Building a Smart Trust Center: Best Practices from Security Professionals

Kevin Qiu
March 17, 2022

Al Yang

Okay, I will get started. So hi, everyone. Thank you so much for joining us today. I'm Al Yang, CEO and co-founder of SafeBase. We help B2B companies close enterprise deals faster by helping companies share their security program and automate access to sensitive compliance information with a Smart Trust Center.

And today I have with me two well-known security professionals and thought leaders who happen to be early SafeBase users, and we're super excited about this. We're also really excited to hear Kristen and Kathy share their best practices for building a Smart Trust Center. Feel free to use the Q&A section on the right to ask any questions throughout the webinar. I'll be keeping an eye out so that we can help answer any questions integrated into the webinar itself.

So first, I would like to do some introductions. First, I have Kathy Wang, CISO at Very Good Security. Kathy is well recognized as a thought leader in the information security world. She has a strong background in research and security leadership. She's worked in government, commercial technology, and startup environments, and currently advises many security startups as well as companies in general. I met Kathy early on in our journey and it's super exciting that she has given us so much guidance along the way. She's also an internationally recognized malware expert, has done a lot of research, and has evaluated and operationalized various solutions for detecting and preventing client-side attacks. And she is a co-author of the book Beautiful Security, so please go buy it and go read it. And she holds a BS and MS in electrical engineering from the University of Michigan.

The other featured guest we have today is Kristen Deuel. Kristen is the Director of Cybersecurity Risk at Mindbody. Kristen has been leading cybersecurity risk management for a global mid-market SaaS marketplace with diverse product verticals since 2018. And she also provides management leadership to the cyber risk team. She's accountable for continuous improvement and maturity of programs. Prior to leading cybersecurity risk at Mindbody, she was a principal consultant at Kayardee consulting, where she served clients including Nike and Smarsh, and she has over 25 years of technology experience with a Master's Degree in Disaster Science.

So thank you both for being here. Wow, what a pleasure. I'd love to kick it off by learning more about the role of security and how that plays out at each of your companies. Please tell me a bit about your company and the roles how school have secured.

Kathy Wang

Sure, I can start! Well, thank you, first of all, for having us here. It's a pleasure, and it's great to meet you, Kristen, as well. So I'm CISO at Very Good Security. Very Good Security is all about protecting sensitive customer data. So, customer data is tokenized before it's stored. This helps customers to better meet their compliance requirements. And we have a lot of customers that are in the payment industry and also other enterprise customers. So security is a value for us. That is security first, right? That's the most important thing to us because we store sensitive data. So that said, our security team is very much focused on reducing the overall risk footprint, and also figuring out how to reduce the effects of a potential blast radius if there is an incident, so that's what my team focuses on.

Al Yang

And Kristen?

Kristen Deuel

First of all, thanks Al for having me. It's a pleasure to meet you as well, Kathy. Welcome everybody who's joining the webinar! I'm excited to connect with everyone. As Al said, I work for Mindbody. I'm the director of Cybersecurity Risk. It is a conversation stopper at dinner parties. But essentially, Mindbody is a privately held, mid-market, SaaS organization. We're global. We develop software. We're a marketplace for all of our wellness customers. So as such, we store, collect, and transmit personal information, personal health information, and cardholder data. So we are highly regulated, even though we are a private company. We're PCI certified and HITRUST certified. We also have our SOC certification. So you can imagine as one of Mindbody's customers, you will be interested to know how secure we keep your data. So, what is our security posture? What are we doing with your information? So as a marketplace, security is the foundation of everything we do. We use security policies and standards to drive how we develop our software, how we store your data, how we transmit it, and ultimately what we end up doing with that customer data.

Al Yang

Perfect, thank you two. So with that as context, clearly security is top of mind. Build trust with customers, maintain trust, and build trust with prospective customers and the community as you continue to serve those customers. It's not just a brand, but it's an intentional action. And you all have a team that's doing that. And security also has two sides, but what you've kind of spoken about is as the vendor who's providing value, right? But clearly you also are buyers for other tools. So that's really good context. You've said so with more and more SaaS companies than ever before, we're seeing that people have been talking about going to the cloud. And that's really happening. Third-party assessments can be time consuming and can be challenging. We're clear, we're always hearing from you, and from the Chief Information Security Officers and other security professionals, that they're just bogged down by these security questionnaires, emails, a lot of work around security reviews, you know, can we just talk about that? Maybe start with Kristen: what are the biggest challenges you face when working with sales or people that are in the go-to-market department, you know, the frontline? What are some challenges you face dealing with this, and how do you enable third-party risk assessment?

Kristen Deuel

Well, you know, we have a very small team. And we have dozens of security questionnaires that come in from both potential and existing customers. And those existing customers are also under audit requirements. So we have auditors, potential, and existing customers. So there's a magnitude of questionnaires that come in, and they're never standard. It's never answer these 10 questions, or answer these 400 questions. It's all over the board. So our team is not scalable internally. So for us to be able to have a tool where we can provide a self-service solution to our customers, and to those auditors, is a really great start. So that was the big selling point for us to face the challenges. It did alleviate a lot of our challenges where we weren't scalable, we were seeing a lot of questionnaires. But within the sales process itself, our team was a bottleneck because we were required to get all the NDAs signed, review the questionnaires, loop in all of the other teams that were to provide data for those questionnaires. And it would be a two- to three-week backlog.

Al Yang

Yeah, we constantly hear about sales teams growing but then the security team stays small. Kathy, what are some of the challenges you faced when working with sales to enable this third party risk assessment part of building trust?

Kathy Wang

Yeah, I mean, Kristen said it very well. One of the challenges is scaling the team. There were never going to be as many security engineers or compliance people as there are sales folks. So that's okay. It just means that we have to figure out how to automate and how to scale the team. And SafeBase is really great for automating a lot of these processes. So it really, drastically reduced the sales cycle. So when you get a security questionnaire, as Kristen said, it's never standard. I mean, we really would like everyone to take a CSA or SIG or, you know, CAIQ or something like that. But the reality is that that only works some of the time; that doesn't work all the time.

So then the rest of the time, we have to figure out how to speed up the process. And it's not only that. It's, in our case, specific, because we store sensitive data: there is always a security risk assessment that's done by our prospective customers on our platform. So part of that is looking at all of our reports, either the pen test reports or web app test reports. They would like to know how long it takes us to remediate findings from those types of reports. That makes total sense. That's what I would do as well when I do due diligence. If it takes you a really long time, and you go beyond the SLAs that are expected by the industry to mitigate one, I'm going to look at you a lot harder, right? Because I'm really worried. What are you doing with my data? How are you protecting it?

So we want to give customers this level of trust and assurance, and transparency at the same time. And SafeBase has really helped us automate and provide that information to build trust with customers. I can tell you that our sales team really likes the tool, because instead of all these back-and-forth emails that they have to now kind of middleman, right, with the prospective customers and the security team, introducing us and saying, "Hey, they'll provide you the document," this is a much shorter process, which is a win-win situation for everyone. Now we get all reports out faster, and customers get the data that they're looking for faster.

Al Yang

That's really helpful to know. And our mission here at SafeBase is that if a company has put in the work, the resources, the energy, to frankly, hire a team of security professionals whose key responsibility is to protect a company, build a system to help protect not just the company, but customer data, they should be rewarded for the efforts that they put in and not be slowed down by security by any means.

And that's actually what we're seeing today. So hopefully, you're getting that value. And without just talking about it, I'll share my screen. And hopefully we can start with Kristen here and walk through your Security Trust Center. And we're always here also, and you know, part of the philosophy here is SafeBase is always improving. And so feel free to throw out any feedback you have, where this is not all just praising. We're here to make improvements, you can call us out.

So what you're seeing here is Mindbody's Security Trust Center. This is Mindbody's homepage. And when Kristen said they're a private mid-size company, they are gigantic. I think you've recently gone through a round for a lot of money. So security is super important. And it's part of their DNA. So if you go to the Security tab on their homepage, you'll be linked to their Public Trust Center. And they're one of the most frequently visited trust platforms we have across our hundreds of companies that are using SafeBase. So here's your Trust Center. Tell us about, you know, what went in. And we worked with you throughout this, and thank you for the feedback along the way. You know, let's just go from the top and you can talk a lot on that and kind of navigate. What are some of the things that you're proud of? Or some things that you like your customers to see that are important to you?

Kristen Deuel

Yeah, sure. Thanks. So happy to walk through. So I'll start by saying the 50,000-foot view of getting started with SafeBase was, if you can scroll down just a little bit. We have all these wonderful cards down here and you can see the risk profile, the report card, completed for us. So there were many options for us to choose, but we wanted to keep this a little bit more concentric to the information we really wanted to share publicly, or even privately. So we went through this process of kind of scaling back the number of cards that we wanted to show on this page. And also consolidated some of the other information into some of these cards. I will be honest, one of the things that we ran into is customization. So when we signed on, and we started to build this out, we realized if we wanted something special, well, Kathy would also get that something special, for example. So it was a little bit of a challenge to get to what you see today, but the SafeBase team was there, we partnered really well together, and they were able to provide some shortcuts and help us to get some of the customization that we really needed.

Al Yang

And I'll talk about this one thing that we recently said. We'll go over to Kathy, which is this idea that you can provide Trust Center Updates. And most recently, we not only talked about how we added the Trusted By card, but we also talked about the security updates, which frankly helped a lot of our customers with how they dealt with Log4j. I remember specifically working with Kristen, and we actually decided to put it in the overview card because they really wanted to call this out, and in the security prospectus card, where they've decided to make it public. And we're seeing a lot of traffic here. When people come to your portal, clicking on this page, which actually takes you to the security prospectus, and your CISO Jason actually wrote an entire letter about that, and it was really cool to see all that traction that they received. And hopefully, what that did, in addition to being transparent about it, is that you and your team got a lot fewer emails about this, and that people were able to read and understand how you're dealing with, I can only imagine, the hundreds or thousands of customers.

Kristen Deuel

Yeah, you know, one thing about the Trust Center is it doesn't reduce the number of emails, but it does provide us a landing place to send those customers all of those inquiries. Instead of sending a form email or answering each one specifically, we're able to just point them here: hey, we have all these amazing white papers that you can read. There's information about Log4j, all of the other Trust Center updates, they're right here on this page. So if there's something that you need that you don't see, please let us know. But otherwise, you know, go here, read the information.

Al Yang

Exactly, exactly. That's how we dealt with it as well. We definitely got all the emails still from our vendors or from our customers. And we were able to, on the go-to-market side, instead of saying, well, let me play quarterback and connect you with my security team or just forward the email, say go here, go and see how we dealt with it. And if you have more questions, you can reach out.

Kristen Deuel

Yeah. So one last note, before we go to Kathy, I did want to say during the Log4j issue, a lot of our technical account managers were starting to reach out: hey, our customers are asking, are we impacted? Are you impacted? Are they impacted? So we have a global array of sales teams, because we are global. And we're all in different time zones, we're all working on different things. So having it here provided the entire organization information at their fingertips. So because SafeBase was new, it took Log4j maybe one day for the fire to spread in Mindbody to say, hey, everybody, all the information is here on the security page.

Al Yang

That's awesome. That's great. I actually didn't know that. That's awesome. Thank you, Kristen. And, Kathy, talk to us about your Security Trust Center. Security is what you guys do. So I'd love to know how this has been helpful and how you thought about setting it up.

Kathy Wang

Yeah, so this has been a gradual process for us setting up, and I will be totally transparent and say that I was the executive sponsor for this page, but not the main stakeholder working on this page; that would be my GRC team. So my director of GRC, she had a very heavy hand in building this out and I'm very proud of what they built here. This is really awesome. We are a security product company, and with our customer base the way it is, we are PCI Level 1 compliant, and we are also SOC 2 compliant, so we have put these reports here so that the sales team is able to help customers self-serve to request these reports. And that saved us a lot of time and really helped our small team scale as well, which is super important.

And to the earlier points that were made about Log4j, I don't want this to be a focus specifically on that. But the reason why that's important, and having information about the latest major vulnerabilities on these pages, is because in the security industry, we're very big on not over ambulance chasing, if that makes sense. We don't want to necessarily put out a blog post about every single major security vulnerability if it doesn't necessarily impact us directly. But then at the same time, understandably, the customer base would like to know, who's been impacted by this major vulnerability?

Because nowadays, it's everywhere in our media, right? Log4j, within a very short time, is on every single major media outlet page. So it is fresh in the minds of every customer. And it's really, really important to have good external communications around events like that. So this type of trust page is a wonderful way to get that information out in a way that isn't "are we going to have to email every single customer to let them know that we have not been directly impacted by this, or we have," right? And then either way, if you do that, you're gonna get responses back, which means more emails, and I'm not blaming the customer base because I would do the same thing. But this makes it way easier to get the information out, which is very valuable to a security team.

Al Yang

Awesome. Thank you, Kathy. One thing I want to point out too is, I had the pleasure of working with you early on as we were building our company, and all your feedback helped a lot with our roadmap. And the biggest learning for me personally is how easy it needs to be and how much power we need to give to the security and GRC team in setting up this portal for themselves. So what I want to share is our own security; we talked about our own product. This is our security portal. A key value prop is to help prospective customers understand how we build our security program. And once they become paying customers, or they want to become paying customers, they can always subscribe to our portal so that any updates we make, whether it's the Russia-Ukraine conflict and how we're dealing with it, if we're affected by other incidents, that unfortunately will happen again, to hey, we just got our ISO, or hey, we just got our Type 2 SOC 2, anything that the stakeholders want to know. And that's the outside, this is what people see. But on the inside, and I want to share this, every company that uses SafeBase gets an app that looks like this. And the app is really cool, because it comes with a dashboard. And the dashboard shows the portal analytics and then the accounts. But the idea is that it comes with a lot of things. And it's very, very easy to set it up today and then to provide updates to the Trust Center. So thank you both, and I will stop sharing my screen.

Kathy Wang

So what I want to say also, Al, is, you know, how much we really loved working with the SafeBase team, the velocity that you all are able to provide for our requests, in, you know, things like, how do we do this? How do we make this happen? The customer support has been fantastic.

Al Yang

Thank you, Kathy. That means a lot to me as someone who's not quoting away, adding value by listening carefully to what our customers are saying. And one thing that I didn't get to show, to emphasize that point, is we realize it's not just the speed with which we can help our customers get access requests, faster automation, but the data that comes with the downloads, you know, how many viewers and documents are being downloaded. And all this is on the dashboard as well. So we're constantly taking in your feedback. And we're excited as we're scaling, as we most recently announced a funding round, which is a testament to the mission we're providing, everything we can do. We'll continue to listen, we're building out the team to really wrap that up. I know Kristen had a lot of feedback early on, as she mentioned, and we're actively working on it. One last question I had was, what advice do you have for new users who are setting up their Trust Center? And should they do it? No, what tools and processes and procedures would you change, to help with a successful launch of your Trust Center?

Kristen Deuel

Um, gosh, you know, we moved from a static web page where everyone across the organization that worked in security had a contribution. And nobody actually found that page. We had to go to our marketing team to say, hey, we have an update. Very complex. So when we moved over to SafeBase, we had this kind of blank slate, where we could write anything. So we had many stakeholders who were providing us with content. We had our network engineers, we had our cybersecurity operations team, we had our executive staff, legal, because my team doesn't own all of these aspects. And so I went in through my team to systematically get contribution copy for each of these things. And then we were just kind of like the puppeteer that brought it all together and put it into the thing. So we weren't doing all of the writing. We weren't doing all the copy. It saved us a lot of time. And ultimately, it was more accurate.

Al Yang

Kathy, anything to note?

Kathy Wang

Yeah, yep. Yeah, for sure. So my advice is Rome wasn't built in one night, right? And it's okay to start small and start with small objectives. So, for example, for us, we started with SOC 2 and PCI. That was what we wanted to share. Then we got feedback from the sales team. And they said, this is really lightening the load for us and speeding up our cycle. Well, let's add things like our pen test reports, our web app assessment reports. So we started from there and built on and on, and then the Log4j and other information got added. And so it is okay to build it incrementally. It doesn't all need to be complete before you make it public.

Kristen Deuel

I agree with that. Kathy, great advice.

Al Yang

Yeah. One of the questions from the participants: is there any specific standard questionnaire? For example, there's the VSA, there's the CAIQ, there's the SIG, and there are others that are coming out. Clearly, having one of those, or all of them, on your Security Trust Center helps your sales team share this proactively. And hopefully, that can reduce the number of questions we're seeing across the board. The question here is, is there one standard that you live by or you're kind of behind? If so, can you talk about that? We'll start with Kristen.

Kristen Deuel

Um, yeah, so we're not in education. And we're not in government. We don't have a lot of those types of customers. Well, we do, but I wouldn't say it's a majority. We have had requests for things like the CAIQ or HECVAT, but our standard is SIG. So we completed one on behalf of Mindbody, a SIG that we share privately on our SafeBase page.

Kathy Wang

Thank you. And take our standards: we took a look at CSA, we took a look at CAIQ, we took a look at SIG, right. And as I mentioned earlier, that might help speed things up, and some of our prospective customers will take that, but not everyone will. So I would estimate it at this point at maybe 50%. It depends on the types of companies that your sales team is prospecting to, right?

Al Yang

That's right. That's exactly what we're seeing, about 50%. And starting to be more, because there's also a lot of work on the buyer side to evaluate all these questionnaires and keep track of them. So another question was asked, and this one I can address, which is how to use SafeBase to help reduce the number of customers who want you to fill out these specific spreadsheets and create work. Well, what we do is, by putting the Trust Center front and center to the prospective customer, asking the prospective customer to share this internally with the vendor security assessment team, and requesting them to download either the SIG or the VSA, whatever it may be.

So that trust is built initially. I think the consensus I've gotten from the security professionals that are doing these is it's not so much if you're answering yes or no. You can have no, but do I trust that you have a team who's going to make changes and that they care about protecting customer and company data? Like, it's more of a spirit than it is needing to have one specific requirement. People are always willing to work with you if you care about it. And that's what's really important. So what we do is we help you build trust to make sure whoever you're talking to knows, hey, we care about this as well. We have all these security artifacts here. Any reactions to that, team? Excellent.

Kathy Wang

I think yeah, very, very accurate.

Al Yang

Well, I know we're up against time. And I wanted to thank the awesome and thoughtful leaders here today who provided us with insight and personal experience. And we will continue to work hard here at SafeBase, fulfill the mission that we have, and serve our customers. So I'm excited to grow with these two thought leaders and security professionals. So thank you, everyone, for being here today. I also want to thank our speakers as well. Feel free to visit our website. Start your account today. And thank you again, Kristen, Kathy, so much for your time. Thanks for having me. Oh, thank you. Take care. Bye bye.