Information Security Requirements for B2B SaaS Providers
Hyvärinen, Tuomas (2023-03-30)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Commercial use is prohibited.
Access: open
Permanent address of the publication:
https://urn.fi/URN:NBN:fi-fe2023051244159
Abstract
To gain a competitive advantage, companies are increasingly willing to collaborate with other companies and share information between them (Karlsson et al. 2015). Outsourcing is a viable option for many companies, offering cost savings and improved efficiency; however, it does not come without risks to information security (Khidzir et al. 2010). In the current business environment of interorganisational collaboration, new information security threats are emerging. Collaborating with other companies introduces new threats by creating possibilities for non-compliant behaviour, intrusion, and exposure (Goodman and Ramer 2014). Therefore, organisations must now rely on partners to ensure that information security is upheld at the interorganisational level (Karlsson et al. 2015).
Within the field of information technology, cloud computing has grown to become one of the most dominant computing paradigms in recent years. According to some estimates, by 2024 more than 45 percent of companies' IT spending will consist of cloud computing solutions (Gartner 2019). Cloud computing's rapid rise in popularity is due to its promise of bringing down costs while delivering the same, and potentially more, functionality as traditional information technology (Marston et al. 2011). However, information security concerns can be seen as one of the biggest challenges that the cloud computing paradigm must overcome to reach its full potential (Tipton et al. 2012).
Therefore, in this increasingly connected and digital business environment, a fundamental challenge for companies is to meet information security requirements (Gordon et al. 2010). Organisations must adhere to both standard and organisation-specific information security guidelines to meet these requirements (Thalmann et al. 2012). Managing security in companies both providing and consuming services is no longer limited to internal services, systems, and infrastructure. Furthermore, companies providing services to other parties must also consider the requirements of their customers. (Currie et al. 2001.)
I conducted this research for a SaaS company, SoftCo, which operates in the enterprise software industry. The aim of the research was to understand the most common information security requirements placed on SaaS companies by analysing the information security questionnaires that SoftCo's customers had sent to it. The findings are gathered into an artifact which includes the most important information security themes and questions from the analysed companies. The study was conducted as a qualitative study using document analysis to gather the data for identifying the information security themes. Additionally, I evaluated the produced artifact according to the design science research method process by Peffers et al. (2007), comparing the identified information security themes with the ISO/IEC 27001 standard for information security management.
In this study I identified 24 different information security themes that were important to SoftCo's customers and showed which of these themes were most important according to the questionnaires. Based on these themes, I identified three areas of information security that were highlighted in the questionnaires: the shift of administrative control from the customer to the service provider, ensuring business continuity and protection against external threats, and concerns regarding the auditability and compliance of the service provided.