Security and privacy issues can often be important considerations for customers, but these issues may not be obvious from the outset of a customer engagement. Further complicating the situation, the customer may understand their compliance obligations and requirements, but not be in a position to map these requirements into specific security or privacy controls (features and capabilities). The net result is that the topics of security and privacy may not come up in the discussions and both parties may walk away with very different expectations: the customer assumes the controls will be adequate and the supplier assumes that security or privacy controls are either not an issue or possibly not needed.
To help avoid such misunderstanding, it is important for customers to identify their security and privacy issues and concerns. When this does not happen, suppliers can help initiate the security/privacy dialogue with a few strategic question like:
- Are there specific statutory, regulatory, or legal requirements/obligations in the area of security and/or privacy that prevent or minimize your organization’s use of [fill in the blank]? If so, can you share the primary ones with us?
- What geo-locality or multi-jurisdiction issues influence your organization’s use of [fill in the blank] (e.g., privacy regulations, DR/BC solutions, etc.)?
- When considering [fill in the blank] what are the threats and/or risks that cause your organization the most concern? Do you believe they can be mitigated?
- What role does security and/or privacy play in your organization’s decision making process for [fill in the blank] technology and services (for example, do you negotiate custom SLAs)?
- How important a role does encryption and key management play in your organization’s adoption of [fill in the blank]? If important, how do you envision it will be implemented and used (e.g., at-rest, in-motion, under user control, etc.)?
- Does your organization have specific Identity, Entitlement, and Authorization/Access Management (IdEA) expectations or requirements for [fill in the blank] implementations and offerings? If so, can you share them with us?
- Does multi-tenancy play a role in your existing and/or future infrastructure? If so, what are your expectations or requirements of the associated security controls, and do these expectations and requirements change for “secure” multi-tenancy?
The goal of such questions is to foster a dialogue that can lead to an understanding of customer's security and privacy needs and ways that a supplier can possibly meet them. In addition, this dialogue should not be so complex that it requires both parties to be certified security experts.