Compliance vs. Security: Evaluating Suppliers & Services to Maximize Efficiency

Author
Built Team
PUBLISHED: 09/27/2021

As technology providers in an industry where compliance and security are of the utmost importance, Built has dedicated resources to keeping all data as secure as possible. Built’s internal security team has years of experience on both sides of this process: as the assessor, and as the party being assessed. In the realm of security, compliance can easily become a checklist exercise to be completed, but when it comes to ensuring the security and privacy of non-public financial information, it needs to go further than that.

Oftentimes, in the realm of construction finance, the idea of compliance is conflated with security. Being compliant with a framework or industry standard can lead to a false sense of security. For example, a business may be “compliant” with a given compliance framework or industry standard and still, in many ways, not be secure from threat actors and their exploits. Conversely, a business can be reasonably secure (from a physical and technical security controls perspective) but not be considered “compliant.” This difference is why we approach securing the systems, networks, and environments where Built and client data is transmitted, processed, and stored from a data-driven, actual-security perspective: one that is generally aligned with compliance best practices without relying on those practices at the expense of “real security.”

As our customers work to improve their internal information security practices, it comes down to three things: confidentiality, integrity, and availability. It’s essential that data is confidential, accurate, and available to the right parties at the right time. Whether they are looking for a new tool to securely manage work or data, or evaluating what they already have or need to support security-related compliance requirements, there’s a lot to consider.

As a business evaluates technology solutions, it’s important to know what kind of questions to ask. To start, consider the following:

  • What exactly is this third party in our supply chain doing for us?
  • How are our employees or our users accessing it?
  • How are they authenticating to the service?
  • What kind of permissions will they have?
  • Will it connect with any of our existing systems, networks, or business applications?
  • How does Built’s technology interface with our own?
  • What data elements are in the scope of the service offering?

Once you have the answers to these questions, you can move forward in the assessment process. Then you can determine which additional questions the vendor or supplier should reasonably be required to answer, and which document artifacts it is appropriate to require copies of.

A tremendous amount of efficiency can be lost when evaluating technology providers. To help mitigate these inefficiencies, Built’s Security team proactively gives its current and prospective clients and strategic partners the ability to request access to a Security Shared Profile via our website. We take the administrative, technical, and physical security posture questions we are commonly asked about the scoped service and environment and combine them with the commonly requested and required security-related document artifacts. This makes the information available as soon as it is requested. Rather than spending time on routinely asked questions, we can then shorten the security review process by focusing on the security-related questions and requests that are unique to a given client.

In the same way that Built aims to turn reactive processes into proactive workflows, the Built security team is also working to make adhering to security-related compliance standards seamless and proactive. Our goal is to give prospects and customers a self-serve way to obtain the information they need to appropriately assess Built’s service offerings and secure quick approval for access and use, so that they can operate their business more efficiently and mitigate risk as soon as possible.

For more information on how Built is working to keep data compliant and secure, you can visit getbuilt.com/security.