HECVAT Starter Guide for SME SaaS Founders
Understanding Third-Party Risk Management
Ok so I started out writing the usual "What is the HECVAT" and then felt it was starting to head in the 'fear uncertainty and doubt' direction. So I deleted everything to focus a bit more on some foundational information.
The HECVAT is about Third Party Risk. The institution is sharing data with you, and that exposes them to risk. They need to make sure you have a cybersecurity program in place to adequately protect that data. If you've been asked to complete the HECVAT, a business unit within that institution is genuinely interested in buying your product because analyzing your HECVAT costs time and money.
Think of HECVAT as the institution's safety net when buying your software or services. It's basically a way to check if vendors are doing things right before they trust them with their data. Without running these checks, they could be in hot water if something goes wrong - like a data breach or security mess-up. It's kind of like doing your homework before making a big purchase, except this homework keeps the institution out of legal trouble.
Key Concepts for HECVAT Success
Many vendors ask me if there is a "passing score" they need to target. The answer is no. Each institution will make their own determination based on their risk tolerance. Naturally, vendors who store or process personally identifiable information (PII), protected health information (PHI), or other sensitive data will be scrutinized more closely.
Why Accessibility Matters in HECVAT
But why does it include accessibility? This question has been raised many times at the Educause annual HECVAT conference. Providing accessible services is a legal requirement under Section 508 of the Rehabilitation Act and the Americans with Disabilities Act. Failing to do so can result in lawsuits and fines. So since accessibility is a requirement, the institution needs to check it before procurement as well. Therefore they opted to include it in the HECVAT. Interestingly, the accessibility questions are highly weighted in version 3.x, meaning they can easily sink your score.
Building Your Cybersecurity Program
If you don't have a well established cybersecurity program, you will need to build one. This is a good thing. It's a great opportunity to implement a program that will protect your data and strengthen your market position in the education sector. But be prepared. It is a journey. But one that can open the education market whilst also improving the resilience of your business.
It's pretty common for vendors to download a template information security policy and use that as the basis for their HECVAT submission. This is a mistake. The job of the institution analyst is to detect risk. They know how to spot template material and other signals indicating the lack of a real cybersecurity program.
Practical Cybersecurity Implementation
To many, cybersecurity is a complex and daunting endeavour. The marketing and hype around cybersecurity does little to help. But the reality is it's far less complex than it's made out to be, and with the right approach and just enough knowledge, you can feel confident that it's under control.
Contrary to popular belief, you do not need expensive products or tools to establish an effective cybersecurity program. Good processes, a few tools (including open source options) and some training will get you a long way.
At the end of the day, the institution wants to know cybersecurity is not an afterthought. They want to know you have a plan and that you are actively managing risk. If you aren't doing this already, you need to start. Engaging a consultant is a good idea, since if you had the expertise in house, you would be doing it already.
Next Steps on Your HECVAT Journey
Always happy to chat with vendors about their HECVAT journey. We're so busy with our work that we aren't interested in selling you anything unless we can genuinely help. Remember that cybersecurity should be a balance of risk and cost. If you do engage a consultant, make sure to prioritize the areas that will have the most impact.