Skip to content
Ron SivondaOct 1, 2020 12:00:00 AM2 min read

Breaking Barriers to Market Entrance with Compliance

Breaking Barriers to Market Entrance with Compliance

Breaking Barriers to Market Entrance with Compliance

Customers are often interested in a compliance framework they don’t objectively need. For example, they think they want to pursue FedRAMP, but they don’t provide cloud services that can be sold to the government in some form.

Let’s talk about barriers to entrance and compliance

What is a barrier to entrance? According to my 20 year old marketing text book from back when my back didn’t hurt and I didn’t have “the knees of a 90 year old man”, barriers to entrance kept you from selling your product in a given market. They can be in the form of a particular technology you don’t have access to, or in our case, a regulation in the form of demonstrating compliance. This can be imposed by the government or a contractual cost of doing business. The former is FedRAMP, and the latter is PCI-DSS.

FedRAMP, PCI-DSS, HITRUST

FedRAMP, PCI-DSS, HITRUST

As an example, if a company wants to sell into the healthcare market, they are going to run into the HITRUST compliance framework. With a little due diligence and some Wikipedia searches, they’ll discover that the executive council for HITRUST is made up of the following firms:

Anthem Inc, Express Scripts Inc, Highmark, Humana Inc, IMS Health, Kaiser Permanente, McKesson Corp, and UnitedHealth Group.

If you research HITRUST, you’ll notice that it’s often associated with companies that want to do business in the healthcare market. We can presume that if a company were to offer their widget to that market, at some point they are going to get requests for proposals (RFPs) for contracts that will contractually obligate them to meet HITRUST.

This means that the company should think about compliance beforehand. They should engineer their product so that at the end, a HITRUST certified assessor can come in and assess the product, and the product will pass. This will remove that barrier to entry to that particular market.

Why is this relevant? If I had a Kennedy half dollar for every sales call I’ve been on where a customer had designed and deployed a product only to run up against a compliance framework that they neither planned nor prepared for, I could probably buy a Tesla P100D.

Having a coherent strategy to sell your product in your target market is critical. In the event that doing the necessary due diligence is not your forte, then a consulting firm that specializes in compliance (here’s where I pitch you, just to be intellectually honest) is going to be a value add for you.

The money you spend on a gap assessment of your product early will save you the cost of re-engineering your application to meet compliance requirements

I’ve literally had clients tell me that they “should have done this last year when it would have been cheaper than ripping their SaaS apart this late in the game.”

To recap: Figure out and research the markets into which you want to sell when you are in the early stages of building your product. I know that sounds obvious. Then, if you realize that you must demonstrate due diligence in the form of some sort of compliance framework (FedRAMP, HITRUST, PCI-DSS, SOC2, ISO 27001, etc.) you should consult with an expert (internal or external, sometimes your company will already have a person for this) and make sure you don’t have to rip apart your SaaS later.

avatar

Ron Sivonda

Ron is the Chief Information Security Officer for ScaleSec. He has served in roles from help desk technician to system administrator to cloud security, and did compliance when STIGs came in 3 ring binders. He built his first computer in 1992. Ron brings over 20 years of experience from both public and private sector. He is comfortable in the server room or the boardroom. He loves building cloud security programs for companies.

RELATED ARTICLES

The information presented in this article is accurate as of 7/19/23. Follow the ScaleSec blog for new articles and updates.