Protecting user data has become an integral part of building trust with customers. With data privacy legislation changes deeming Google Analytics illegal in parts of the EU, the likes of LinkedIn experiencing massive data breaches (over 700M records), and security vulnerabilities like Log4j still being patched, people are more concerned than ever about how companies gather and store their personal information. And rightly so.
For software companies like Knak, which serves other businesses, there’s a growing need to mitigate these risks. It’s why we prioritized becoming SOC 2 Type 2 compliant as we ramped up for a period of hypergrowth.
While this may seem like an unusual step for a startup that doesn’t touch sensitive healthcare or financial data, we knew it was the right thing to do both for ourselves and for our customers. Now that we’re officially compliant, here’s the story behind how and why we did it.
First things first: what is SOC 2?
SOC 2 is a voluntary compliance framework that was set up by the American Institute of Certified Public Accountants. It was designed primarily for cloud-based service organizations (so, SaaS companies like Knak), and it includes controls and procedures for keeping corporate and customer data safe. Basically, if you’re storing, accessing, or processing customer data, the SOC 2 framework can help you build a tangible security program that results in a verified report you can share with your clients.
With me so far? Great.
Companies working towards this type of security compliance need a third-party auditor to review a long list of business and technical activities to make sure the company meets all of the framework’s requirements. Specifically:
- Vulnerability management
- Asset management
- Access management
- Security policies and training
- Vendor management
- Data classification and handling
- Infrastructure and application security
(To name a few.)
What led Knak to SOC 2
As with many B2B SaaS startups, one of the main drivers that prompted us to build our security program on an industry-recognized security framework was that our large enterprise customers needed us to do it. Why? Since the global pandemic began, organizations have reported an 81% increase in cyber attacks. Enterprise companies are under more regulatory pressure than ever to secure their customer data, and part of that means making sure that vendors (like Knak) have all the right security controls and features in place. In other words, every time our clients bring on a new provider, they have to assess whether that provider poses a security risk. By being aligned with the SOC 2 framework, we make it much easier for our customers to do that.
Here’s how we got there
For companies that have a basic security program in place, quickly setting up a SOC 2-compliant program can feel like ramping up from walking three kilometres every other day to running a marathon in less than a year. It takes a lot of work and commitment from all business units across the company.
From the moment we started focusing on SOC 2 full time to the time we got our attestation, we spent seven months establishing secure practices and processes, working with our audit partners, and forcefully encouraging our team to get (and stay) on board. Here are some of the key learnings we gathered along the way.
Keep your leaders close
When it comes to SOC 2 compliance, each department will have a different area of interest in making it happen — and it’s important to understand what these are.
- Your CEO wants to protect your customers and also ensure the team’s time is used as efficiently as possible.
- Your CRO wants to close deals faster, which is difficult when the vetting process includes long security questionnaires that you can’t answer with ease.
- Your CTO wants to make sure that their software engineers and developers can focus entirely on shipping the app and its features.
- Your head of HR wants to have comprehensive employee training materials and policies.
SOC 2 compliance helps address all of those needs, and gives each department something that’s in it for them (other than knowing the company is more secure).
Tie everything back to your core values
At Knak, we have ten core values that guide how we do things both internally and for our customers. Any time we announced a change or an initiative under the SOC 2 compliance project, we always connected it back to at least one of those values. This was an important change management effort as it gave our teams clarity around how this project aligned with what we stand for as a company.
Don’t be afraid of over-communicating
Another big step we took to keep the team engaged was to be as transparent as we could about what we were doing and why we were doing it. We shared regular updates throughout the seven months, indicating how each step might impact the way a team or individual worked. There were also regular onboarding sessions to get people up to speed, including in-depth meetings with new hires that provided an overview of the project and where we were at.
We also created entertaining nicknames and leveraged the almighty power of a well-timed pun to bring some fun to security.
Leverage partnerships and technology
Remember, you don’t have to go through this alone. We worked with audit partners from Schneider Downs, who guided us as first-timers with regular check-ins and by answering all of our questions. We also relied heavily on a security compliance automation tool, Drata, which made it possible to hit our aggressive timelines by automating a ton of evidence collection, educating us on the SOC 2 framework, and showing us how we were progressing in real time.
The value of staying secure
Getting our SOC 2 attestation was a huge deal for us. It’s given our team and our customers peace of mind in our security posture. Plus, when it came time for us to raise funding this year, it was awesome to be able to reassure our investors that we were meeting industry standards from a security standpoint.
Moving forward, we’re committed to keeping on meeting our customers where they are and upholding security standards within our industry.
To learn more about Knak’s robust security measures, check out our Security page.
The post We’ve reached SOC 2 Type 2 compliance, with zero findings. Here’s why we did it. appeared first on Knak Blog.