Why You Should Publish Your Security Posture Publicly
Written by Whistic
Over the past decade or so, the way InfoSec teams manage data security and privacy standards has changed dramatically. From managing on-premises hardware security access to the online-driven security efforts of a decade ago, things have become more and more flexible. Today, cloud-based security controls, compliance safeguards, and other risk mitigation efforts are in place to help protect customer and proprietary data from malicious threats. So why would you want to tell those threats publicly how you’re going to stop them?
What publishing a security posture actually means
First and foremost, publishing your security posture does not mean sharing your entire catalogue of risk controls down to the wire for anyone to see. It typically consists of a list of industry-leading standards that your team is compliant with. This also means that if you do list a standard in your security posture, you most likely already have the answers to the associated questionnaire ready and available for a vendor.
Why you should publish your security posture publicly
Here are some reasons why you should be publishing your security posture publicly:
1. It can establish your team as a security leader in your space.
By discussing data security and making a conscious effort to post your posture for vendors, customers, and partners to see, your team is making it clear that you realize the importance of data security and are going to do whatever it takes to prevent a breach.
2. It can help speed up inbound questionnaire requests.
When potential vendors can access at least the start of your security profile before the official vendor assessment process kicks off, they can do some of the preliminary heavy lifting for you, which can speed up the questionnaire process.
3. It gives potential vendors a place to start to see if a partnership would be compliant.
Instead of getting halfway through a vendor assessment to realize your security controls are not compliant, any potential vendors can do preliminary due diligence to ensure a vendor partnership is mutually beneficial and possible.
4. It gives your internal sales and/or procurement teams a place to point inbound questions before coming to your team.
And, finally, publishing your security posture publicly will give your internal sales and/or procurement teams a place to point questions about InfoSec efforts without looping in your team, giving you the space to focus on more critical efforts.