Information security is all the 21st-century rage, and as the bad actors continue to get more adept at cybercrime, its importance increases. If your product or service is hosted in the cloud, it’s critical to understand what security is, why you’re hearing more about it from your customers, and how to leverage it offensively.

What does it mean to be “secure” if your product or service is hosted in the cloud?

Information security refers to the set of practices intended to keep data secure from unauthorized access or alterations – both when its being stored and when it’s being transmitted from one location to another.

Cybersecurity, also a common term in today’s cybercrime-laden environment, is a subset of information security. It is the practice of defending and protecting your organization’s networks, computers, and data from unauthorized digital access, attack, or damage.

Both types of security are important. And the external threats are largely the same whether your products and services are in the cloud or an on-premise IT environment. The primary difference is that risk is sometimes shared between you and your vendors rather than resting solely on your shoulders. For example, if your host environment is public, such as AWS or Azure, you rely on that vendor for the security and environmental safeguards of your physical infrastructure, such as server stacks.

Why do customers continue to bring up security during the sales process and contract negotiations?

The short answer: due diligence and a shrinking appetite for risk.

If you are in the business of hosting or processing confidential information as stated in your service agreement, your customers have a responsibility to perform due diligence and maintain compliance with regulations and standards such as GDPR, CCPA, HIPAA, FFIEC, NIST, PCI, ISO, SOC 2, and HITRUST.

Because of these requirements, vendor risk management has become a very common unit within most procurement and risk departments. Companies need assurance that the use of service providers does not create business disruption or have a negative impact on business performance.

These vendor risk management units often perform a vendor risk assessment (a.k.a.  a third-party risk assessment), which identifies, monitors, and evaluates the potential risks of working with a vendor. Vendor monitoring procedures include the request of a security questionnaire or, sometimes, the request to provide an independent examination of your security controls. This independent examination is most commonly done through a System and Organization Controls (SOC) 2 examination by an independent Certified Public Accountant (CPA).

Security questionnaires are becoming commonplace. The level of questioning depends on what service you perform, the types of data you have access to, and how important you are to your client’s business. The questions often include an understanding of the policies and systems your organization has in place to protect itself when – not if – a data breach occurs.

Data breaches are now a real threat to all businesses and organizations. Your ability to respond quickly and accurately to your clients’ security questionnaires  shows that you value the data you are entrusted with and that you will be a good, long-term steward.

How can you prove security in a scalable fashion?

From formalized security policies to penetration testing and security awareness training, there are many best practices in the security arena. But in order to prove your security to external parties, a SOC report is the gold stamp of approval.

In 2009, the American Institute of Certified Public Accountants (AICPA) introduced the SOC examination reports to serve the needs of companies that required an independent audit opinion on internal controls. The first reports created – still the most common to this day – are called SOC 1 and SOC 2. The benefits of these assurance products are vast, but the most important might be the scalability factor. After only being audited once, results can be presented to management, investors, clients, and prospects, enabling them to feel confident in a company’s internal controls and providing the ultimate stamp of security approval.

A SOC 1 is a report on controls at a service organization relevant to user entities’ internal controls over financial reporting. A SOC 2 report is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.

As cyber threats and the need for assurance grow synchronously, so too should your company’s security playbook.