CIO Just 4 things: how do I, as a startup/scaleup, get ready for Enterprise Customers?

I have been recently asked a number of times by startups/scale-up founders: how do I get ready for enterprise/large customers? When will I know if I am ready? This article looks at the top 4 things you need to have in place in order to truly be ready to engage with any large/global/enterprise organisation in my experience. ?

• Security: There are two ways you can go about putting in place a minimum level of safeguards depending on how much time you have and where you are in your scale-up timeline. The first is to do a simple search for the words “infosec questionnaire template” and download a selection of them. This will give you a good indication of what the infosec departments of large corporates will be looking for in terms of assurances before engaging with you. The good news is that these questionnaires are largely modelled on best practice found in various standards like ISO 27001 and NIST. The ISO standard is downloadable from the BSI website, or there are a number of organisations on LinkedIn?which?provide template policies and checklists which should?give you a headstart. Note that the ISO 27001 certification will take a minimum of 6 months to achieve but that does not mean you cannot start putting all the necessary safeguards and policies in place beforehand. Just as an aside, there are many very good boutique organisations that can get you ready and at genuinely affordable rates. This need not be complicated or costly, but it is invaluable. ?
• Privacy: this is probably the most important topic after security. At a very high-level what you need to know about privacy is that: (a) you should not store more data than you strictly need to deliver the service, (b) keep it no longer than the contract duration unless you anonymise it (c) ensure that you have taken the correct measures to encrypt and secure data (d) be ready to comply with the data subject rights as embodied in various legislations and (e) have enough of an audit trail to prove that you do what you say you do. This is naturally a simplification of a very complicated topic but I would recommend for anyone to?become familiar with GDPR which is often considered the Gold standard for data privacy and is adopted not just by EU countries, but also countries who have data equivalency or similar arrangements with it. The above need not be daunting as there are now many Data Protection courses available online. Also ensure that you are registered with your relevant regulator. Some key deliverables are: a privacy policy, a data impact assessment and relevant data protection/destruction clauses in your contract. ?
• Scale/Resilience: Any enterprise customer will want to know that you have in place both the ability to scale if they want to increase their usage and that you have provisions for maintaining 99.95% minimum uptime. This is where using cloud providers like AWS, GCP or Azure will definitely help you go a long way to providing the necessary assurances with features like auto-scaling, availability zones, etc... Just stating however that you are using those providers will not be enough. You will need to provide some level of technical documentation in support of your claims. It will be important that you have at least high-level architecture diagrams and many will request network diagrams too. Here again there is an appropriate level of disclosure whereby you can give the necessary assurances but not give away your “secret sauce”. Additionally, this will be a rather good time to ensure you have an NDA (Non Disclosure Agreement) in place, if you have not already done so.?
• Insurance: you will need to have insurance to cover you as a director, to be able to indemnify customers in case of an issue and I would very vividly encourage you get some level of cyber insurance to help pay for dealing with the regulator, customers and possibly the customer’s customer. The latter is often written into contracts. The cyber insurance should provide dedicated legal support, incident management and forensic research. ?

If you have all the above covered to some extent, then you will be at least 70% of the way to being able to comfortably engage with large and global corporates. The remaining 30% is about having people with key roles like Data Protection Officer and Information Security as well as a program of audit and continuous improvement. Note, in scale-ups/startups, these roles are often not dedicated roles but rather ones that your CIO/CTO and finance/legal person will take on in addition to their main remits. ?