Businesses have to collect information about their clients, and clients often want assurance that their information is secure. What is the accepted way to concisely and clearly communicate how secure the systems are that are transmitting and storing the client's data? From what I can tell, it sounds like citing compliance with a security standard (such as ISO27001) is the way to go when speaking with a security professional (is that correct?), but does anyone have any experience with successfully explaining "how secure" your system is to a "lay" person with little-to-no understanding of information security? Just "Our business meets or exceeds the accepted security standards for our industry"? Is that enough information? In your experience, how much detail do most people want?

Background information: our business collects sensitive data about our clients as part of an accreditation process for services they want to qualify for with a third party. Most of these clients are small business owners, e.g. plumbers, dentists, restaurant owners, etc.

This question might be subjective, but it falls into the realm of "good subjective."

Edit

This is not a duplicate of How to get top management support for security projects?. That post deals with communicating with others within your organization, while this question is about communicating with people outside your organization, which is much more sensitive. You can explain to a superior why your system isn't "100% secure", but you have to be more diplomatic with a client, while still being concise.

browly
  • possible duplicate of [How to get top management support for security projects?](http://security.stackexchange.com/questions/56530/how-to-get-top-management-support-for-security-projects) – RoraΖ Aug 05 '15 at 17:54
  • @raz I don't think so: that question is about internal communication, and you can generally include more detail when communicating with people inside your company. In communicating with clients, you have to be more careful because there are things people outside your company shouldn't know about your security policy. – browly Aug 05 '15 at 18:00
  • Businesses tend not to react to standards they don't need to comply with, like ISO27001. In my experience, they're only willing to invest in compliance they absolutely need, e.g. HIPAA, PCI, SAS-70, in order to do business. Security professionals I talk to know about ISO27001, ITIL, etc. to pass the CISSP, but rarely invoke it. – Herringbone Cat Aug 05 '15 at 18:01
  • @Herringbone_Cat Good to know. We actually already use systems that are ISO27001 compliant; I should have mentioned that. – browly Aug 05 '15 at 18:16
  • @browly I retracted my close vote, I misread the meaning of the first paragraph. – RoraΖ Aug 05 '15 at 18:20
  • It can easily be explained, if everything is worded correctly. For example, let's say you're storing social security numbers, and you're encrypting them via AES256. You would say: "When we store a customer's social security number, it is encrypted with the AES256 encryption algorithm. The National Security Agency has classified AES256 as a Suite B algorithm, which means that the United States government uses it to protect US-only classified information. It is extremely secure." – Sakamaki Izayoi Aug 05 '15 at 19:10

1 Answer

The answer to your question depends on a number of factors, including:

  • "Who are your clients" - Different companies will want different levels of assurance, for example a bank sending financial data will (hopefully) want more assurance than a coffee shop sharing menus.
  • "What data are you processing for your clients" - Again this will affect the answer, if there are regulations in play those may lead you to have to provide specific forms of security attestation.

With that said there's a number of strategies you can use, none of them (in my opinion) perfect.

  • ISO27001. This is a common one as it's internationally recognized. As you've done it, you'll likely have found that the devil is in the detail; things like the scope of which bits of your business you certify will greatly affect how easy it is to achieve. Also note that ISO27001 is perhaps more about documenting what you do well rather than necessarily doing all the right things, and that point is quite well known, I'd say.
  • 3rd Party Assurance. You can get a 3rd party to do security reviews and provide summaries of these which you can give to customers. This is commonly seen in the technical security world (e.g. Pen Test Reports) and also to an extent elsewhere (e.g. SAS-70). How convincing these are may depend on what testing you actually have done and how savvy your customers are (i.e. can they tell the difference between a detailed test and a quick superficial test).
  • Let your customers audit you. Can be appropriate (or even mandated) for large clients. It has the upside of them being able to test exactly what matters to them, and the downside of having sets of auditors trooping through regularly asking awkward questions.

Ultimately, however, none of these really work with non-savvy customers. There is a massive "market for lemons" in security where consumers cannot tell the difference between two companies, generally 'cause they all claim perfect security (ever see a site say "hey, security isn't that important to us, but give us your data anyway"?) and there is no mandated, effective, impartial standard.

With a savvy customer, I'd recommend asking them what's important to them about security and how they would like to see that proven.

Rory McCune
  • Thanks, any specific experiences with using these techniques or how well they generally work? Our clients are small business owners and we are collecting information about them, their employees, and the business's finances, so the concerns are employee confidentiality and privacy. – browly Aug 05 '15 at 19:34
  • For non-savvy customers, I'll honestly say I doubt there are any specifics that would work, as realistically it's unlikely that they would be able to tell the difference between a good certification with a solid ISMS in place and a "security seal" that had minimal benefit. The only thing I could say is that if there's something with decent brand recognition in your country (e.g. Cyber Essentials in the UK, http://www.cyberessentials.org/ ) that would be worth considering, as it's more likely your customers will have heard of it. – Rory McCune Aug 05 '15 at 19:37
  • I read your Wikipedia link. To clarify, by "market for lemons", do you mean that the "fake" security certifications are so successful that they tend to destroy the market for real security standards and certifications? – browly Aug 05 '15 at 20:10
  • Yep, it's hard to charge money for a real certification (proving security is expensive) if clients can't tell the difference between a good one and a bad one. – Rory McCune Aug 05 '15 at 20:12