How a two-year-old cloud startup beat its competition to win a leading oil & gas company’s business
In this article:
- What this cloud startup did to eliminate its competition
- How customers’ vendor evaluation criteria have changed
- What all this means for established security industry vendors
Just a year ago, one of the largest North American oil & gas companies decided to migrate to a cloud-based physical access control system, which falls into the category of Physical Security as a Service offerings, known as PSaaS for short. The company had many reasons for wanting to deploy a PSaaS solution, including: lower TCO (total cost of ownership), mobile device support for distributed access management, high availability of report data for managers and supervisors, and strong support for integration with cloud-based HR and visitor/contractor management systems.
The company made a list of candidate vendors to whom they expected to send their RFP. Given that concerns about security in the cloud are the leading inhibitor to the adoption of cloud services, what happened next should have been no surprise to the PSaaS vendors—but it was.
Just prior to issuing their RFP, the company sent the vendors the latest version of the cloud security controls self-assessment questionnaire from the Cloud Security Alliance (CSA). (See the sidebar to the right.)
The company didn’t expect what happened then: all but two of the prospective bidders declined to participate in the RFP! Apparently they couldn’t answer, or didn’t want to answer, the security self-assessment questions.
Of the two vendors who did fill out the questionnaire, the answers in one vendor’s spreadsheet were much more impressive, and so discussions began with that vendor, whose cloud service offering was selected because it more than fulfilled the capabilities the company was looking for.
The cloud startup’s number-one winning qualification was making the security of its cloud offering a visibly high priority. They applied leading standards and best practices to establish provably sound customer data security and application cyber security, and they were very transparent about their cloud security controls. For starters, they made “Security” the middle item in the website’s main menu. On the Security web page they listed their security and privacy practices, and included a summary of their security technical measures. No competitor websites had such information, and most competitors were not even aware of the good security practices they should have been applying.
The cloud startup also shared other important information, such as their software update policy, application development roadmap, software development practices, and service management practices.
Their standards adoption was not in name only. They wholeheartedly applied four major ISO standards and got themselves certified in Quality Management, Information Security, Software Engineering, and IT Service Management (management of cloud technology infrastructure and customer technical support services). That’s unusual for a startup company. Apparently they were serious about being a high performer, and winning over customers. As we might expect, they have a highly accomplished leadership team with in-depth experience, and impressive achievements, in information security as well as physical security planning and operations.
To summarize, this cloud startup beat its competition by providing proof of:
- Security of their cloud offering being a visibly high priority
- Well-designed security for customer data, for their cloud-based application, and for the cloud offering infrastructure
- Clear documentation of their security controls and practices
- Sound business practices for software engineering, quality management, and customer service management
- Sound technology roadmap
Thus they successfully addressed two main technology concerns of security practitioners:
- Security of cloud-based offerings
- Quality of cloud system engineering
How Customers’ Vendor Evaluation Criteria Have Changed
It used to be that any major security system project RFP had one standard requirement: “The system shall have proven itself for a period of at least five years in several similar customer applications.” Nowadays, given the accelerating pace of technology advancement, such a requirement amounts to a guarantee of getting obsolete technology.
“Best of breed” has been replaced by “best fit” to the customer’s needs and wants. Best of breed means nothing in a world of emerging technologies and continuous innovation.
“Feature set” is only a starting point, and a sound product vision and roadmap are expected in a world where technology evolves in place, and where customers expect it to evolve to meet their future desires.
Customers expect cloud-based offerings to be engineered for the cloud. This means vendors must be able to answer this question, “Exactly how are the Five Essential Characteristics of Cloud Computing being used to maximum customer benefit in your cloud-based offering?” Since these characteristics were defined by NIST (National Institute of Standards and Technology) five years ago, there is no excuse for not having very specific answers to this question.
Salespeople must know and understand these answers and be able to speak to them in plain language, or at least refer prospects to web pages or other material that provides more information.
What Established Security Industry Vendors Should Realize
The security industry does not have a high reputation for well-engineered software. Or for sound integrations. Or for getting IT right. After all, convergence was declared dead in physical security about six years ago. Yet we now find ourselves in an era of non-stop convergence. Add the fact that so far, the security industry has a very poor track record for computer, device and network security. (See a September 2016 article about the Botnet of 140,000 Cameras and DVRs Behind the Biggest Denial-of-Service Attack Ever.)
Customers are concerned about cloud security and the quality of engineering of cloud-based security products and systems.
What are customers to think of a vendor who doesn’t make these two concerns a top priority?
Vendors of physical security cloud-based services—for which verified cloud security and verified quality of cloud engineering are not really and truly top priorities—need an action plan to get there as soon as possible, and to effectively showcase their new position when they get there.