How a sales strategy led to me questioning the purpose of my work

As a bit of a change in pace, I thought I’d write about how a perfectly legitimate sales strategy led to depressing conclusions about vendor risk management in certain organisations.? Dark, I know.

Before I get into it though, I want to first mention that I consider myself more of a "risk person" than a "compliance person".? When it comes to matters of compliance, I’m always finding myself reasoning about the impacts of non-compliance, which seems to me to be a risk-based approach to the matter.? Compliance people tend to say, “it’s a requirement, we must comply”, and they get uncomfortable if you start the discussion about what happens if you don’t. I'm not in any way claiming that one of these is better than the other; I'm just explaining how I myself tend to think, as it frames a bit what I've written below.

Domain capture and domain analysis

Say our company has built a SaaS product that is growing in popularity.? Well, when you’re a growing tech startup, since you don’t have large marketing budgets, it’s likely the case that much of your user growth is organic - word of mouth, social media, that sort of thing.? After a while, assuming that our product is applicable to them, people in medium and large organisations will start taking notice and will also want to start using our product for work purposes.

Now the thing to understand about organisations of this size is that they all have challenges when it comes to internal communication.? Generally, people in different teams don’t talk to each other much unless they have to in order to do their jobs.? So what happens is that a few people in marketing sign up to the free or low-cost tier of our product, and a few people in engineering do the same, and a few people in finance, and so on until you have 50-100 people within the organisation individually using the product, few of whom knew when they signed up that any of their colleagues were using it.

Importantly, unless the organisation has done a wonderful job of instilling in its entire workforce an appreciation of vendor risk (and to be quite blunt, I’ve not seen an organisation that has), it’s possible, even likely, that the procurement, finance and security teams are in the dark when it comes to their use of our product within the organisation.? What they have is a case of shadow IT.? More on this later.

Now back in our SaaS product company, we want to take these low-value users and turn them into high-value users by monetising them, because generally, getting more money is a good strategy for a company.? The way that we do that is by doing two things.

The first is to build the “enterprise” tier of our product, complete with “enterprisey” features such as additional security, reporting, that sort of thing.? Importantly, one of those enterprise features is the “domain capture” feature, where if you are an enterprise customer and someone tries to sign up to the service using an email address from your domain, then it will redirect them to sign up as part of the customer’s enterprise account instead.

The second is to do some “domain analysis” - querying of our user database to find the email domains that have many users but who are not enterprise customers, and then to have the sales team reach out to those organisations to tell them that they have n users already using the product, and that they will get additional features if they sign up for the enterprise tier, and that with the domain capture feature (only available in the enterprise tier), they will ensure that they have complete visibility of anyone from their organisation wanting to use the platform going forward.? It’s a legitimate sales strategy.? I have no idea how successful it is in actually converting free users to paid users, but I assume it works to some extent, otherwise no-one would do it.

Shadow IT

For those unfamiliar with the term (I'm guessing approximately 0% of the people who would ever consider reading this article), “shadow IT” is basically referring to the use of hardware or software that isn’t “approved” by the organisation.? In our modern world of SaaS products, unless your organisation is whitelisting which websites its staff can visit, or is requiring them to access the internet via a VPN, or something like that, you probably have a shadow IT problem.

I say “problem”, but how much of a problem different organisations perceive it to be seems to vary wildly. Organisations in highly regulated sectors (finance, healthcare, government, etc) tend to have little tolerance for this and put in technical controls of varying effectiveness to combat it.? Most less-regulated organisations know it goes on, but turn a bit of a blind eye to it, choosing to pick their battles and only go after instances that are perceived as particularly risky.? Some organisations actually encourage it, seeing it as a legitimate mechanism for the introduction of new systems into the organisation.

Honestly, it’s a tricky issue.? There are clearly rewards to be had from staff being able to utilise best-of-breed tools with little organisational friction.? But the risk is also clear: staff taking sensitive information and putting it into third-party applications that don’t necessarily have security postures that are up to the standards of the organisation.

Vendor risk management vs compliance

Now, you’re probably wondering why you’ve spent a couple of minutes of your life reading about domain capture and shadow IT.? Well, the organisation that currently puts up with my presence has a sales team that does this “domain analysis sales thing” (I believe that’s the technical term) - encouraging organisations that already have a good number of users on the platform to bring them all into an “enterprise” account (we don’t use that term, but that’s analogous to what it is) which has additional security features and other things that larger organisations will find useful.? And in many cases, their response is along the lines of, “that’s a great idea, but we’ll need to do a security assessment - would you mind completing this questionnaire?”.

Now, if you had no idea that your staff were using our product, then as a risk person, I have no problem completing your questionnaire - you’ve discovered an unapproved tool in use, and to continue its use, you need to assess the vendor.? Fine.? I do have some questions about the effectiveness of your information security policies and employee knowledge and awareness training, but I respect the fact that you’re looking to manage your vendor risk, and you’re the customer in this interaction, so I’ll let those questions slide.

On the other hand, if you knew that our product was in use and sitting in your shadow IT bucket (and yes, some customers have actually told us that this was the case), and you suddenly want us to complete your questionnaire when we tell you the benefits of moving to our enterprise product, then it is clear to me that you’re not interested in managing your vendor risk and are only assessing us for compliance reasons.

How do I come to this conclusion?? Simple.? What changes between the time that they have lots of people on the platform with individual accounts, and the time that they have all of those same people in an enterprise account?? It’s the same set of people entering the same data into the same platform for the same purposes, so there’s no change there.? They now have access to some additional security features, so there’s actually a reduction in risk there.? Anything else?

Well yes, actually.? What’s changed is that they’re now paying for it.? It goes from “off the books” to “on the books”, or to put it more cynically, “something that they had plausible deniability of” to “something that they can no longer claim they had no knowledge of”.? And purely because of this change in status, the organisation needs to make sure that they follow their procedure to assess the vendor.

You can see my point here, right?? From the customer’s perspective, the risk didn’t change in any material way - if anything, it was reduced.? They were happy with the risk beforehand - we know this because they knew about the usage of the unapproved product and did nothing.? The 200-question questionnaire that they are now asking me to spend hours on is purely “security theatre” - a process that needs to be done in order to satisfy their auditor.

This raises an interesting question for me:

As an industry, how much time and effort are we spending in activities where the sole purpose is to ensure that *some other organisation* is meeting their compliance obligations?

Of course, I recognise that risk and compliance are not mutually exclusive, and that it is typically (I hope) going to be the case that vendor risk activities satisfy both risk management and compliance purposes, which is absolutely fine.? But the idea that even a small slice of my time is spent so that some other organisation that doesn’t care an iota about managing their vendor risks can maintain one of their certifications rubs me up the wrong way.

Maybe I’m the naive one here, and this “going through the motions for compliance purposes” is actually quite prevalent.? I don’t know if this is the case, but if it is, then honestly, it makes me a little sad.? I’m hardly an authority on vendor risk management, but my team and I both care about vendor risk and do our best to manage it.? The idea that other organisations might be putting as much time and effort into similar activities without actually caring about risk is just depressing.

Am I wrong?? Does your organisation actually try to manage its vendor risks, or is your vendor risk programme mainly for compliance purposes?? I’m really quite curious.

(Of course, you probably can’t talk about your current employer, but maybe you have a friend whose cousin once worked at this place where…)