit?
4. Do they have a current SOC 2 Type II and how do you get a copy?
5. Do they complete regular penetration testing?

You can even train employees of your company on standard security terms so they can begin to recognize them (and their implications) if they are brought up in the vendor selection process.

In today’s climate of complicated buying processes, you should question whether your InfoSec policies for vendor selection are being considered early on, or creating a bottleneck for your company.