Communication Disconnect: Sales Promises & the Information Security Audit

Has this happened to your company? The sales team has a hot prospect who wants them to conduct an information security audit. Sales promises that not only can that happen, but also that it will happen by a specific deadline. The problem? No one checked with the C-suite or operations management before committing.

This communication – and timing – disconnect between sales and operations can cost companies both prospects and current customers. Information security is traditionally implemented and maintained behind the scenes. In today’s market, particularly for healthcare vendors, good market positioning means that information security has to be front and center.

As an example, the demand for a SOC 2 audit report is on the rise. Healthcare vendors and other service organizations are being asked for it as proof of a sound information security program. We work with clients as they prepare for and proceed through SSAE 16 SOC 2 audits. In cases where vendors engage a CPA firm to conduct a SOC 2 audit, we find that the decision to go through an information security audit comes from two places: the C-suite and sales. The C-suite sees the audit as a way to retain current customers and to maintain marketability. The sales team looks at it as another strong sales point.

What happens when the sales team over-promises?

If the sales team sells a product or service based on the assumption an information security audit can be done without checking in with its IS department, they may find themselves in a huge bind. It’s even more problematic if the company executed a customer contract along with the promise to conduct a SOC 2 audit. Imagine how that will come back to bite the company when the customer demands a copy of the nonexistent report!

In one instance, a company we’ve worked with in the past lost out on a multi-million dollar deal based on an over-promise. Sales promised they would complete a SOC 2 audit, which was then delayed for a couple of years. The prospective client walked away from the table. Remember, the proverbial grapevine works well, healthcare industry or otherwise. If you’re doing a great job, people will hear about it. If you fall on your face, they’ll hear about it faster.

Sales teams like to run full steam ahead, promising results, valuable products and enhanced service.  That’s a good thing. That’s how companies stay in business and continue to grow.  Often, though, IT / IS is left trying to figure out how to keep the promises made.

Vendors for healthcare and other service organizations are under mounting pressure to prove customer data is safe and secure. Information security is a market driver. If sales and the information security team aren’t on the same page, the outcomes could be disastrous for business. So communicate amongst yourselves: sales, IT and the information security team. Actively involve the C-suite. Then you can be assured the company is steered in the right direction, with the right resources. When promises measure up to delivery, everyone is happy.