Information Security at Opal

Cyber security (a.k.a. information security or “InfoSec”) is a topic that has been covered previously in this forum, but that’s because there is a point worth emphasizing—we take InfoSec seriously at Opal. In this article, we’ll provide a little more context about the “why” behind our commitment to InfoSec.

We designed every element of Opal (the business and the platform) to serve the brand marketing organization. Information security has become a top priority for every company in every vertical over the past few years. Per SEC guidelines, public companies are even required to disclose cybersecurity risks, which includes a regular assessment of gaps in security controls, including confidential data that is stored or processed by vendors. Knowing that we would be hosting our enterprise customers’ valuable marketing data, we implemented industry best practices from the outset, designing security features into our software platform and our organization at every level. Our customers have noticed.

Because of our commitment to an enterprise-grade product designed to unite the marketing organization, out of the Fortune 50, we proudly call 4 tech brands and 3 financial services companies Opal customers. Because of the value of these brands, and the ever-increasing importance of information security, these customers apply particular rigor to vendor screening, especially for vendors with access to confidential information like marketing content. The InfoSec team at Opal is proud to boast that we have never failed an information security assessment. Not failing may seem like a low bar, but let me elaborate.

Most of our customers have implemented some form of procurement process that includes a review of vendor security policies, practices and certifications. But the world’s largest financial services firms have some of the world’s most rigorous vendor requirements, exceeding even those of the US government (also an Opal customer). Here is a look at the process from the SaaS vendor’s standpoint.

One of our more recent financial services customers in the Fortune 50 first required us to participate in an elaborate RFP comprising more than 50 narrative questions. The RFP was accompanied by a list of more than 200 technology-based questions, with areas of focus ranging from change management and quality assurance to operations, background screening and hiring decisions. In addition to customary questions focused on financial viability, support and training services, and security, the questionnaire included in-depth inquiries in areas of patent coverage and systems architecture. Our SOC 2, Type II certification was considered a baseline expectation rather than a stamp of approval.

Participation in this process obviously required a substantial resource investment, but with an anticipated initial launch of 200 users, this was a worthwhile investment for Opal’s InfoSec team. After a few rounds of meetings, follow-up questions and related clarification, we had cleared all security hurdles and had a clear path towards closing this customer account. Promptly after signing the agreement, we received follow-up requests.

Before launching, we would need to pass an independent penetration test of the platform—we did. Then we were asked to complete a separate InfoSec questionnaire comprising more than 400 questions. Our new customer informed us that they typically anticipate a new vendor will take 3-4 weeks to complete this stage, but we only had a matter of days before our anticipated launch. Opal’s InfoSec team provided comprehensive and acceptable responses within 3 days.

Closing this account would have been impossible for most companies of Opal’s size, but since its launch, Opal has incorporated information security into every element of the organization and product. As a result, Opal is one of the most technologically sophisticated platforms available to marketers. Information security permeates conversations across the organization, from design to sales, and influences every major decision made by our management team. As a result, we are in the best position possible to serve the enterprise and unite the marketing organization across every industry vertical, including tech, CPG and highly regulated verticals like financial services, medical services and pharma.