Like taxes or going to the dentist, compliance is one of those topics that people often don’t like to contemplate. There are many reasons for the distaste but this “anything-but-compliance” mindset can lead to problems.
In startups, compliance is typically viewed as a blockage to be bypassed, and SOC 2 or ISO 27001 audits are little more than frustrating but necessary steps to close more deals. Companies with this perspective want to quickly complete each audit cycle, which is understandable, but they do so without ever thinking about the big picture of what information security compliance really is or about the underlying goal.
The result of these “efforts” is often a slapped-together, ad-hoc project that may well get the job done in the moment, but it doesn’t adhere to any sort of best practice, does little to benefit future compliance undertakings, and misses a huge opportunity to bake in security from the start.
As problematic and ill-conceived as the mindset is in startups, it’s an even bigger problem when it comes to companies experiencing exponential growth.
“Hyper-growth” can be an exciting chapter in a company’s life, with a lot of shiny, new elements: new departments, hires, offices, mergers, acquisitions, etc. And thanks to this accelerated growth, companies need more to support them – more SaaS tools and cloud environments that require more compliance frameworks, controls, policies, and evidence. And above all, these businesses need advanced security and greater compliance maturity than their startup counterparts.
Amidst this flurry of expansion, the ad-hoc approach that worked for a first-round SOC 2 or ISO 27001 audit is a recipe for disaster in complex infrastructures. Not only is the siloed-project model not scalable, but it doesn’t support the security posture. A “let’s-just-get-it-over-with” mindset treats compliance efforts as little more than boxes to be checked off; it does nothing to establish and manage controls and policies that enhance maturity, and it ultimately weakens both the current and the future compliance posture.
As a result, companies lose out on the opportunity to effectively bolster security and security best practices.
Driving security through compliance
By seeing compliance as little more than a pesky roadblock, companies hold themselves back from adopting a more mature approach. But this mindset can be changed by viewing frameworks as guidelines that illuminate the correct path companies should take.
Seeing frameworks as guidelines lays the foundation for a stronger approach to compliance, one that continually maintains and improves upon policies and controls. Frameworks can serve as the guiding light, preventing companies from taking risky moves that push them away from the established path and instead ensuring that the relevant controls are always addressed. In this way, security practices are baked into each process and activity, facilitating a security-by-design model.
Making it practical
While metaphors and analogies are handy rhetorical devices, how can companies practically implement this?
Take, for example, the process of onboarding new employees. Without a dedicated security persona in place, which is often the case in smaller to medium-sized companies, no one is tasked with ensuring that the new hire is aware of their security responsibilities in relation to the data the company holds. With SOC 2 or ISO 27001, however, regardless of whether there is a mature security team in place, the company must establish, and adhere to, an onboarding process as part of its Human Resource Policy and Procedure that clearly outlines how employees must be briefed on their security responsibilities when being onboarded.
Now consider the issue of security awareness. Again, when a company lacks a proper security team, who will take responsibility for making sure that employees with access to sensitive data, like developers and HR teams, handle it properly? Even if a company is still in its pre-CISO stages, the requirement under SOC 2/ISO 27001 to implement a robust Information Security Awareness Policy and Procedure means that everyone on staff with access to sensitive information is duly aware of their responsibilities and must undergo recurrent awareness training.
Next, think about typical R&D teams. Without the backing and encouragement of a solid security team, R&D teams tend to develop without taking security concerns into consideration. This leads to fixing issues such as security bugs after the fact, which consumes time and delays production. As part of the Secure Software Development Life Cycle (S-SDLC) Policy and Procedure for ISO 27001 and SOC 2, the company must commit to guiding its personnel on how to plan, design, develop, test, integrate, and deploy code in a secure manner, with minimum risk to business operations.
Finally, consider how security incidents are handled. In less mature companies without a robust security function, there is little to dictate how incidents are handled, which can have devastating short- and long-term effects. ISO 27001 and SOC 2 require the establishment of detailed Information Security Incident Management Policies and Procedures, to ensure that companies can respond optimally if and when incidents occur.
Using compliance frameworks as a guide, it really is possible to establish and uphold a security-by-design methodology and to ensure that security best practices are incorporated into all aspects of compliance activities. This is why the “get-it-over-with” mindset is flawed: compliance isn’t a pain in the backside or just a formality. It is a helpful resource, one that keeps companies on the straight and narrow road, prevents them from falling head-first into unknown territory, and ultimately drives enhanced growth and maturity.