Alex Cunningham, November 21, 2022
This is the fifth installment in a series about what it takes to build an enterprise-class software company. You cannot build an enterprise-class software company without enterprise-class security. We combine deep wealth management domain expertise and enterprise software expertise and deliver timely, innovative solutions configured for our customers’ businesses—all while keeping their data secure and private.
The best security is when you never have to think about it. One of my favorite phrases is “we do our best work in the shadows.” What I mean by that is security is not in your face, it is never a barrier, and it is frictionless. It is not high-profile, but at the same time, you get a sense of assurance that it is there and protecting your organization as designed.
For most enterprise-class software companies, security is not their primary business. Nevertheless, their customers trust them to protect their data. From an enterprise-class perspective, we are in the business of trust, which is hard to earn and easy to lose, and that is why we take security seriously.
How do you build trust? We understand the importance of data security and we take a pragmatic, risk-based approach so our customers can trust that their data is always protected. Our platform is built to enable advisors to do the best for their clients, and they can only do that if they are assured of the confidentiality and integrity of the data being presented.
Here is the approach enterprise-class software companies should take:
Accessing the platform
When accessing your platform, users should have their own unique User ID and password combination. This along with multi-factor authentication increases the level of assurance that only authorized users have access to your platform. Analytics also help create a baseline of normal behavior to better identify abnormal behavior.
Protecting your data
All communication—either through web or mobile apps—should be encrypted. Likewise, from a data-at-rest perspective, all data stored in your systems should be encrypted by default. This adds an additional layer of protection to your data regardless of where and how it is used.
In addition to continual internal security testing, you need to conduct regular penetration tests using a trusted third party to evaluate the strength of your platform’s security posture. This helps firms proactively identify any weaknesses so they can be addressed in a timely manner to better protect their technology.
Enterprise-class companies need to hold themselves to the highest industry standards possible, whether that means standards such as System and Organization Controls (SOC 2) or the Health Insurance Portability and Accountability Act (HIPAA). These help demonstrate your commitment and strengthen customers' assurance that they can trust you to protect their data.
Compliance alone, however, does not create security, and your strategy and focus should not only be to meet these standards but to exceed them in line with your own business needs.
Security by design
Cybersecurity best practices should be implemented in your infrastructure and software development from initial design through feature and function rollouts. This ensures the best protections are in place from the start when you are building your enterprise-class software and helps reduce your risk.
Enterprise-class security as a culture
As an organization, it is everyone's role to have a security-minded focus. You must ensure that you have the right risk-aware culture in place to help you prepare for the ever-evolving threats that put companies at risk. Attackers generally do not have the same time constraints as defenders. As threats continue to evolve, it is critical that firms remain aware of them so they can apply the best protection against them.
Proactive defense and monitoring
Proactive 24x7 security monitoring and alerting ensures the integrity of your infrastructure and data. Using multiple layers of security technologies will help you identify, address, and remediate suspicious activity. Implementing security analytics and automation technologies allows you to set a baseline of normal behavior so you can more quickly identify and respond to suspicious behavior.
But it is not about technology alone. As well as having the best technologies available, it is critical that your staff are well-trained and motivated, and that your processes are robust and flexible to deal with both the known and unknown.
Data center security
Where you host your technology is important, too. Whether on-premises, in the cloud, or in external state-of-the-art data centers, ensuring you have the correct physical and environmental protections along with geographic considerations will ensure your technology is available when your clients need it, regardless of what’s going on outside.
We believe commitment to these industry best practices is crucial in protecting data and building customer trust. Enterprise-class software companies need to invest heavily in technology, their people, and processes to ensure the best possible protections and services for their customers. Cyberthreats continue to change and evolve at a rapid pace and taking a proactive approach to security is vital for any enterprise-class organization.
Alex Cunningham is Senior Vice President, Chief Information Security Officer at Advisor360°. He leads the Information Security team in protecting the Advisor360° enterprise, keeping all company and client data and infrastructure safe and secure.