Playbook: How to announce your security achievements.

This week, Trustpage announced our SOC 2 Type II compliance.

‍

This was a huge milestone for our team, demonstrating our dedication to the highest security standards.

‍

At Trustpage, we believe that your security program is a part of your product—a deeply engrained part of your value proposition that, when treated as such, can help you win deals and beat out your competition.

‍

When you visit a website for a software product, everything about the product is outlined. Use-cases, features, recent updates and more.

‍

Knowing that buyers evaluate security as a critical part of their purchasing process, why not treat security as the core product feature throughout the customer experience?

‍

So today, we’re outlining our playbook for announcing updates to your security posture, SOC 2 or otherwise.

‍

Telling your security story

The software industry largely agrees that security is an operational practice. Preventing data breaches and achieving compliance certifications are key parts of the operations that InfoSec professionals are responsible for.

‍

But how are you telling the story of your successes to your colleagues? Your customers? Your prospects?

‍

Product teams share their successful updates and releases through a series of well-defined best practices: product emails, release pages, and dedicated product marketing managers do the job of communicating the product teams’ success to the required audience.

‍

Often, security requirements are non-starters for large organizations’ ability to buy your products. So, shouldn’t we also have a similar infrastructure designed to tell your security story?

‍

Announcing your compliance

Announcing your compliance is an exciting milestone to share your hard work with your customers, colleagues, and friends.

‍

Like many other companies, we chose to publish our announcement via a blog post then share updates on our company social media to shout it from the rooftops.

‍

It’s also a great idea to update your marketing materials, website, and pitch decks to include the AICPA SOC compliance logo, a recognizable icon in the software world.

‍

Documenting your compliance for customers & prospects

Putting together a Trust Center that outlines your security posture, including your newly achieved compliance, is the first step in sharing your security story. Companies like Pendo, OnBoard, Paragon, and AppLearn all document their compliance achievements in a Trustpage-powered Trust Center. Other companies, like Slack and Monday.com, outline their achievements on a DIY web page.

‍

Wherever you choose to host the information, productizing your security and outlining your newly achieved compliance gives website visitors a place to land when their mind starts wondering to your companies’ security.

‍

Sharing your reports

While sharing your compliance reports publicly is not a wise move, it is important to make the report available to customers and prospects who are interested in it. Most companies require a non-disclosure agreement before sharing sensitive documents, and others choose to only share these documents at a certain part of the sales cycle.

‍

Here at Trustpage, we choose to host our SOC 2 Type II report in our Trust Center, where all visitors can see that it is available and request access. Viewing the report, however, is only possible once the request has been approved and an NDA has been signed. This method protects against our reports falling into the hands of bad actors, but allows customers & prospects to request them at any time.

‍

Keep pursuing additional achievements

While a celebration is well deserved following your achievement, your compliance with a single security framework should not be the end goal. Maintaining the controls you proved and building good compliance habits ensures that you’re protecting your customers to the best of your ability, and that you’ll have a simpler task next time the auditors roll around.

‍

Keep pursuing more achievements.  Not only is it important to check these compliance boxes, but it is also important to continue to develop your security program beyond these frameworks.  Achieving a SOC 2 great foundation, but isn’t the end all be all.

‍

Next our our list is are  ISO 27001 and NIST compliance. Want any advice on what should be next on yours? Claim your Trust Center and reach out to our team today. We’ll give you personalized advice based on your industry and current posture.

‍