Expert Insights About Supercharging Startup Growth with Compliance from Former Auditor Marc Rubbinaccio
Achieving and maintaining compliance is time and resource-intensive — and startups are limited on both.
In the Secureframe Expert Insights webinar held on Tuesday, November 8, compliance expert and former auditor Marc Rubbinaccio walked through the five biggest security and privacy compliance pain points of startup leaders and how to solve them.
If you missed it, we’re recapping his insights and best practices for simplifying and streamlining the compliance process for startups below. You can also watch the recording here.
Why security, privacy, and compliance matter for startups
The main reason is that you need to secure your customers’ data adequately and address their privacy concerns.
Customers are looking for companies, small and large, that can protect the security and privacy of their data and interests.
Achieving compliance with security and privacy frameworks such as SOC 2 and ISO 27001, and staying compliant with data privacy regulations like GDPR and CCPA, is an effective way to demonstrate that commitment to security and privacy.
Building a strong cybersecurity program that meets compliance requirements helps startups reap additional benefits, including:
- Creating streamlined, scalable internal processes for things like onboarding and offboarding employees;
- Preventing data breaches that can be costly in terms of revenue and reputation; and
- Attracting stakeholders that want to limit their legal and reputational risk when making investment decisions.
Compliant startups can also differentiate themselves from non-compliant competitors, close more deals faster with customers asking for proof of compliance, and expand into new markets, including going upmarket.
Biggest security and privacy compliance pain points for startup leaders & how to solve them
1. Lacking in-house expertise to begin the compliance process
Unless you have performed audits or worked in internal compliance at an organization, it is unlikely that you have memorized the requirements laid out in these security frameworks. The requirements themselves can also be hard to comprehend.
Typically, framework requirements are either very specific and complex, or so broad and general that it is unclear what exactly needs to be implemented.
For example, SOC 2 is an attestation framework defined by the AICPA. Its guidance can be interpreted differently between companies, and even between audit firms, each of which has its own information request lists and interpretations.
These frameworks also change as technology changes. ISO/IEC 27001 received a major update in 2022, and PCI DSS v4.0 has officially been released as well. Reading and understanding the frameworks is difficult enough; keeping track of their changes and how they apply to your organization is even more difficult.
As a startup, you may not have a dedicated team that’s responsible for understanding and maintaining that understanding of these frameworks over time.
Good: Read the guidance
It’s incredibly important to have at least a baseline understanding of what these compliance efforts require of you. Without prior audit or compliance experience, however, this can be difficult.
Better: Hire a consultant
Hiring a consultant who has a deep understanding of these compliance frameworks and can translate the guidance into actionable tasks is a better option. A consultant will be able to work with you regarding your environment and your processes as they are now and give you steps to reach those compliance requirements. However, this can be costly, especially if you’re using a consultant to help you maintain compliance.
Best: Use an automated platform in conjunction with compliance support
Using a platform that integrates with your technology stack and shows you exactly what you need to do based on your configurations and environment is ideal. It is the most efficient way to move forward in your compliance journey, especially if nobody on your team is an expert on these frameworks.
2. Understanding exactly what you need to implement
Reading the guidance and understanding it is not enough — you need to understand exactly what the guidance is asking you to implement.
As mentioned above for SOC 2, each auditor could interpret the guidance differently, and based on that interpretation provide you with a different information request list. The auditor you select can therefore greatly affect your assessment. For example, you could interpret the guidance one way, implement processes to reflect that, and then discover at audit time that the auditor’s interpretation calls for additional processes or implementations. This extends the timeline for getting compliant.
Let’s look at an example. One line of the SOC 2 guidance states: “The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.” If Secureframe customers were asked to implement this control, they would likely all do it differently, because it’s hard to tell what the auditors are looking for from the guidance alone. What exactly are effective risk assessment mechanisms according to the auditors and to your business? What is an appropriate level of management? All of these can be interpreted differently, and this is just one example of implementation guidance in the AICPA guide.
PCI self-assessment questionnaires (SAQs) are another good example of this pain point. PCI DSS requires any merchant or service provider that stores, processes, transmits, or can affect the security of cardholder data, and that falls under the Level 2-4 designation, to complete and maintain an SAQ. This is a self-assessment: a QSA or other third-party auditor is not required to attest to your controls.
So what if you are a company of five people who have never heard of PCI before? You now have the complicated task of reading through roughly 300 PCI DSS controls, scoping your cardholder data environment (including which systems are connected to it and which are properly segmented from it), and then implementing the hundreds of applicable controls in order to complete your SAQ. Then you submit the SAQ and its Attestation of Compliance (AoC) to your payment processor or customers stating that you are compliant, and all you can do is hope everything is implemented correctly and you do not get breached.
To give you an idea of how difficult this is, all startup PCI Secureframe customers who have gone through an SAQ on their own had missing implementations when it came time for review by their dedicated compliance manager.
So it’s incredibly important to understand what you need to implement to become compliant. To do that, you first need to understand what you do and do not have in place.
Good: Perform a readiness assessment
A readiness assessment will give you an idea of what you have in place today and where you need to get to in order to be compliant. However, a readiness assessment against a framework you do not really understand is of limited value, because you cannot judge whether your controls actually satisfy the requirements.
Better: Hire a cybersecurity consultant to perform a readiness assessment
It’s important you have someone who is an expert in the framework and your environment perform a readiness assessment. If you don’t have someone on your team, then you could consider hiring a consultant.
Best: Use an automated platform that guides you through the process
The best solution is to use an automated platform where you can connect your technology, see all your configurations, and utilize control mapping to all these frameworks to tell you exactly what tasks you need to complete to become compliant.
Many of these platforms also have the customer support and expertise to be able to guide you through that process so you know exactly what you’re doing when it comes to implementation.
3. Acquiring the right vendors and partners
Another important part of compliance is acquiring the right vendors and partners to assist you with your compliance effort.
For example, an auditor is a third-party partner you need in order to obtain your report, certificate, or AoC. Some frameworks require a third-party penetration test. ISO 27001 requires an internal audit, which you may need a third party to perform if you do not have the resources to do it yourself. PCI DSS requires quarterly external vulnerability scanning performed by a PCI Approved Scanning Vendor (ASV).
So you need to understand not only what vendors and partners you need but who are the best for your specific environment.
Good: Ask a friend or colleague
You can ask your personal network about what vendors and partners they use. These recommendations can help narrow your search to try to figure out who would be worth researching and interviewing.
Better: Research and interview vendors and partners
Doing research on vendors and partners and requesting an interview is a good way to start your vendor acquisition process, but this could take a lot of time. It would also be difficult to figure out if a vendor is the right fit for you just based on researching online.
Best: Tap into a trusted partner network of pre-vetted vendors
Utilizing a partner network would be the best option. If you have a vendor you trust, utilizing their pre-vetted partner network is a great way to establish a few good options to then choose from. This would be much easier than researching online and evaluating a few hundred vendors to try to understand which would be best for your environment.
At Secureframe, we have an established partner network of pen testers, auditors, ASV scanners, and more, all vetted by our internal team. Working with your dedicated compliance manager, you can determine which pen tester or other vendor is the best fit for your unique environment, so you don’t have to do the due diligence yourself.
4. Managing your time between getting compliant and building your service
This is probably the biggest pain point facing startup leaders. As a startup, there is likely little bandwidth you can take away from engineering and operations to focus on your compliance efforts.
Here at Secureframe, there are always new features to build out, bugs to fix, and processes to improve. This is true for all of you as well: you’re always improving your product or service for customers, which is critical to growing your business.
The problem is that, if you’re not using a consultant or compliance platform, this can cause chaos during your audit. Unless you are performing a readiness assessment with a consultant that understands exactly what the auditor needs during audit time or a platform to organize your evidence, the audit process can be complicated and require valuable time and resources.
Let’s break down the audit process. It usually consists of a fieldwork week and then evidence review or report writing week. It’s critically important for auditors to receive as much accurate evidence as possible prior to the fieldwork week in order to meet those deadlines. This gives auditors an opportunity to review as much evidence as possible prior to or during the fieldwork week so they can perform all their interviews and observations and generate only a small list of follow-up items, which can be collected at the end of the fieldwork week or during the following report writing week.
If you were not fully prepared for the audit and do not provide as much evidence prior to that fieldwork week, this follow-up list will be much longer. If you don’t complete this list of follow-up items prior to the end of the report writing week, the auditor will no longer be dedicated to you. They’ll be dedicated to another customer and they will have only so much time to review the evidence you provide. This can extend the audit process tremendously. It may even cause you to miss your audit date.
Good: Map out tasks from documented guidance
Mapping out your tasks from the documented guidance is a good start, but it will take a lot of bandwidth on your end.
Better: Hire a consultant to list out the tasks for you
Using a consultant to assist with mapping out those tasks will save a lot of time, but it can be very expensive.
Best: Use an automation platform that guides you through the process
Using an automation platform is ideal. A platform that not only maps those tasks out, but gathers the evidence automatically will save substantial time prior and during the audit process.
At Secureframe, we invite our auditors to pull evidence prior to the audit week to determine that it’s acceptable. Any list of follow-up items will be short and provided during the audit week to ensure we’re not pushing the audit into a week where the auditor is dedicated to another client.
5. Continuously monitoring to maintain compliance
Preparing for your first assessment is only the first step — maintaining compliance is critical. There are many processes that require regular reviews during the year, such as quarterly access reviews, vulnerability scanning, and penetration testing. Missing any of these recurring tasks could affect your status as compliant. If processes are not being followed precisely, this can also be a critical issue during the audit process.
For audits that review evidence over a period of time, one missed vulnerability scan or one missed review against a critical code change could jeopardize your compliance status. It may result in an exception or qualified report, for example.
That would be incredibly unfortunate because you went through so much effort and time to become compliant. And if you’re not compliant the next year, you’ll have to tell all your customers that are requesting your status as part of their due diligence process.
Good: Schedule regular reviews to check all systems, applications, tools, and integrations
Scheduling these reviews ahead of time is a good way to prepare throughout the year but this is not ideal due to human error. The person responsible for this could leave the organization, mis-schedule these tasks, or miss a task that was required and not schedule it.
Better: Set reminders for task owners to complete checks
You could set reminders for task owners to complete checks but this manual process would still be prone to human error.
Best: Use an automation platform that sends out automated reminders
Utilizing a platform that will automatically schedule these required tasks, allow you to assign owners, and also send notifications will be the most efficient way to ensure all of these tasks are completed throughout the year.
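The three failure modes above (an owner who has left, a task that was mis-scheduled or has lapsed, and a required task that was never scheduled at all) can all be caught by checking control evidence freshness against each control’s cadence. The following is an added illustration of that check in Python; it is not Secureframe code, and the control names, cadences, dates, and employee names are constructed for the example.

```python
"""Recurring-control monitor: flags compliance tasks that are overdue,
due soon, unowned, or missing from the schedule entirely.
Added illustration with constructed data, not code from the webinar or Secureframe."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Quarterly and annual are the cadences the page mentions (quarterly access
# reviews and ASV scans, annual penetration tests); the day counts are an
# assumption for this example.
CADENCE_DAYS = {"quarterly": 90, "annual": 365}


@dataclass(frozen=True)
class Control:
    name: str
    cadence: str                    # key of CADENCE_DAYS
    owner: Optional[str]            # None when nobody is assigned
    last_completed: Optional[date]  # None when never performed
    grace_days: int = 14            # warn this many days before the due date


def next_due(control: Control) -> Optional[date]:
    """Date by which the control must be performed again, or None if never run."""
    if control.last_completed is None:
        return None
    return control.last_completed + timedelta(days=CADENCE_DAYS[control.cadence])


def evaluate(controls: Iterable[Control], active_employees: Set[str],
             today: date, required: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify every scheduled control and detect required controls that were
    never scheduled. Returns control names grouped by finding type."""
    findings: Dict[str, List[str]] = {
        "overdue": [], "due_soon": [], "unowned": [], "unscheduled": [],
    }
    scheduled = set()
    for c in controls:
        scheduled.add(c.name)
        # Owner left the organization or was never assigned: a reminder would
        # go nowhere, so flag it regardless of the date.
        if c.owner is None or c.owner not in active_employees:
            findings["unowned"].append(c.name)
        due = next_due(c)
        if due is None or today > due:
            findings["overdue"].append(c.name)
        elif today >= due - timedelta(days=c.grace_days):
            findings["due_soon"].append(c.name)
    # A required control nobody put on the calendar is the "missed and never
    # scheduled" failure mode.
    findings["unscheduled"] = [r for r in required if r not in scheduled]
    return findings


# Constructed sample data: a small control calendar as of the webinar date.
TODAY = date(2022, 11, 8)
ACTIVE_EMPLOYEES = {"alice", "bob"}   # carol has left the company
CONTROLS = [
    Control("Quarterly user access review", "quarterly", "alice", date(2022, 7, 15)),
    Control("Quarterly external ASV vulnerability scan", "quarterly", "bob", date(2022, 8, 20)),
    Control("Annual penetration test", "annual", "carol", date(2021, 12, 1)),
    Control("Annual security awareness training", "annual", "alice", None),
]
REQUIRED = [c.name for c in CONTROLS] + ["Annual policy review"]


def sample_findings() -> Dict[str, List[str]]:
    """Run the monitor over the constructed calendar."""
    return evaluate(CONTROLS, ACTIVE_EMPLOYEES, TODAY, REQUIRED)


if __name__ == "__main__":
    for kind, names in sample_findings().items():
        print(f"{kind}: {names}")
```

Run on the sample calendar, the access review (last done 15 July, due 13 October) is overdue, the ASV scan (due 18 November) is inside its two-week warning window, the penetration test is on time but has no active owner, the training has never been performed, and the policy review is required but not scheduled. In practice the control list and the active-employee set would be pulled from your HR and ticketing systems rather than hard-coded, which is exactly the integration an automation platform provides.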
To hear what questions were asked and answered live during this Secureframe Webinar, watch the recording starting around the 27-minute mark.
Join our next Secureframe Expert Insights Webinar
We host Secureframe webinars regularly to address the biggest security, privacy, and compliance pain points that we hear from prospects, customers, and our in-house compliance experts. Find upcoming webinars as well as on-demand recordings of past ones in our compliance resources library.