Customer Thermometer’s Perspective On SaaS Security

SaaS Security Interview Jim Turner

Last Updated on 8 June 2023 by admin

Customer Thermometer is an award-winning Brighton-based SaaS company that provides cutting-edge customer satisfaction software. We caught up with Jim Turner to discuss Customer Thermometer’s perspective on SaaS security and to learn more about their own cyber security journey and how they’ve adapted their approach over the years.

Tell us about Customer Thermometer and your role?

I am the CEO of Customer Thermometer. We are the market leader in short survey solutions; with our 1-click email feedback software, we're helping the world's most customer-obsessed businesses get quick and accurate feedback from their customers in seconds. With over 2,000 customers and operating in 60+ countries, we're taking the market by storm and our innovative approach to surveying is revolutionising the feedback sector.

How has your approach to securing your SaaS platform changed over the last 2 years?

I have a background of working with software companies that offered bespoke software builds as part of their service offering, so I came to Customer Thermometer 3 years ago with this level of information security in my mind. But SaaS is very different and you see very quickly that security has to be at the top of the tree in terms of priorities, way before new features!

What lessons have you learned from penetration testing your SaaS platform?

That choosing a security partner that genuinely cares about doing a good and thorough job over a fast or cheap one is critical. Look around until you find a team of people that are even more concerned with app security than you are!

What SaaS security best practices do you follow in your development process?

Throughout our development life-cycle, we have built-in checkpoints to ensure security is met. Our development processes include a mixture of manual and automated tasks, all listed on our internal security review checklist that we adhere to. We utilise automated tools where possible, from monitoring our dependencies and libraries to vulnerability scanners. Code reviews are an active component of our life-cycle, with every commit being reviewed and tested prior to deployment. We follow an iterative process with our development, ensuring that each feature meets the minimum requirements, is tested and has adequate on-boarding support before being rolled live.

What defensive security do you offer against hackers and cyber threats to protect user data?

In order to keep our users' data safe, we have a number of defensive security measures in place on our infrastructure and built into our application. Firstly, all data in transit is protected with TLS. We have brute-force and bad password lists implemented to strengthen the quality of passwords that our users input. We have alerting and logging in place, with manual review processes for any event that is not whitelisted.

Privilege separation of duties and tasks – this is across our development cycle and system administration functions. Following the “least privilege” model when assigning permissions or configuring software. Independent penetration testing is carried out regularly, along with a rigorous internal testing process of both manual and automated tasks.

Most importantly, we educate our teams through internal training sessions – ensuring they understand what cyber risks are out there and what risk they pose.
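As an added illustration of two of the controls mentioned above (this is example code, not Customer Thermometer's own): a bad-password denylist check and a per-account failed-login throttle that logs a lockout as an event for manual review. The denylist entries, the 12-character minimum and the 5-failures-per-15-minutes threshold are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed sample denylist; a real deployment would load a large
# breached-password corpus from disk. These entries are illustrative only.
BAD_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MAX_FAILURES = 5       # failed logins allowed per account per window (assumed)
WINDOW_SECONDS = 900   # 15-minute sliding window (assumed)

def is_password_allowed(candidate: str, min_length: int = 12) -> bool:
    """Reject passwords that are too short or appear on the denylist.
    Comparison is case-insensitive so 'Password' is treated like 'password'."""
    if len(candidate) < min_length:
        return False
    return candidate.lower() not in BAD_PASSWORDS

class LoginThrottle:
    """Counts failed logins per account inside a sliding window and locks the
    account once the threshold is hit. A successful login clears the counter."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)   # account -> [failure timestamps]
        self.alerts = []                     # non-whitelisted events for manual review

    def _prune(self, account, now):
        # Drop failures that fall outside the sliding window.
        self._failures[account] = [t for t in self._failures[account] if now - t < self.window]

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account, now=None):
        """Record a failed login; returns True once the account is locked."""
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) == self.max_failures:
            # Lockouts are not a whitelisted event: queue them for manual review.
            self.alerts.append(f"lockout account={account} failures={self.max_failures}")
        return self.is_locked(account, now)

    def record_success(self, account):
        self._failures.pop(account, None)
```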

How important is cyber security to your customers?

We have around 2,000 customers on the platform and around 20,000 active accounts being used to a greater or lesser degree, so the importance level varies a lot from client to client. Just because we don't know if a customer treats cyber security as an important factor, it doesn't mean that they don't. They may have scoured our site to check our security and privacy policy before they signed up. So, we treat it as if it's the most important thing for all of our customers. These days users will assume an app has a high level of cyber security in place, so they may not ask because they trust you have it. So we can't betray that trust.

You work with some impressive brands, how do you work with their security teams?

We fit to them on the whole; all of our customers have varying needs and we need to be flexible to fit them as best we can. Often they will find the InfoSec process painful too, so we do everything we can to take that pain away and get everything tied up with a neat little secure bow as quickly as possible.

What are the top 3 security risks that keep you up at night?

Honestly, none. We have an excellent team and I trust them completely to do everything they can to keep the app safe and secure. We work hard to do everything we can to keep our app and our clients' data protected.

How should SaaS CEOs be driving cyber security across their organization?

Cyber security must be a top-down organisational approach. If the leadership team talk about it and highlight and push forward with training schedules then the business will always keep it at its core.

What advice would you offer to CEOs when it comes to cyber security?

Partner with an excellent and trusted firm that works with similar companies and has case studies and testimonials on their site that clearly show the trust their customers have in them. Choose a partner that is clearly full of cyber security uber-nerds, people who not only know their onions but are all over LinkedIn and social channels fighting the good fight and highlighting risk in a sensible and helpful way. If you are worried about it or you don't know what the risks are, then get informed and take remedial action to fix anything.

But I think the most important thing is to nurture a team that is as obsessed about cyber security as you are, from sales to support and not just your technical and product teams. Live and breathe it across the business.

About Customer Thermometer

Customer Thermometer is the only customer satisfaction survey customers can answer from their inbox, giving you industry-leading response rates. It is an easy and unique way to gather the thoughts of your customers.

Write, create and send beautiful, branded emails in seconds. Your customers click directly from their email inbox. You track their responses in real-time.