There are dozens of blog posts you can read that explain the process, the requirements and the other details of what a SOC2 Type 2 actually is. Most of these are excellent reads so I recommend Googling around a bit and checking those out. However, I am going to take a look at something you won’t find in any of the instructional videos or write-ups about this process: How did this affect the culture of my startup and how can you expect it to affect yours?
KirkpatrickPrice has a series of free videos on their YouTube channel that I watched about a dozen times when I was going through my own learning period about SOC2. Regardless of the source of information, the entire process can be daunting and extremely complicated at first. Don't worry, you'll get it.
The challenge and opportunity
Smaller startups operate quickly, pivot rapidly to adjust to business requirements and are full of bright people that need to be extremely flexible in how they perform their daily work. Figuratively dropping the compliance book on the table in the middle of a busy work cycle can really upset some company dynamics if not approached correctly. Most of all, SOC2 needs to be approached with speculation, curiosity and with the mindset of how it can help your company rather than drag it down through paperwork rabbit holes.
Startups can pose interesting challenges for security and compliance teams. The speed at which the business develops can create mountains of legacy projects that need to be researched, documented and accounted for during pre-audit work cycles. It’s up to us to ensure past work does not expose the company to any unnecessary future risks.
This is also an excellent opportunity to understand the history of a company from the inside out. I developed processes and policy as a direct result of how the company ebbed and flowed over time. This will hopefully save compliance dollars in the future.
I have personally been a part of various audits for different companies and regularly worked on tasks that seemed completely random and useless. I never knew why I was helping with the audit process. At one of the larger companies I have worked for, the governance and compliance folk always wore suits, were always in meetings and never talked about what they were doing. They would randomly walk up to you and ask about a process, go “Hmmmmm...” and walk away.
Very drab, if you ask me.
Getting started and what to expect
So, how in the heck do you “lay down the law” in a company that is, by its own right, “lawless”? Quick tip: you really don’t have to. Sure, there are some aspects of being compliant that require new processes that everyone absolutely must understand. Make it fun in any way that you can! People hate audit periods for good reason because, well, they aren’t fun.
Something that it took me a while to understand with SOC2 is that it is more about accountability rather than forcing compliance frameworks on an organization. Larger companies must have strict compliance frameworks to ensure accountability across dozens of groups and datacenters. Small companies generally do not have that problem. We simply have to record, and be accountable for, changes we make to our smaller environments. You can use spreadsheets or million dollar tools to achieve the same exact goal. That is an oversimplification, but you get the idea.
If there are problems that need to be corrected in your organization prior to audit, take the time to fully understand how that problem was created to begin with. You need to find compliance solutions that can be molded around the company and not vice-versa. Preventing process friction and compliance slowdowns at a startup is absolutely paramount since operating budgets can be razor thin.
Sometimes, there needs to be a complete 180 degree turn in how things work. Sometimes, you need to be extremely honest and extremely direct with leadership and the teams you are working with. This happens. Know your people, know your company and you shouldn’t have a problem shifting process. Heck, it’s a startup after all! Rapid pivots are what we do for a living.
To answer the initial question of how this affected our culture, I can honestly say that aside from being much more security and compliance aware as a company, there wasn’t much that actually changed. Sure, the addition of new processes and policies was an interesting hurdle for some of our teams but the chaos of the initial audit faded away quickly.
If there is one takeaway from this, it’s about understanding the humans working at your company who still have a job to do while you are running around ensuring compliance.
What I’ve learned and my advice to you
Make compliance and security fun!
- Relate with the engineers. Joke about “silly” requirements with them and understand their pain when upsetting their work cycles. Allowing them to poke fun at compliance requirements is healthy and it helps cement what is and what is not important with security and compliance.
- Try to lighten the mood during serious conversations. Exposing serious process issues with a team does not have to be a negative experience.
Set the context
- When asking teams about their process, help them understand the context of the questions you are asking. Some of the questions I had to ask people for SOC2 may have sounded really strange out of context. 99.9% of the time, the answers to questions I had were magnitudes better once they understood the larger picture.
- Teams are generally fully capable of tuning their own processes and procedures. Giving the full context of a compliance requirement is magnitudes better than being authoritative with compliance requirements.
Anything else I have learned?
- Actively sell compliance as a benefit when discussing it. The financial impact compliance has for a company is very real.
- Do not worry or stress about seemingly unsolvable problems. Talk to the managers of your teams and you can find a solution or at a minimum, some kind of stop-gap.
Special thanks to C.H. for the early mentoring as I was still cutting my teeth on the complexities of SOC2.
Read the press release - Pana Industries Receives SOC 2 Type II Attestation