What Compliance Looks Like at a Startup
When you think about creating a startup, you may think about generating products, business plans, funding, and building a customer base, but Vivun’s cofounders added security and compliance to that core delivery of services – making it just as high of a priority as releasing products.
Managing security and compliance at a startup certainly comes with its own challenges, so Vivun Security has 4 recommendations for achieving Compliance goals at an early-stage Startup.
Build it from the beginning
Conducting audits for your security program achieves multiple goals. For starters, it gives your program a sense of where you stand against industry standards. You’ve built your program, but how do you know you built it correctly? Audits. The confirmation that you’ve built your program correctly not only gives you assurance, but also assures your customers that they can trust you with their data. Another, more apparent goal of conducting audits is to abide by industry regulations (hospitals abiding by HIPAA, for example).
Going through audits in the early stages of startup creation 1) ensures that what you’ve built is strong, 2) instills trust in customers and prospective customers – launching your company above others, and 3) gets you into compliance with industry regulations quickly.
Don’t do it alone, leverage expertise
Vivun underwent its first set of audits in December 2020, when the company had only 30 employees. Although audits at this time were an all-hands-on-deck effort of the CEO, CTO, CISO, and many engineering managers, Vivun managed to successfully receive its SOC 2 Type I, SOC 2 Type II, and ISO 27001 certifications. A top recommendation we have for startups: leverage third-party experts to help guide you and prepare you for full-fledged audits. We partnered with 2 external firms to aid us through the maze of SOC 2 and ISO 27001 compliance controls. We looked to Jemurai as our “phase 1/internal audit” auditors and Schellman & Company, LLC as our external certifying auditors.
By late 2021, we had a round of audits under our belt along with lessons learned and enough resources to build out a dedicated Compliance team. Although this “team” was one person, Vivun had a dedicated resource to organize evidence requests and coordinate with internal team members and auditors, which freed up much of the executive team to, well, focus on running other parts of the company.
Create your standards from the get-go
With a Compliance team and past experience, undergoing audits must be a rinse-and-repeat process now, right? Well, kind of. As you may already know with startups, there are never dull moments when creating a new company and generating new products at such a fast pace. Creating new products and tweaking old ones come with their own set of compliance challenges, which is why weaving our standards into our day-to-day work is of the utmost importance. Another recommendation for startups: create your security and compliance standards from the get-go. Our software development process abides by the same standards regardless of product. Our various products are extremely different when it comes to their components, but the development and engineering practices have remained the same when it comes to security and compliance. The only additional compliance work for a new product is additional evidence collection.
Avoid Compliance Silos
The Compliance team, much like the entire Security department, must add value to the business to ensure longevity. Gone are the days when Security and Compliance teams operate from the shadows of obscurity. The Vivun GRC team not only delivers Governance, Risk, and Compliance for the company, but also partners with stakeholders across every part of the business to ensure full transparency and partnership.
A recommendation for startups: keep your compliance team close to your engineering and product development teams. This will ensure compliance is truly woven into the day-to-day operations of the company and will also inform your Compliance team about what evidence exists when it comes time to collect for auditors.
When facing compliance at a startup, your team may be small, but you must build it to be mighty. That’s why gaining efficiency wherever possible will launch your startup above the rest.