Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory

Compliance as a Cost of Customer Acquisition

MAKING THE BIG SALE

If you're like many of our clients, you're in customer acquisition mode. You've spent a bunch of money to build your product or service, and the marginal cost to support a new customer is relatively small. They're buying the same thing everyone else is, so there's only some additional load you need to meet.
You get contacted by a large client who wants a significant number of licenses or seats. There's a sales rep who is excited to get a call from a Fortune 500 client, who we'll call BigClient from now on.
 
Recognizable clients would be nice. Marketing would like to put BigClient's logo on your web page. Everybody likes money, so there's a buzz around the office.
In this light, the sales rep takes a break from pricing out options on their new car to send you BigClient's contract and exhibits. Maybe there's a terse note about 'any concerns before we sign'?
As your eyes glaze over reading through contract language, you may notice a set of security requirements. These can be explicit or implicit.
  
Explicit ones will refer to a set of security controls spelled out in the contract or in an exhibit or appendix, or they will refer to a common framework, such as ISO 27002 or NIST 800-171.
  
Implicit ones can be harder to talk about, since they're unclear and open ended. Here's an anonymized version of my favorite:
17(a): Vendor (you) warrants that Vendor meets all legal and regulatory requirements for holding BigClient's data.

This is annoying for two reasons. First, you have to determine and understand all of BigClient's regulatory requirements; then you have to get ready to talk about them to the rest of your company.

Either kind of requirement puts you in an ugly spot: you've either got a bunch of requirements you can't meet right now, or you've got to figure out what the requirements are before you know whether you can meet them.
And there's pressure on you not to raise objections, because it's a big deal for your company.
  
You've got two answers:
  
"No." You can't meet those requirements, so they should walk away from the deal. That is a decision, just not one that will win you allies. This is a business decision, not a technical one, and not (just) yours to make.
  
"Yes, but it's going to cost us some money." This option is the non-career-limiting one.
Read the requirements and figure out which ones you are already doing, which ones you can do, and which ones are going to cost money. If you can, drop in the rough costs and times as comments in their contract. I'll explain why in a minute.
  
This way, you include the cost of compliance in the cost of acquiring and servicing the customer. This will sting the people already counting the profits and debating the merits of the Sport Chrono Package. But it leaves you open for later negotiation. You're going to be called on to be a part of the solution. You (and I mean the royal you, now) have a couple of additional options:

  1. Sign and assign the cost of compliance to this contract. This may make the contract unprofitable. Again, this is a business decision that you can assist with, but it's not exclusively yours to make.

  2. Ask to negotiate the expensive, burdensome requirements away. For example, perhaps you note three requirements you can't meet right now. The first is a change to your policies, the second requires some redesign of your application, and the third requires you to locate assets in another country. You estimated costs of $1,000, $100,000 and $50,000 for these requirements. You may find that your client is willing to pay more than your 'regular' customers in order to get the controls they need.

  3. Consider making these costs a capital expenditure to enter BigClient's industry. This will require asking your sales people how much interest they've seen from other companies in that industry. Perhaps the cost of compliance can be spread over the other potential clients.

With this approach, you're a part of the conversation, not the one ending it. You're also making allies within your company who can help you get what you need to do your job.
  
There are some more advanced techniques, such as regulatory stovepiping, that I'll describe in a later post.