By Justin Beals, Strike Graph CEO

B2B companies are confronted by a new challenge in accelerating their customer acquisition. The challenge is often described as needing to complete a SOC 2 audit or ISO 27001 certification. While the procurement team for your latest enterprise deal might name these documents, what they are really requesting are assets that instill trust. Strike Graph customers acquire a variety of valuable trust assets, thereby solving a critical revenue problem. Since our customers focus on acquiring trust assets instead of complicated integrations, they achieve trust more quickly with less disruption. That means revenue.

Strike Graph customers utilize our solution to acquire the right assets to meet their revenue goals at the right time. Our solution is dynamic enough to support the unique practices of any organization and convert those practices into a variety of trust assets, including a SOC 2 audit or ISO 27001 certification. It’s wrong, however, to imagine that every deal will require only one of these two assets. Today we are going to talk more about the variety of assets you should acquire.

Self-verified assets

There are a variety of important assets that a company can create without the delays and costs required by an auditor. Being able to produce trust assets without the oversight of a third-party assessor is a quick and lightweight solution to gain trust. If constructed properly, these assets also can be used later in the acquisition of more prestigious certifications. Strike Graph technology allows companies to create the following types of assets:

• System and Security Description - An overview of your organization, the product, and security.
• Control Library - A spreadsheet of your organizations' security controls.
• Policy Library - Policies and procedures adopted by your organization.
• Vendor Assessments - A questionnaire, required by a buyer, answered according to your security practices.
• Internal Audit - An internal audit of security control design and practice.

These are trust assets. While they do not have the cachet of an Ernst & Young audit, they are important assets in communicating your organizational capability and maturity. Many Strike Graph customers begin by developing these types of assets initially to help accelerate their revenue acquisition and reduce their time to close. Sharing these trust assets will help market your organizational maturity to important buyers. 

Third-party verified assets

As your company grows, buyers will be looking for trust assets that have been verified by third parties. This verification helps increase the amount of trust an asset can communicate. However, these assets are much more costly to acquire. They are costly because auditors charge for their services in much the same way lawyers charge hourly. It is in the interest of the audit organization to over-sell the level of verification required to earn more money from you. Creating a little bit of fear and competition certainly hasn’t hurt their businesses. When you attempt “leaping ahead” in the compliance prestige game you wind up spending an unnecessary amount of money and time.

A SOC 2 audit is a very common third-party verified trust asset, as a certified public accountant will perform a review of the design and operating effectiveness of your security controls. There are, however, other trust assets that can be third-party verified. Critically, many of these assets are a pre-cursor to a more prestigious trust asset. 

Strike Graph customers get the right third-party verification according to the revenue goals they need to achieve. There is little value in getting a certification that doesn’t meet revenue goals. Scoping these assets properly is why Strike Graph customers have been so successful. Here is a broader list of important third-party verified trust assets: 

• Annual Penetration Testing - An assessment of your technology infrastructure by a certified penetration tester.
• Letter of Intent - A letter from an auditor certification organization verifying that your organization intends to complete a certification.
• ISO 27001 Annual Assessment - An assessment of your control design and operation to the ISO 27001 standard by a Certified Information Systems Auditor.
• HIPAA Assessment - An assessment of your control design and operation to the HIPAA standard by a Certified Information Systems Auditor.
• SOC 2 Type 1 Audit - An assessment of your control design to the SOC 2 standard by a Certified Public Accountant.
• SOC 2 Type 2 Audit - An assessment of your control operation to the SOC 2 standard by a Certified Public Accountant.
• ISO 27001 Certification - An assessment of your ISO 27001 control design and operation to the ISO 27001 standard by an ISO Certifying Organization.

I founded Strike Graph to help companies acquire the trust assets needed to grow their businesses. We take that focus seriously. We realize that the real problem confronting our customers is getting the right type of trust and the right time. If you over-burden your security practices too early with complex standards and expensive auditors you suffer reduced productivity, a failed audit, or worse a serious breach. If done properly, each acquired trust asset is an important tool in making the next asset easier to acquire. With Strike Graph, companies can build immense trust with a variety of valuable assets.