
During a recent internal knowledge share, our Executive Vice President Mitch Martinez said something that should be required reading for every IT vendor dealing with security.
"The more granular and transparent you are with laying out what you're doing with security, the better off you're going to be."
When Mitch said that he was speaking to the fundamentals of cybersecurity: the documentation, policies, and operational rigor that tell a prospective customer whether you're worth trusting before a single technical conversation even occurs.
The Security Conversation Comes First. No Exceptions.
Healthcare systems and government agencies don't start evaluating IT partners by asking about processing speeds or storage capacity. They start by asking whether you can be trusted with their most sensitive data and most critical systems.
Because if you can't be, the technical capabilities don't matter. Questions about security capabilities are the opening questions in every serious vendor evaluation.
For energy providers like Con Edison, the scrutiny goes even deeper. The Department of Homeland Security mandates strict cybersecurity protocols for any vendor touching critical infrastructure. If you're working with a utility company, they don't just want to know that you have security policies. They want evidence that those policies work.
"When confidential information crosses the internet, encryption isn't optional. You need comprehensive security at the source all the way to the destination. No gaps, no exceptions."
What "Security Policies" Actually Means in Practice
At Derive, our IT Security Policies and Procedures cover every foreseeable situation in which security could be compromised, so that none of them is met without a plan. Derive plans for incident management, disaster recovery, business continuity, data protection, access control, offboarding procedures, and more.
One example: when someone leaves Derive, their access is shut down immediately. Not tomorrow. Not at end of day. Immediately. That's not just good practice; it's the kind of documented, verifiable commitment that sophisticated clients require.
We classify incidents by severity. We have escalation paths. We have notification protocols. We test our own resilience regularly. And critically, we can demonstrate all of this with documentation that carries legal weight.
When Mitch submitted our Standardized Information Gathering (SIG) questionnaire to a partner for a state contract vehicle, it came with a fraud warning statement (a legal certification that the answers are accurate). A SIG is the kind of proof that ends the conversation about whether you can be trusted.
Before any technology conversation begins, the organizations we serve want answers to questions that have nothing to do with speeds and feeds:
1. What compliance certifications or frameworks do you follow?
2. Have you had a data breach or security incident, and how did you handle it?
3. What is your incident response plan and when was it last tested?
4. How do you manage access controls and who has access to our data?
5. How do you assess and manage risk from your own third-party vendors?
The vendors who can answer these questions with documentation as opposed to talking points are the ones who get to have longer conversations.

The Third-Party Verification Standard
Sophisticated buyers don't take your word for it. Many large companies hire third parties to independently verify the answers on security questionnaires. They test whether you actually have antivirus and firewalls, whether you're truly encrypting data at rest and in transit, and anything else they may view as a security risk to their organization.
This is the standard serious customers operate under. It’s not about whether you can claim to have these practices in place, it's whether someone with no incentive to be generous can verify it independently.
Derive has undergone this kind of scrutiny. We have documentation that supports it. That’s what matters.
Why Security is as much Marketing as it is Compliance
In this business, trust is everything.
Organizations that work with us need to know that we've protected the interests of our clients fiercely over the last 25 years. Protecting our clients the way we do sends trust signals. And in the markets we serve, trust is the biggest marketing asset available.
"If we're providing disaster recovery and business continuity services to customers, the first thing they want to know is that you've got your own act together, and we’ve proven that dozens of times over."
The sophistication of your IT partner's security posture is a proxy for everything else. If they're rigorous about their own internal systems, they'll be rigorous about yours. If they have documented incident response plans, they'll apply that thinking to your infrastructure. If they can demonstrate compliance under third-party scrutiny, you can trust the work they do on your behalf.
After 25 years serving healthcare systems and government agencies, including rebuilding NYC's Office of Emergency Management after 9/11 and supporting citywide technology recovery during Hurricane Sandy, we know that trust isn't built on a sales presentation. It's built on the documentation, the policies, and the demonstration of operational discipline that exist long before the conversation starts.
Want to discuss Derive's security and compliance posture? Contact us.