A cybersecurity assessment like a SOC 2 or an ISO 27001 certification is a statement about your commitment to protecting information. This post looks at examples of how leading companies give that report a permanent home on their websites and provides best practices so you can do the same.
A cybersecurity assessment like a SOC 2 examination or an ISO 27001 certification is much more than just a document – it’s a statement. Specifically, these reports communicate to your customers, prospects, and business partners that you take cybersecurity seriously, and you can be trusted with their sensitive information. So, it’s a great idea – in fact, a competitive advantage – to spread the word.
In my last post, I talked about that first step – announcing your assessment with a press release. But your report lives beyond that initial announcement, which means you need to give that report (or some form of it) a permanent home on your website where it can be accessed any time it’s needed. We’ll look at some real-world examples of how companies do just that.
Isn’t my compliance report a “need-to-know” document?
You might say, “My compliance report should only be given to a customer on a need-to-know basis after an NDA is signed. It’s too much information to put on a website.”
There’s a lot of truth to that – in a literal sense. Some documents are meant to be public (like a SOC 3 report, for example), but in general, compliance reports are reserved for specific situations where a non-disclosure agreement is in place. You may even find explicit instructions on what the report should be used for, such as the Restricted Use section of a SOC 2 report.
However, none of that precludes you from talking about the fact that you have completed cybersecurity assessments and discussing the security principles and policies behind them. Today’s companies, surrounded by a barrage of reports about breaches and data leaks, want to trust the companies they transact with. Your reports are the meaningful, widely accepted evidence that backs up your claims.
Let’s look at some examples
I think one of the best ways of understanding how you can feature your assessments on your website is to look at examples of some great companies who have done an excellent job at this. Let’s check out four.
Example 1: Snowflake
Snowflake is a fast-growing data platform company that made news in September 2020 as the largest-ever software IPO (SNOW). As a company that provides customers with a cloud-based data warehouse, you can imagine how important it is for Snowflake to demonstrate trust to all its business partners.
Snowflake has created a Security and Trust Center, with several different options for learning about various aspects of Snowflake’s approach to security throughout its platform, including a dedicated page listing its security and compliance reports. From here, a short description explains each report, with instructions on how to obtain them – specifically, acquiring an NDA and filling out a contact form. Note the following:
- Snowflake displays all its certification badges proudly across the main trust center page
- Includes simple, clear explanations of each of the certifications they go through
- Provides a straightforward process for requesting a report, conditioned on meeting specific criteria
Example 2: Salesforce
Salesforce, the original SaaS company, is the 800-pound gorilla when it comes to anything related to customer relationships. Those relationships are sacred, so obviously Salesforce needs to demonstrate to their customers how seriously they take security.
Salesforce has a much larger library of certification reports given the breadth of their business and has taken a more direct approach to presenting their certifications. Looking at their site, one might assume they expect visitors to know what they are looking for, so all the certifications are laid out in an easy-to-navigate grid form, with little additional context, so the user can drill down and get exactly what they need. Some observations:
- The Salesforce compliance center sits on its own domain: compliance.salesforce.com
- Each report is broken down by product, date, and infrastructure
- Access to most reports is protected with your Salesforce credentials
Example 3: Asana
Asana is a popular project management application – in fact, my marketing team here at A-LIGN depends on Asana for almost all our projects! Since Asana’s customers, like us, rely on the tool every day to coordinate teams and keep work moving, we need to know that our information is protected.
Asana’s approach is to communicate a message of trust to their customers. Personally, I’m a big fan of customer-focused messaging, and I appreciate how Asana has laid out their story. They place their certification badges at the bottom of their page, providing links to publicly accessible reports. In particular, they provide a link to their SOC 3 report, which as the AICPA states, is “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.” Some things to notice:
- Everything, including the URL asana.com/trust, speaks directly to their customer commitment
- They use clear language and graphics to explain their entire approach to security
- They focus on publicly available resources to instill confidence in their security program
Example 4: Freshworks
Finally, let’s check out Freshworks. Freshworks is an engagement platform for employees and customers, so like some of our other examples, it’s pretty clear why protecting information related to those groups is so important.
Freshworks has a very advanced Security Center on their website, with multiple pages for different audiences (customers and developers), a trust center, best practices, resources, and even an area for responsible disclosure. What I like most about their site is how thought-through it is, with so much information and such a high degree of transparency. In website terminology, we call this a microsite – an entire area devoted to one concept, with a defined purpose and its own navigation and structure. Here are some things worth pointing out:
- The microsite contains a rich FAQ area with answers to common questions
- It includes a breakdown of many of their security processes and how they impact different audiences
- They include a bug bounty hall of fame to promote responsible disclosure
Putting it all together
Hopefully these pages gave you some good ideas for how to use your compliance reports on your website. My biggest takeaways:
- Share your approach to security and relate it to your customers and business partners
- To whatever extent you are comfortable, be transparent with some of your core security and compliance processes
- Include some of the best practices you follow (encryption, penetration testing, etc.)
- Guide your visitors through the process of requesting a report
- Feature your auditor, as their credibility will translate to your customers
Compliance is all about the customer
When you put your cybersecurity attestations on your website, you can frame a message that’s all about your relationship with your customers. There’s plenty you can talk about without giving away the details of your security program to your customers, so finding that balance is important. And remember – most people don’t natively understand security, so be clear and simple in your language and explanations.
Most importantly, remember that your assurance program is an opportunity to engage in a dialogue with people who are interested in how you do business. It’s much more than just the document – it’s a representation of who you are as a business and how you treat your customers.
I’m always happy to speak with people about how to best market their cybersecurity attestations. If you are interested in a conversation, or anything A-LIGN has to offer, please drop us a line!