Why Stage-Appropriate Compliance Matters for Startup Growth
November 11, 2020
Oro

Early-stage startups are in for a surprise when they dive into what’s needed to pursue a regulatory or compliance framework. Implementing SOC 2 alone means wading through about 240 controls, all vague and seemingly written for larger, much more established companies. As a startup, there’s likely no room in your budget to purchase white-glove security solutions, and the thought of hiring a Chief Information Security Officer at this stage is just laughable.

Still, early-stage startups need security just as much as established companies. They may not consider it important for startup growth, but without security they can’t expect to move upmarket or manage their growing risk as they mature.

Stage-appropriate compliance can help. Your security controls need to be flexible enough to protect your startup as your team, technology, data needs, and funding grow. Stage-appropriate compliance builds a foundation of security that evolves with your startup, giving founders an effective approach for adapting complex frameworks from pre-seed to Series A and beyond.

Compliance is essential for startup growth

Most founders think they only need compliance if they build a startup in health, finance, or other regulated spaces. What founders tend not to understand is that compliance does far more than help startups meet federal and state laws. In fact, compliance is one of the most effective startup growth strategies available to early-stage companies.

Are you looking to sell to bigger customers in the near future? Many enterprise customers require their startup vendors to have a security framework in place in order to work with them. Your startup won’t be able to move upmarket without compliance in place.

What about surviving past Series A? The more tools, processes, types of data, and people you add to your business, the more unmitigated risk you take on.
Building security measures early on not only lessens the risk as your company matures, but it also tells investors that your startup takes risk management seriously and that you’re worth consideration. Frameworks like SOC 2 and ISO 27001 provide a foundation of security that unblocks enterprise sales and protects your startup’s finances and reputation from company-killing events.

Stage-appropriate compliance ensures security at all startup stages

Most controls in regulatory requirements and security frameworks are overkill for fast-growing startups. They recommend controls that are too expensive, require too many resources, or otherwise don’t make sense in a startup environment. But with stage-appropriate compliance, even very early-stage startups can become HIPAA or SOC 2 compliant, or design their business with security in mind.

Stage-appropriate compliance is a startup growth mindset that helps startups rethink complex and expensive security controls. It gives founders a way to translate security measures into actionable, achievable controls that make more sense for their team, product, and budget at their startup stage. Instead of following security frameworks exactly as prescribed, stage-appropriate compliance urges founders to:

- Understand the purpose behind each control. What risk is it meant to mitigate?
- Identify a compensating control that fulfills that purpose while making more sense for your startup.

For example, it doesn’t make sense for an early-stage startup to hire a dedicated security team or install cameras and a security system to secure your office. In many cases, a simple lock on the door and a building doorman is more than enough to fulfill your framework’s requirements.

Follow security recommendations based on your startup stage

To help you get started with stage-appropriate compliance, we spoke with Thoropass’s experts to understand how they recommend approaching security at each startup stage.
Early/Bootstrap: build your security foundation

It’s never too early to start thinking about security as part of your startup growth. When you’re exploring product feasibility and the market, it’s equally important to take stock of your security landscape.

Are you in a regulated space? It’s illegal to handle private health information without meeting HIPAA regulatory requirements. Or, if you’re a fintech startup managing payment processing, you may need PCI DSS or a similar framework to comply with state law.

What security frameworks will your future customers expect you to have? It’s easier to build security into your startup growth strategy in the beginning rather than course-correcting down the road. That’s why you should look ahead to which security frameworks your enterprise customers will require before working with you.

Install a pipeline of tools that enforce secure development practices

Code quality is critical, especially when you’re developing your product. Prioritize installing the tools you need to make sure your developers commit error-free, high-quality code. We’ve found that early-stage startup teams tend to forget to use a static code analysis tool. There are plenty of open-source options to choose from.

Rely on well-constructed, reliable cloud service providers

You know the usual suspects. Popular cloud platforms like Azure, GCP, and AWS provide solid solutions for companies, both new and old. Also, they tend to offer free credits or discounts for startups. You may prefer the ease of using a managed service like Heroku. Be careful if you go that route, as it can get expensive really quickly! Don’t forget to follow best practices.
Make sure you enclose everything in a VPC, limit the IPs that can access the environment, and set up logging and monitoring properly. It may sound like overkill for a company this young, but it’s much more time-consuming and expensive to fix those gaps down the road if you didn’t set them up properly in the beginning.

Protect your data

Other than your code, people pose the most risk to your startup. You’re likely only dealing with a couple of people at this stage. That means now’s the time to get some fundamentals in place to protect your data before that two-person team grows to five, 10, or 50. Understand what your data is worth, where it lives, how it’s used, and who has access. Write it down and keep it fresh. Make sure you have the following controls in place:

- Database encryption: Don’t stop with just backing up your databases. Encrypt data that moves through networks and use a private VPN as another level of protection for your most critical information.
- Secure transfer protocols: Use HTTPS instead of HTTP to encrypt web data.
- Multi-factor authentication (MFA) / two-factor authentication: Use this on all of your major systems. The most popular SaaS applications support MFA. We’re fans of YubiKeys and SSO vendors like Okta.
- Password policies: Prioritize passphrases and use an open-source password manager like Bitwarden.

Configure role-based access

You should also start to move your production configurations out of your code and into a separate repository, enforcing MFA on all services your engineers work with. You can exert a deeper level of control by assigning permissions to employees based on their role and responsibilities. Don’t forget to restrict access to the production server and database, organizing everything through continuous integration tools like Jenkins or TeamCity.

Home in on endpoint security

At this stage, you’re probably allowing team members to work on their own devices.
This added risk makes it critical that you ensure everyone has encryption as well as virus and malware protection. Don’t forget to establish some basic physical protection policies. (Where are people allowed to use their work laptops? What networks can they use? What if they have to leave their café table to go to the bathroom?)

Document standard operating procedures

Standard operating procedures make it easier to run through all of the security tasks needed as your startup grows and adds employees, devices, and complexity. Hopefully, you’ll need to do that a lot.

Seed: Increase Your Security with New Funding

Every time you bring in more funding, invest a portion of it in upgrading your startup’s security controls. This is also a good time to focus on people security and plan ahead for more significant security investments.

Buy better tools

An easy but effective way to dial up your security a little more is by moving from open-source tools to paid products. These tools tend to offer additional features and better support. At the very least, paid tools can save you from combing through community forums for troubleshooting advice. We recommend purchasing:

- Jamf for endpoint security management
- Snyk or Fortify for static code analysis
- 1Password for password management

Purchase and distribute company devices

It’s easier to ensure your team’s laptops and other devices are secure when you can make sure they’re all running stable operating systems and you can install security software on them. It also helps to install asset tags and other tracking solutions in the event someone steals company property.

Secure your growing team

As mentioned earlier, people pose one of the biggest risks to security. This is particularly true for startups in a race to mature. The more people you add to your team, the more risk you assume. And the faster you grow, the easier it is to overlook risk management along the way.
No matter whether you have two or 20 people working for your startup, make sure every one of them is following security practices and is aware of common risks (phishing, malware, ransomware, etc.). To do so:

- Create onboarding protocols: These establish expectations for your company’s security practices like MFA, passwords, securing devices, etc.
- Define offboarding protocols: You’ll need these to ensure that your former employees don’t walk away with equipment or access they shouldn’t have.
- Run risk assessments and test your team’s incident response: These ensure your employees uphold the security standards, as well as keep them aware of and ready for potential threats.

Conduct a penetration test

Look for an ethical outsider to put your security to the test with a “pen” test. This type of test puts a cyber-security expert’s skills to work at identifying any weak spots that someone else could exploit. Often, companies will seek someone outside of their team with no knowledge of the system to uncover anything that’s been overlooked. Learn more about penetration testing and the different types of pen tests over at Cloudflare.

Draft a security roadmap

Similar to how a product roadmap defines timelines for core features and updates, a security roadmap gets you thinking about major security investments as part of your startup growth strategy. Let’s say you’d like to improve sales opportunities for your startup with a SOC 2 Type 1. This roadmap helps you decide when you’d like that in place, so you know how much time you have to prepare. Some companies target multiple security frameworks. A roadmap helps you figure out whether you have the money and resources to tackle them all at once or if you need more lead time between them.

Series A and Beyond: Pursue a Framework and Manage People

While the seed stage is all about building on your security foundation and looking ahead, Series A is the perfect time to execute on your plans.
In this stage, focus on implementing a security framework, tightening your people management controls, and preparing for the worst.

Become SOC 2 compliant

Or execute on your preferred security framework. This involves drafting policies and documenting evidence around the security controls you’ve built so far. You may have to start this earlier if you sell to financial institutions or healthcare organizations. If that doesn’t apply, Series A is the time to invest in a formal compliance program.

Expect this to be a significant undertaking. Startups can spend weeks to months preparing for a SOC 2 engagement. An audit can take as little as two to three weeks to draft. However, if you pursue a SOC 2 Type 2, your auditor will need to evaluate your controls over a six-month period, extending that time commitment. As for cost, startups can expect a SOC 2 audit to start at $20,000. This doesn’t include the cost of any changes that your team needs to make before the audit begins. Again, we recommend building a security foundation in the bootstrapping stage, so you don’t have to make any significant overhauls at this point. We talk more in depth about what it takes to become SOC 2 compliant and how to prepare in Everything You Need to Know to Get SOC 2 Compliance for Your Startup.

Focus on people management

Make sure you keep your security in line with your growing workforce by:

- Continuing to develop your operational procedures
- Looking into (and testing) vendor security practices
- Adding HR resources, training, and awareness around secure code practices, workplace harassment, etc.
- Conducting background checks for new employees
- Reconsidering hiring remote employees or vendors in geopolitically sensitive areas

Prepare for the worst

In 2019, a route leak caused a massive internet outage that took down 10% of the 16 million websites serviced by Cloudflare.
That same year, a power failure in a Northern Virginia data center not only interrupted AWS service, but also took down websites like Reddit and lost a significant amount of data stored in the cloud.

Your customers expect your product to work as intended when they need it. To deal with circumstances outside of your control, your startup needs a plan in place to notify customers, manage downtime and unrecoverable data, and resume business as usual. Test your team on your business continuity protocol to make sure they’re ready to follow it when the pressure’s on.

Get Help with Your Stage-Appropriate Compliance

We’ve seen many founders struggle with translating security measures for their stage as part of their startup growth strategy. They either go too far with controls or ignore them altogether. For help, consider working with a consultant or a compliance solution like Thoropass.

Some consultants can be overly prescriptive about the controls startups need. To find one that works for you, tap into your startup network. Thoropass, on the other hand, specializes in providing actionable, stage-appropriate advice based on your specific startup growth needs. We give you a checklist of what you need to meet your compliance goals as well as an annual risk assessment to help you scale your security. You can also talk with our compliance experts when you have questions or need a little extra help.