Gaining actionable insights for startups navigating the complex world of security and compliance
DuploCloud participated in a collaborative event at Digital Garage in San Francisco with Founder's Village, aimed at helping technology startups untangle the intricacies of security and compliance. The fireside chat panel, moderated by Cheryl Cage from the AWS Global Security and Compliance Acceleration (GSCA) partnership team, featured compliance experts Patrice Peyret from Financial Strides, Chuck Yu from VGS (Very Good Security), and our own Venkat Thiruvengadam from DuploCloud.
Together, our experts delved into five essential topics, providing valuable insights to provide key security and compliance insights. To make the information easily accessible, we've compiled a summary and a video highlighting the key takeaways from the panel discussion. Explore these condensed insights and learn from the expertise our panelists brought to the table:
Topic 1 - Building a solid compliance foundation
As startups kick off their compliance journey, it's crucial first to grasp the frameworks and regulations specific to their industry and business model. This way, they can concentrate on the correct compliance requirements and resource allocation. Prioritizing key areas like securing back-end infrastructure is a must, as is evaluating the team's expertise and filling any knowledge gaps.
First, start with the right framework, as there are substantial differences between them, like PCI and others. Next, understand the investment and efforts needed. Then, assess your subject matter expertise and identify the tools, software, and people required to assist you in your compliance journey.
Venkat Thiruvengadam
CEO, DuploCloud
Picking the perfect cloud provider is vital since it affects compliance and security. Therefore, startups should carefully choose cloud technologies per their compliance objectives. In short, being proactive and tackling the problem early on allows startups to establish a robust foundation for security and compliance.
Topic 2 - How to differentiate between security and compliance
Security involves implementing configurations and controls to safeguard systems and data from threats, while compliance refers to adhering to prescribed regulations and standards to fulfill certain requirements. Compliance standards outline a set of controls organizations must implement to meet framework requirements, including security measures, privacy, data retention, and customer rights.
Driven by legal or regulatory requirements, compliance is typically overseen by a dedicated function, whereas security, being more technology-focused, is managed by the technology team. Both areas are interconnected, with compliance helping to ensure that security measures are in place and effective.
However, security and compliance require different organizational skill sets and practices. By understanding their unique characteristics and harmonizing security and compliance efforts, organizations can build robust defenses, reduce risks, and meet the expectations of regulators, customers, and stakeholders.
|Topic 3 - Startup staffing for security and compliance
When building a startup's security and compliance program, it is common for the CEO to take on multiple roles, including those related to compliance and security. However, startups should also be aware of industry-specific requirements, such as needing a dedicated compliance officer in the financial services sector. As the company grows, the responsibility of compliance and security can be distributed among specialized roles within the organization.
To effectively manage compliance, it is crucial to divide duties into technical and non-technical aspects. The engineering team can handle the technical elements, while non-technical tasks can be outsourced to part-time Chief Information Security Officers (CISOs) or compliance officers. This division of labor allows startups to address compliance's technical and procedural components efficiently.
Compliance and security are not one-time tasks that can be addressed in a sprint or a six-week cycle and then forgotten. From the very beginning of your planning, as you build your company, consider making a consistent and steady investment that grows in these areas, ensuring ongoing vigilance and adaptation.
Chuck Yu
CTO, Very Good Security
Finally, an essential piece of a robust security and compliance program is the creation of an in-house Incident Response Team (IRT). Startups should conduct tabletop exercises to train staff and foster a security-conscious mindset across all departments. By rotating IRT responsibilities among team members, startups can ensure broad involvement and a shared understanding of security and compliance expectations.
|
Topic 4 - Common security & compliance misconceptions
One major misconception when building workloads for security compliance is the belief that relying on cloud providers like AWS alone ensures security. In reality, organizations must be responsible for their part of the stack, ensuring the security of all aspects of their service, including mobile apps.
By thoughtfully architecting your systems to check all compliance boxes, you can turn a potential weakness into a selling point. With ongoing attention and maintenance, compliance becomes an integral yet manageable aspect of your business operations.
Chuck Yu
CTO, Very Good Security
Another misconception is that compliance is excessively costly and will hinder growth and development. Compliance can become a strength and competitive advantage in the market with appropriate instrumentation and tooling.
Lastly, organizations should not assume that passing an assessment or certification automatically guarantees total security. Compliance standards may not always be prescriptive, so taking personal ownership and responsibility for compliance and security is crucial. In addition, understanding all risk areas, including mobile apps and front-end security, is essential for maintaining a secure and compliant environment.
Topic 5 - Why compliance is more than a checkbox
Compliance is more than a checkbox activity as it demands a proactive mindset to identify and address potential risks. Employees should consider possible issues like account takeovers and implement necessary measures, such as device binding in fintech apps. Employees can better understand the importance of continuous vigilance by providing concrete examples.
Compliance is crucial for startups, particularly venture-backed ones, as any violations or breaches can negatively impact their ability to raise funds. In addition, security or compliance incidents can overshadow a company's strengths and innovations, forcing them to spend valuable time explaining the breach and its consequences instead of discussing their innovative ideas with investors. This highlights the importance of treating compliance as an ongoing, long-term commitment rather than just a one-time achievement.
Finally, security controls should be continuously monitored to ensure their effectiveness. Employees must pay attention to alerts and attention to security controls, which can create security gaps and increase vulnerability to breaches. Ignoring these issues and treating compliance as a mere rubber stamp can lead to severe consequences, including penalties, misrepresentation lawsuits, or accusations of willful neglect. Companies must maintain compliance standards once established and consistently work to improve their security posture.
It’s important to emphasize to your team to stay vigilant even after auditors have said you're good to go with a compliance standard, by continuously evaluating potential issues and using concrete examples to effectively illustrate possible risks.
Patrice Peyret
Financial Strides
During the Compliance Alliance fireside chat, DuploCloud along with other industry experts discussed the importance of building a solid compliance foundation, differentiating between security and compliance, effective staffing strategies, common misconceptions, and treating compliance as a long-term strategy. The key takeaway is that startups must proactively address security and compliance early on to build a strong foundation and reduce risks.
For startups interested in security and compliance, understanding the steps to get to compliance is a crucial step toward building a strong foundation for your business in the cloud. Check out our comprehensive SOC2 checklist that breaks down the process step by step, providing valuable tips to speed up your time to market while maintaining the highest level of security. Download here:
