Christina Cacioppo, Vanta’s CEO and Co-Founder, talked with Chris Evans, Co-Founder at Incident.io, about security strategies to help startups get secure from the start and stay compliant in order to focus on growth. They discussed how to instill a culture of security that doesn’t slow your team down, how to automate security, when to pursue a security certification, and more.
Christina and Chris walked through the five rules of thumb for building a secure product, breaking down the principles through the lens of Incident.io’s perspective.
1. Start doing things early, even if you don’t do them perfectly
As a startup, your company is likely launching by selling its product to small customers. As you grow and start to work with bigger companies, they tend to require greater levels of assurance over the security practices your company promises. Implementing strong security practices sooner rather than later will help your company scale in the future — and if you set up these processes correctly you’ll save your team time in the long run.
Chris noted that at Incident.io they started thinking early on about auditability and evidencing, and having robust processes in place for everything they do. It was critical for the Incident.io team to build good rails to ship things safely to production. The byproduct of good rails is the ability to show evidence of the procedures you’ve put in place, and to demonstrate to your customers that you’re thinking about security.
2. Codify as much as you can (yes, literally in code)
In the startup environment, the priority is generally to ship fast and to optimize around efficient delivery. Codifying practices up front might not seem to make sense when you’re pre-product and pre-customers, but as you start to grow you’ll find that you need to backfill. As Chris says, “If it moves and can be defined in code, do it.” There are operational benefits as well as secondary effects to this approach. Implementing a culture of security with auditable practices serves your company well whether you’re going through a compliance certification audit or an engineer on your team simply wants to know what happened: they can look through code changes and pull requests to find the answers they’re looking for.
Codification also comes into play when you’re onboarding new team members. Successful codification of policies and practices across the company means that team members are following those practices from day one.
As Chris noted, policy development can go awry when companies find that they’re creating policies to pass an audit, without real consideration of how those policies will be executed. It’s important to capture how processes actually need to be carried out, in language that fits your company. In other words, your goal is to codify practices and policies in ways that are pragmatic, meet compliance goals, and are actually used by the people on your team.
3. Track people as well as you track things
Security is non-negotiable, and you want everyone at your company to appreciate this. It is impossible to code people to do things in a certain way; however, it’s possible to tackle security and compliance in a way that makes it easy for people to do the right thing. If your company puts systems in place for employees to follow from the get-go, then no one is faced with making an individual choice about security.
It’s also key to avoid setting up security practices in ways that become barriers to people getting things done. If your systems are too complicated, people will find workarounds — and you’re back at square one. Instead, work to establish practices such that security fits into the day and doesn’t add a lot of friction. Companies might consider following Incident.io’s lead by creating a way for employees to flag when security is making their job more difficult. Bringing those friction points to the fore when they appear, and finding workable solutions, means improving security while keeping it sustainable company-wide.
You’ll also need to review and update processes in a proportional way as your company grows. As Chris noted, what works well for a company with five employees will need to shift with 15 employees, and shift again at 50, with companies reassessing and recalibrating their culture of security at those inflection points.
4. Centralize and assign ownership
Christina and Chris also discussed how fragmentation is the enemy of productivity. The broader your tech stack and the more people doing different activities across an organization, the harder it is to make organization-wide changes. Startups that strive for consistency and uniformity in their practices will find that they can roll out changes and updates across the whole organization at once.
Chris noted that employees may want to adopt new tools in order to move fast and meet short-term outcomes. To bring this conversation to teams in the moment, Chris suggests acknowledging employees’ good intentions while explaining local versus global optimization: there are security benefits to the whole organization if software and services are used and supported at the organizational level rather than at the team level.
5. Think about demonstrating your security with a SOC 2
SOC 2 offers the opportunity both to signal and to prove to your customers that you’ve done your due diligence and that you’re thinking about security practices in the right way. Companies will also find that when selling to the enterprise, there is a size of company for which the standardization of the SOC 2 is a necessity.
At Incident.io, the team valued the SOC 2 process of having an external auditor challenge their practices; it can be easy to miss obvious things, and it’s a benefit when someone comes in and spots something you might have missed. Those challenging moments point to opportunities to build stronger security practices that are ultimately better for customers.
After getting their SOC 2, Incident.io noted that the process changed the way they think about auditability and evidencing. Their key takeaway: it’s important not just to do things well, but to demonstrate that you are doing things well. Customers care that you are doing this, and SOC 2 serves as the proxy to communicate these qualities to your customers.
For a deeper dive, watch Christina Cacioppo and Chris Evans dig into the details during their session Secure from the Start, part of the LAUNCH Jam Session series.