Nicholas - Great question. A clear concern for the industry at this time.
(disclaimer) As a software service provider, I have some strong opinions here. Let me make a few comments, and see if we can get some discussion going in advance of your interview. I would note that I am referring to data/information security here, rather than physical/on-site security - an important topic, but separate from this one IMHO.
Security, disaster recovery, and business continuity are key business functions for any business, regardless of industry. The cannabis industry just received a wake up call that shows how critical this is.
These functions are so critical, and yet so dependent on the underlying service providers (POS, website, payment processing etc) that the responsibility for these functions has to fall to those providers. These functions should be basic “core competencies” of all software providers to the cannabis industry, period.
The average licensee really does not have time or expertise in-house to manage this. They have enough to worry about. It needs to be a provided service: either included by their key service providers or contracted with a data security/disaster recovery provider. It has to be worry free, always up, never down, without failure. With today’s technologies, this is achievable.
For disaster recovery and backup, I like to think about two key metrics: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). These are somewhat technical terms, but easy to express in terms of your tolerance to data loss and downtime:
RPO: If your provider lost your production database in the middle of the day, how much data would it be ok to lose upon recovery? Would you tolerate 5 minutes of lost sales/transaction data? 10 minutes? 1 day? 4 days? Every minute of data loss means rework to recover that data. A zero data loss RPO is achievable with today’s technologies. Data loss of more than 5-10 minutes begins to be a problem.
RTO: If your provider’s service crashes hard, how long can you tolerate being down? 10 minutes? 30? 12 hours? Days? For example, we set an RTO of 15 minutes for local/data center failures, and 2 hours for a region-wide failure where we have to move operations across the country.
Obviously, the less time for each, the better. But there are tradeoffs in architecture that impact what RPO/RTO can be achieved cost effectively. Each organization has to establish their tolerances for these objectives, and architect, implement and TEST to achieve them.
Most providers should be able to state an availability or uptime goal for their service. This can be expressed in “Nines”. eg 99.9% (three nines) or 99.99% (four nines) etc. At Green Marimba, we offer an uptime of 99.99%, which would mean less than 5 minutes of downtime per month.
Apart from disaster recovery, the security of Personally Identifiable Information (PII) is a key issue. Does your provider have a detailed security plan and expertise in cybersecurity? Do they adhere to any well-known security standards (PCI, HIPAA, CIS, etc.)? Can they provide you with compliance statements, periodic vulnerability scan reports, etc.? We have all seen news reports of hacks where companies lose millions of customer records to hackers (Yahoo, Target, et al). Cybersecurity risks are high for anyone storing or transmitting PII. This area could potentially be a risk for our industry, if providers are not managing security well.
Here are the questions any licensee should ask of their software providers:
Do you have a disaster recovery plan?
How frequently do you test it?
Can you share the documentation?
What is your security plan? How do you secure personal information?
What is your RTO and RPO?
Do you offer a service level agreement? Will you pay/credit fees if the SLA is not met in any month?
Do you have a stated uptime guarantee?
How frequently is my data backed up? Can I have a backup of all data at any time? Can I have a usable backup of my data if I terminate service?
Please let me know if you have questions/comments.