Breaking Barriers to Market Entrance with Compliance
Customers are often interested in a compliance framework they don’t objectively need. For example, they think they want to pursue FedRAMP, but they don’t provide cloud services that can be sold to the government in some form.
Let’s talk about barriers to entrance and compliance.
What is a barrier to entrance? According to my 20-year-old marketing textbook from back when my back didn’t hurt and I didn’t have “the knees of a 90-year-old man”, barriers to entrance kept you from selling your product in a given market. They can be in the form of a particular technology you don’t have access to, or in our case, a regulation in the form of demonstrating compliance. This can be imposed by the government or be a contractual cost of doing business. The former is FedRAMP, and the latter is PCI-DSS.
As an example, if a company wants to sell into the healthcare market, they are going to run into the HITRUST compliance framework. With a little due diligence and some Wikipedia searches, they’ll discover that the executive council for HITRUST is made up of the following firms:
Anthem Inc, Express Scripts Inc, Highmark, Humana Inc, IMS Health, Kaiser Permanente, McKesson Corp, and UnitedHealth Group.
If you research HITRUST, you’ll notice that it’s often associated with companies that want to do business in the healthcare market. We can presume that if a company were to offer their widget to that market, at some point they are going to get requests for proposals (RFPs) for contracts that will contractually obligate them to meet HITRUST.
This means that the company should think about compliance beforehand. They should engineer their product so that at the end, a HITRUST certified assessor can come in and assess the product, and the product will pass. This will remove that barrier to entry to that particular market.
Why is this relevant? If I had a Kennedy half dollar for every sales call I’ve been on where a customer had designed and deployed a product only to run up against a compliance framework that they neither planned nor prepared for, I could probably buy a Tesla P100D.
Having a coherent strategy to sell your product in your target market is critical. In the event that doing the necessary due diligence is not your forte, then a consulting firm that specializes in compliance (here’s where I pitch you, just to be intellectually honest) is going to be a value add for you.
The money you spend on a gap assessment of your product early will save you the cost of re-engineering your application to meet compliance requirements.
I’ve literally had clients tell me that they “should have done this last year when it would have been cheaper than ripping their SaaS apart this late in the game.”
To recap: Figure out and research the markets into which you want to sell when you are in the early stages of building your product. I know that sounds obvious. Then, if you realize that you must demonstrate due diligence in the form of some sort of compliance framework (FedRAMP, HITRUST, PCI-DSS, SOC2, ISO 27001, etc.), you should consult with an expert (internal or external; sometimes your company will already have a person for this) and make sure you don’t have to rip apart your SaaS later.
The information presented in this article is accurate as of 10/1/2020. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.