When it comes to security, more is always better, right?
That sounds good in the abstract, but in practice it can cause problems. For example, I have always resisted allowing any of our 20,000-plus customers to conduct third-party assessments of our security measures. I re-evaluate that policy from time to time, but for now I’m sticking to it. I’ll explain why.
My team spends more than 20% of their time filling out security questionnaires, doing security-related contract reviews, responding to requests for information and participating is sales engagement meetings to address security and privacy. Repeatedly, we find that prospective customers want to conduct a security assessment of our applications and infrastructure, using either their own resources or a third party. It would just be a matter of them running a tool such as Nessus, Qualys or Nmap.