As cloud-first companies reach new growth milestones, they come face to face with an abundance of exciting and fresh opportunities — new investors, new hires, evolving business deals, and, if all goes well, the prospect of a very successful future.
But along with this tremendous growth come new challenges that companies have yet to navigate, and these challenges only become more complex and nuanced as they expand. Infosecurity, and new compliance requirements in particular, can prove to be thorny, quickly changing from what was previously an afterthought to a daunting, time-consuming source of friction between compliance teams and their stakeholders during hyper-growth stages.
When “Good Enough” Just Isn’t Anymore
It has become increasingly important for companies to meet the compliance standards set forth across industries today. System and Organization Controls 2 (SOC 2), for instance, has become important for companies that work in the cloud. Because such companies collect, store, and share a plethora of customer data, completing a SOC 2 audit assures customers and other stakeholders that the proper infrastructure and processes are in place to protect information from unauthorized access.
The same goes for the ISO 27001 framework, which documents proper handling of information security, HIPAA to protect medical records, and Sarbanes-Oxley (SOX) to increase transparency in financial reporting.
2 Important Laws for Infosec Compliance: HIPAA and SOX
- Sarbanes-Oxley (SOX): U.S. law meant to protect investors from fraudulent accounting activities by corporations.
- Health Insurance Portability and Accountability Act (HIPAA): Federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
While meeting compliance requirements like these can be challenging at any stage, in the new hyper-growth phase, meeting and maintaining new compliance frameworks becomes more critical — and more challenging — than ever before. The “good enough” methodologies employed by small startups suddenly no longer work. And considering that the infrastructures of hyper-growth companies are often nothing short of labyrinthine mayhem — with massive increases in usage of third-party SaaS tools, containers, virtual machines, as well as security, developer, sales/marketing, and HR solutions — it’s nearly impossible to successfully navigate compliance activities and processes for all these systems in the manual fashion currently used by the majority of businesses.
Additionally, the ad hoc fly-by-the-seat-of-your-pants approach that may have previously aided one SOC 2 report here or perhaps another ISO 27001 certification there now fails to provide the groundwork that would enable teams to leverage already-performed work for upcoming audits. A siloed strategy therefore leads to the need for repeat compliance activities, wasting precious time and valuable resources. For example, in the one-time-project mindset, evidence for similar controls in different frameworks must be collected multiple times, causing the people tasked with the chore to perform duplicate work. Additionally in this stage, more is needed at all levels — more frameworks, more controls, more evidence, more SaaS tools and cloud environments, and better overall security and compliance maturity — all of which are difficult to account for in a one-time-project model.
This, then, is the current state of infosec compliance at hyper-growth companies relying on these tactics today: a hot mess of outdated, manual, human-driven activities and processes, all of which further burden already overburdened infosecurity teams. In fact, today’s manual methods are reminiscent of pre-cloud days, featuring screenshots, Excel spreadsheets, and face-to-face meetings. With no automation of processes, no single source of compliance truth, and no end-to-end visibility, these old-school techniques not only lead to damaging errors, audit fatigue, and wasted resources — they hinder the ability to sustain impactful growth, prevent compliance from being used to bolster security posture, and limit a company’s potential to scale effectively against competition.
Use a Compliance-as-a-Growth-Accelerator Framework Instead
To make it through the trials that come with remaining compliant during hyper-growth phases, companies need to rethink their model. This means accepting a new perspective, looking at what compliance can do for their business and how it can be used strategically instead of only serving as a pesky formality.
By taking a Compliance-as-a-Growth-Accelerator Approach (CaaGA), companies can build mature compliance programs that establish connective tissue between frameworks and effort. With a panoramic, 360-degree perspective, compliance can become a way to sustain dynamic growth instead of a tedious, dreaded roadblock.
The Compliance-as-a-Growth Accelerator approach is all about reshaping compliance as a catalyst to enhance and drive growth. Specifically, this new model:
- Takes the effort done for each framework and applies that extracted information seamlessly and in the background to further frameworks, drastically reducing the time and energy expended. It also establishes an underlying fabric with which compliance posture can be monitored and understood, and provides a centralized hub to remediate issues at scale so that control posture can be continuously maintained.
- Provides the right controls and measures to meet current business and/or product needs, as well as any future requirements. By anticipating additions and changes to the business and product roadmaps, compliance controls can be added incrementally and then cross-mapped to meet these new frameworks seamlessly.
- Facilitates seamless adjustments to new policies and regulations, whether due to a new use case that now requires HIPAA compliance, the need to become compliant with SOX in case of an IPO, or the need to add SOC 2 or ISO 27001 to enter a new market.
- Anticipates a rapidly evolving tech stack. Many compliance approaches use a prescriptive model, one that assumes a company’s tech stack is relatively limited. While this can work for young startups, which typically use a similar and narrow group of tools and platforms, it’s not the right fit for hyper-growth companies whose tech stack is constantly evolving and becoming more varied and unpredictable.
Leveraging Compliance as a Way to Succeed
The hyper-growth landscape is on fire today; the funding taking place at cloud-first companies is constantly breaking new records and the number of companies looking to go IPO grows with each month. Through a Compliance-as-a-Growth-Accelerator perspective, companies can expand faster, capture greater market share, earn more credibility, and leverage compliance as a way to succeed in today's competitive landscape. By adopting a CaaGA approach, compliance is no longer an enemy. Instead, it becomes a trusted ally that supports the organization and provides guidelines for compliance and security maturity.