Many startups only consider compliance when they have a catalyst. A client that requires SOC 2, or when the first security questionnaire hits the inbox. At that point, it's too late to set your company up for success.
Our approach - Implementing security practices from day 1
When we started Portable as a data integrations company, we knew that security, privacy, and compliance would live at the core of our business. If we could implement a strong culture, a suite of processes, and organized controls from day 1, we would have a foundation to innovate and a framework to constantly improve our security controls.
Where did we start? Datavant's quick-start guide
We had worked closely with Travis May before he started Datavant. When we read Datavant's Quick-Start Guide to Compliance for Startups, it provided a phenomenal framework to approach security as a startup.
What did we like about Datavant's guide?
- They shared their approach. Security is a complex topic, overwhelming at times, and difficult to organize into a structure, especially without a clear starting point. Datavant provided a clear place to start the journey.
- They kept it simple. There are countless ways to approach security. The first two bullet points in Datavant's quick-start guide resonated with us: 1) "Building compliance into your culture", and 2) "Why starting early matters".
Portable's ideas for improvement - building on Datavant's framework
Obsession - Become dogmatic
- Start even earlier. From day 1, we knew we were a data company, so we started on security. Before we even had a product, we made sure we understood the audit frameworks, best practices, and how we could build security into our business at the ground floor.
- Add too much structure, and then streamline. It's always easier to start rigid and add flexibility vs. going the other direction. We started by defining overly restrictive policies, procedures, and controls based on the best practices we had seen at the largest enterprises, and then we reviewed and streamlined everything around our particular business requirements.
Rationalization - Set concrete rationale
- Define the business rationale. You always need a clear reason to make prioritization decisions. For us, we have two core business reasons to prioritize security: 1) it allows us to unlock larger enterprise deals faster, and 2) it will save us significant time and money not needing to retroactively add controls on top of a system that already exists.
- Pick an audit to work towards. Unlike Datavant, we didn't have immediate goals to enter the healthcare ecosystem, so HIPAA wasn't our objective. Instead, we have structured our Information Security Management System (ISMS) with the intentions of undergoing a SOC 2 Type 2 audit. By reading 10+ SOC 2 Type 2 reports, dissecting them and organizing our ISMS accordingly, we have a clear path towards our objective.
- Summarize everything into a client deliverable. We reviewed websites and security documentation from other integration companies and started organizing our takeaways into an 8 page summary that discusses our security posture, narrative, and key controls. This process helped us to distill what truly matters to our company and to our clients. The highest level summary can be found here.
Education - Talk to experts
- Meet vendors. One of the best ways to learn about security best practices is to get demos, ask questions, and understand how experts approach the problem. Within 3 months of starting Portable, we were getting demos of IT management platforms, exploring tools to streamline the SOC 2 process, reviewing pen testing reports, and talking with consultants about best practices.
- Find off-the-shelf examples. In addition to finding SOC 2 Type 2 reports and audit templates online, you can also find example policies, procedures and controls across the web. Many colleges and universities make their security policies public, and the SANS institute is a foundational resource for understanding the possibilities.
**Organization **- Policies, procedures, and controls
- Define your objectives. We created a target list of controls we wanted to have in place. To do so, we pulled a list of potential policies, procedures, and controls from SOC 2 reports we found online. We then deduplicated the list, found the most relevant items, and set out to engrain them in our organization.
- Find the gaps. Once we knew our objectives, we found the gaps. Based on the items we wanted to have in place, we identified the policies we were missing, we found procedures we needed to define, and we created a list of the technical controls we would need to implement.
- Create policies, update processes, and add controls. With a clear sense of the gaps between our current state and where we wanted to be, we set out adding policies, defining processes, and ensuring we had truly incorporated our desired controls into our ISMS and our organization. We started with templates we found online. We then iterated based on our actual objectives, our culture, and the particular technologies we have in place.
**Formalization **- Tools and tips
- Update your values. If security is core to your business, every new hire and every client should know it. We updated our values, adding two things: 1) our first value is now 'Always Protect the Data', and 2) we defined privacy principles that are listed alongside our company values. Thanks to Datavant for the idea of adding privacy principles!
- Start tracking IT assets. As we learned more and more about security, it became overwhelmingly clear that we would need a clear view into all of the IT assets (SaaS tools, engineering systems, laptops, etc.) at our company. We kept it simple by tracking a list of our IT assets in a Google Sheet. We track things like: 1) description, 2) lifecycle, 3) who has access, 4) is MFA enabled, 5) what data is stored, 6) links to vendor security documentation, and more. We add new tools as we set them up, and we review the list on a regular basis.
- Assign ownership and track last reviewed dates. None of the above matters if you don't have clear ownership. Our ISMS has an owner (me, the CEO). And our policies, procedures, and controls each have an owner. Additionally, we need to keep things fresh - so we added a 'Last Reviewed Date' alongside the owner for each item. This allows us to know what we need to review and when.
Repetition - Make It Stick
- Quarterly security day. If you do all this work, and then put things on the shelf, it's useless. At Portable, we have 'Quarterly security day' on the calendar every 3 months. Owners review everything, we evaluate changes to the market and to our business, we create tickets for work that needs to be done. To create strong habits, we actually conducted 'Quarterly security day' on a monthly basis for the first quarter - it helped to keep things top of mind, and it was the perfect way to streamline the whole process.
- Stay up to date. We use tools to review our codebase, cloud monitoring solutions for vulnerabilities, tickets to track issues, and a #security Slack channel to discuss things in the news