editione1.0.0
Updated October 9, 2023🚀 As explained by Laura
Definition Due diligence is the process whereby an organization will assess the risk of an activity before it begins. It’s the business equivalent of checking the temperature of your coffee before you take that first sip.
There are two main types of due diligence your company is likely to encounter, customer due diligence and financial due diligence. While they share the same objective, they work slightly differently. We will cover financial due diligence later when we talk about fundraising, acquisitions, and IPO.
If you are selling your products or services to other organizations (a B2B, or business-to-business, company), you will no doubt encounter customer due diligence at this stage.
Definition Customer due diligence is the systematic process of verifying the security maturity of an organization you plan to buy from. This form of due diligence focuses on the risks your organization may encounter by interacting with this organization as their customer. It can be used for both product and service transactions. These risks may cause your company, people, systems, or data harm.
Due diligence is often carried out at the following stages in a customer relationship.
| Why are they doing this? | What are they asking? | |
|---|---|---|
| Pre-purchase | A purchaser may require you to complete a security due diligence process as part of their assessment of your offering. This allows them to understand what the impact would be if there were a security incident and if they can meet their security obligations by using your solution. | Can I use this? |
| Annually | Just as your security program will require you to assess your risks on a regular basis, your customers probably have a similar requirement. Smaller, lightweight due diligence processes may be used annually to check that nothing has changed in your organization since they last reviewed you. | Is it still safe for me to use? |
| On significant change | Sometimes we buy a tool for one job and we notice it can be applied to other situations. Your company’s offerings are no different, and often, happy customers will find other ways to use your solutions within their organization. This diversification of usage can change the risk—by changing the data held within the tool or changing the environment it is deployed into. Customers will often reassess due diligence if they choose to use a tool for a purpose outside of its original intended scope or if their internal/external circumstances have changed. In this case, “it’s not you, it’s them” and they are attempting to understand the impact of their usage decisions and circumstances. | Can I use this in another way? |
Our businesses operate as part of an ecosystem. This system is made up of organizations of all shapes and sizes connecting to each other to share information, collaborate, and transact. No organization can operate alone, each of us needs other companies and organizations to provide the products and services we need to get the job done (but they are not part of our core business model).
This ecosystem is vast and densely coupled. Each organization connects to dozens if not hundreds of others in an interconnected network.
Figure: The business ecosystem is highly interconnected.
Securing our data, people, and systems requires trust. We trust the people we employ, the policies we write, and the systems we build to protect what matters most to us whilst ensuring it remains available for use.
Definition This interconnectivity is what makes customer due diligence so important. The old saying goes that a chain is only as strong as its weakest link and, in this case, our network of organizations is only as secure as its least secure members. This concept is sometimes referred to as supply chain security.
Supply chain attacks are on the rise. Incidents like the 2020 compromise of security solutions provider SolarWinds illustrate the complexity and severity of these attacks. In this incident, attackers were able to compromise a security software platform developed by SolarWinds and use it to distribute malicious software to their customers. Approximately 18K Solarwinds customers globally are believed to have been infected and compromised as a result, including national government organizations as well as Fortune 500 companies.
Remember that, like most people, attackers are lazy and looking for the most effective ways to compromise the most targets. Supply chain attacks can provide an economy of scale for these criminals who are able to invest once in their attack and compromise many companies as a result.
Due diligence helps us to systematically verify supply chain security and gives us confidence that our security will not be compromised as a result of this relationship. While this assessment can never completely remove the risk of a supply chain attack, it helps your organization understand where it has vulnerability and risk outside of its immediate control, and gives you an opportunity to plan for and manage this risk.
Due diligence can be useful after incidents and compromise.
I’m sure we would all agree that identifying and addressing security risks upfront is the preferred option, however, there is no such thing as 100% secure and breaches happen with increasing frequency.
When a breach occurs, due diligence evidence is often reviewed as part of the investigation or post-mortem process. The aim of this review is to identify if anything could have been done differently to identify or prevent this breach from happening. In the case of compliance regimes such as PCI DSS, this check is part of their process for understanding which organization is at fault and liable for any damages that occur.
During this review process, assessors (or auditors) will be trying to understand how risk was managed and understood. They may consult the evidence and notes from due diligence processes and assess whether the information provided at that time was complete and accurate. If evidence suggests that the information provided was incomplete, or included errors, inaccuracies, or omissions, this may impact liability and expose your organization to legal threats.
Finally, in the case of cybersecurity insurance claims, if your security due diligence was found to be incomplete or accurate, it may lead to the insurer refusing to accept your claim and cover the loss.
In this section we walk through the typical stages of due diligence.
Figure: The typical workflow of a due diligence process.
The organization conducting the due diligence will contact you or your team to kick off the process.
The aim of this stage is to start off the relationship and set expectations of process and timelines, as well as give everyone an opportunity to ask initial questions about the process
Key activities:
Make a connection and set up the start of a collaborative and sharing relationship. Remember that these things don’t need to be adversarial.
Prepare your questions in advance so you can ask about and understand the process, how long it will take, and what you will be required to do.
The due diligence process is underway and you will receive a set of questions about your approaches to common security challenges and risks.
This is commonly referred to as “the questionnaire,” a reference to the high number of questions and typical format of this stage.
Key activities:
Read through the questionnaire thoroughly before you start to answer.
If the questionnaire is a spreadsheet, take a copy and work from your copy to allow for review and finalization.
If the questionnaire is delivered via an online tool, create your account and ask for any other required accounts to be created for team members. Remember that account sharing isn’t good security practice, so lets start on the right foot and give everyone who needs access their own account.
Check for evidence requirements and understand what the questions are asking. Your aim is to answer the specific questions asked and provide evidence of your answer as requested.
Get organized with your answers and evidence. Remember to use good plain language where possible and complete sentences. If there is something you don’t do, provide a brief explanation as to why.
Consider what information you can hand over. You likely cannot provide a list of your customers, some internal security processes, sensitive information, etc.
Don’t wax lyrical and provide information beyond what they need. Aim for “Yes, we do X.”
When it comes to evidence, make it easy to find. Name your files in relation to the question that they relate to and keep them up to date.
If evidence is used for more than one question, consider whether you should provide a cross-reference guide mapping evidence to questions, or whether you simply add a second version of the same evidence with a new name.
Evidence files should be easy to review and navigate. Remember to use common formats like PDF or images where appropriate and to consider if any data is lost when converting to these formats. For example, Google Docs files will lose their automatically generated table of contents in the conversion so you may wish to create a static table of contents in these cases.
The assessor will go through your answers and any evidence shared so far to identify risks.
Key activities:
In most cases, the assessor will need to ask you questions about your answers. Don’t forget, they don’t know your environment or processes, so if your answers or evidence were unclear or they want to gain additional context, they may go through your responses with you and your team in a call or interview.
Key activities:
Help set the scene early on. If you can provide additional documentation about your business architecture or structure, this will help.
Remember your assessor doesn’t know your product or business at all, they are a process in procurement and may not have heard of your organization before this point. Be helpful and help them understand why your product or service is being chosen and where it will fit into their organization’s operations.
Don’t be afraid to say “I don’t have that” or “I don’t know” and offer to get back to them if a question catches you off guard or you need time to get better evidence.
Use this process as a chance to share your approaches and reasons behind your decisions, as well as the technical details. Sometimes the reasons behind the decisions allow us to understand the risk in more depth.
The assessor will consider their findings and reach a decision based on the amount of risk associated with using your company, product, or service.
Key activities:
As well as the overall outcome (typically pass/fail), this stage may also provide feedback on their assessment and any risks they have identified.
Use this feedback to suggest security updates and plan future improvements.
If the result is successful, you may proceed with procurement.
If the result is not successful, they should communicate your options for reassessment. (Please note that not all processes allow for reassessment and you should not count on this.)
In the event of an unsuccessful assessment, some organizations will offer a window to fix any issues identified and resubmit.
Key activities:
Remember that reassessments vary, some will just look at the change you have made, others will start the entire assessment process with a new assessor.
Kick off your reassessment efforts with a good structure. Ask the assessor:
How long do you have to resubmit?
What issues need to be addressed?
How many reassessments are permitted?
What is the reassessment process?
Maybe you’ve completed the really long questionnaire and there are questions you couldn’t answer. Or perhaps you have submitted your responses and received feedback, identifying some gaps in your approach.
First, take a breath. This is normal.
Failing to meet the requirements in a due diligence questionnaire can be normal in these early stages. To be clear, failing due diligence isn’t a good thing, it’s just that it’s a normal thing and doesn’t necessarily mean the end of your sale or a failure to proceed.
If it’s normal and it’s not the end then we have a chance to address it. In this section we will give you some strategies for approaching failed due diligence and addressing the gaps identified.
This is a contentious question to start with but it’s an important one. If the deal will generate $100 of revenue but the security requirements will cost $10K to remedy, then you have a business decision to make before you get into the business of remediating risks. While the dollar value to the sale or engagement won’t be the only driver, it’s always important to keep this in mind when planning to address gaps, deal with customer requests, or change your operating model.
Questions to consider when deciding how to respond to failed due diligence include:
How much is this deal worth compared to the cost required to respond to the gaps?
How much is this customer worth to me outside of straight revenue? (For example, signing a large, recognized brand may be a great asset to your sales and marketing strategy and could offset some of the cost/revenue ratio.)
The other factor to consider at this stage is what the impact will be on your sale. Will the customer proceed anyway and expect remediation along the way or is the sale paused until remediation is accepted?
If the process is now stalled, look at the impact this will have on your operations and sales forecasts.
Most due diligence processes are based around questionnaires. While some of these will provide detailed feedback when they identify gaps in your security maturity, some will not. When faced with a simple “the computer says no” response to your answers, you may need more information before you can assess and plan for remediation.
Schedule a call with your contact in the organization and their security person. Be clear about your intentions and that you aim to understand their requirements more clearly before you plan your next steps.
Most organizations will be happy to oblige and set up a call, particularly if they really like your product or service.
Use this time to listen to their concerns and ask for examples of suitable solutions or controls if they have some to share. While you may not follow their preferred approach, the more you learn at this stage, the better you will be able to explain your chosen solution when presenting your remediation plan.
It’s natural to feel a little bit sore if you fail due diligence. We even often avoid using the word “fail” in this space as it feels final. If you know your response is likely to be defensive, take a breath and pause before you respond.
Your aim in this phase is to understand and plan remediation, not to justify your approaches and argue. While there may be a chance something has been misunderstood, most of the time our focus needs to be on constructively accepting the feedback and responding.
Remember, you don’t own their risk. If you fail due diligence, it means that they are not happy with the risk they inherit from using your product or solution. Aim to understand the risk posed to them and what this means in their context before you try to challenge their assessment.
Once you have all the information you need about the risks that were identified and the work you need to carry out to progress, it’s time to make a remediation plan. This plan is split into two distinct phases:
The technical (internal) implementation plan that your team will use to understand and track the work needed. This could be a task tracking board, to-do list, or project plan, depending on your internal working practices.
The executive implementation plan that you will communicate to your executive team, board, and the customer. This high-level plan will communicate your proposed actions and timelines, and any associated challenges, and lets these high-level stakeholders know what to expect. This communication is important not only because it shows direction and leadership, but also because it manages expectations regarding timelines and next steps. In brief, it is saying, “We understand what we need to do, this is how we are going to do it and this is how you will know we have succeeded.” This is likely to be a short report or presentation.
Both the technical and executive implementation plans will require you to estimate the time and resources required to meet the requirements. As members of younger companies, particularly those in engineering roles, we often underestimate the complexity and time required to remedy issues.
In this case it is important to add some buffer into your time estimates and not to promise too much, too soon. It is better to spend 90 days on remediation and do an amazing job than it is to spend seven days on this work and have it rejected multiple times.
If you aren’t sure how much buffer to add, double your first estimate and then double-check that number with someone objective and experienced that you trust. If there is any doubt, increase it some more.
This is particularly important if any of your remediation activities require procurement of tools or services, or if you have to interact with third parties. As you cannot control their operating speed, you must allow some room in your estimation process (and list this as a risk on your implementation plans).
Definition A compensating control is a security measure that you implement when you are unable to take the typical or suggested approach. It is a different way of reducing the same risk when you face operational, contextual, or unusual constraints.
For example, if your system integrates with a third party and, as part of this relationship, you have to login to their systems. Unfortunately, they don’t allow you to use your single sign-on provider or have separate accounts for each user.
This situation isn’t ideal and most security frameworks prohibit the use of shared accounts or promote the use of single sign-on at all times. This isn’t your system, however, so you can’t take action. You can’t change the authentication type or enforce individual accounts per user.
Instead you may choose to implement a compensating control to address the risk, in this case that activity cannot be attributed to a person, making incident investigation hard and increasing the chance of account compromise.
Our proposed compensating controls could be as follows:
Enforce a long password stored in the company’s password manager.
Turn on 2FA where possible.
Create alerts that notify your team (via chat or email) when the account is accessed. This might be via your network logs or be something you can configure in your systems.
Enforce a policy that requires team members to centrally log when they use these credentials.
There is no exact science for compensating controls. The trick to making the most of them is to:
understand the risk that needs to be addressed
understand the preferred approach and articulate why it can’t be done
plan alternative strategies that address the same risk and submit them for approval or assessment.
When you are satisfied with your remediation efforts and have worked internally to validate that they have been met, it’s time to resubmit your assessment.
Some organizations will only reassess the remediated areas and conduct a partial assessment, others will insist on completing the entire assessment from start to finish again (sometimes even using a different assessor).
Find out what the process is for reassessment before you submit, and be prepared. If you passed some other areas of the assessment but you know your answers were weak, spend some time to reinforce these before you go back. It could save you some issues later if the full assessment is conducted again.
It can take a significant amount of time to complete due diligence questionnaires, particularly if they are based on international standards, they have been customized tightly to your customer’s environment or language, or you operate in an environment processing large volumes of personally identifiable, financial, or otherwise sensitive information.
Here are some of the ways you can make this process less time consuming and stressful for everyone involved.
Don’t be afraid to ask for a chat if things are unclear. Due diligence processes can be complicated, and often include questions and considerations framed in the language of regulators or the larger enterprise you are dealing with. This can often mean that questions are confusing or unclear. It’s OK to be unsure and ask questions. If you need clarification or to understand what the risk/concern is related to a particular requirement, ask. You may find that the person who sent you the questionnaire appreciates you taking the time to understand before you submit your responses.
Always link the security control to the risk that is being managed. So your due diligence questionnaire has a question about a specific type of security vendor device and whether you have one in your network. You don’t have much of a network and you certainly don’t have that expensive device.
Before you jump into your answer, consider what risk that device might be trying to reduce. Perhaps you don’t have this specific device or architecture but are you managing the same risk in a different way. It’s OK that your organization does things differently, your job is to help others understand that difference.
Remember, due diligence is about communicating how you reduce risks rather than meeting a checklist of technology implementation requirements.
Save your answers for a later point, both for discussion and for reuse. How many times has someone asked you for an answer to a question and you’ve replied with something clear and to the point, only to then have forgotten what you said just a few moments later?
Don’t let this happen in due diligence. Write down your answers or transcribe them. Not only will this be useful when discussing them during later meetings but it will allow you to refine your answers over time, improving the quality of your due diligence response and speeding up the process.
Remember that this is a collaborative, not hostile, process. It is perfectly natural to feel vulnerable during the due diligence process. You’re discussing your approaches and any risks your organization may carry with someone you would like to impress, that can be an uncomfortable situation. People often have the tendency to become defensive when we feel uncomfortable or vulnerable, a primal instinct to protect ourselves.
Remember, this may feel uncomfortable, but done well, it shouldn’t be a hostile process. Often the people conducting due diligence want you to succeed, as they want what you have to offer. This makes the process more collaborative than adversarial, and this shift in perspective can help reframe the discussions and make for a more productive process.
Answer honestly but be careful with your words. Don’t lie. That probably seems obvious but really, don’t do that. Don’t exaggerate or talk about future ideas as if they were already implemented. These behaviors will always come back to haunt you later on if someone digs deeper or an incident happens. Be concise and explain the risks and your current approaches. If you give plans for future improvements, be sure to explain when they will happen and how they will be resourced.
Collaborate internally with those responsible for each domain/control or area to ensure your answers are accurate. If you are reading this as a CTO or other founder role, you may be used to shielding your team from these sorts of questionnaires. They may prove to be a distraction and you would rather they focus on operations. When we choose to shield our teams and take the weight ourselves, however, we expose ourselves to more risk. This risk comes from two places; firstly, we may not know all the answers and may provide incorrect or incomplete answers. Furthermore, we deny the team exposure to security and why it is important to your company. If they never see this side of the sales process, they will make decisions with incomplete information. By getting the right people to collaborate, security becomes a team endeavor and each person finds they have a role to play—whether it is communicating your processes as part of the answers you provide or understanding and planning the remediation efforts needed to address any gaps.
Translate to their language. Remember that the communication style and conventions we practice in our organizations may not be the same as those within our potential customer organizations, particularly if they are operating at a different scale or in a different geographical region or market. Spend the time to write clearly and concisely, mirroring their communication style if you can. It takes less effort to understand conversations that are in your own language or style, and so meeting your customer where they naturally communicate can make it easier to get the message across.
🚀 As explained by Laura
Like with most parts of your business, the time has come to get organized. You are probably already familiar with the benefits of increasing organization as you scale, but in case you need a recap: