Last month, we held our inaugural event at Digital Garage in San Francisco in collaboration with Founder's Village. The event’s fireside chat panel focused on helping technology startups navigate the complexities and unknowns of security and compliance. Cheryl Cage from the AWS Global Security and Compliance Acceleration (GSCA) partnership team moderated the discussion. It featured compliance experts Patrice Peyret from Financial Strides, Chuck Yu from VGS (Very Good Security), and Venkat Thiruvengadam of DuploCloud.
Our experts shared valuable insights on five key topics, and we've compiled a summary accompanied by a video to help you quickly find the information you're seeking. Dive into these takeaways and discover the expertise our panelists had to offer:
Topic 1 - Building a solid compliance foundation
As startups kick off their compliance journey, it's crucial first to grasp the frameworks and regulations specific to their industry and business model. This way, they can concentrate on the correct compliance requirements and resource allocation. Prioritizing key areas like securing back-end infrastructure is a must, as is evaluating the team's expertise and filling any knowledge gaps.
"First, start with the right framework, as there are substantial differences between them, like PCI and others. Next, understand the investment and efforts needed. Then, assess your subject matter expertise and identify the tools, software, and people required to assist you in your compliance journey." Venkat Thiruvengadam, CEO, DuploCloud
Choosing the right cloud provider is vital, since that choice shapes both compliance and security. Startups should therefore select cloud technologies in line with their compliance objectives. In short, being proactive and tackling the problem early allows startups to establish a robust foundation for security and compliance.
Topic 2 - How to differentiate between security and compliance
Security involves implementing configurations and controls to safeguard systems and data from threats, while compliance refers to adhering to prescribed regulations and standards to fulfill certain requirements. Compliance standards outline a set of controls organizations must implement to meet framework requirements, including security measures, privacy, data retention, and customer rights.
Driven by legal or regulatory requirements, compliance is typically overseen by a dedicated function, whereas security, being more technology-focused, is managed by the technology team. Both areas are interconnected, with compliance helping to ensure that security measures are in place and effective.
However, security and compliance require different organizational skill sets and practices. By understanding their unique characteristics and harmonizing security and compliance efforts, organizations can build robust defenses, reduce risks, and meet the expectations of regulators, customers, and stakeholders.
Topic 3 - Startup staffing for security and compliance
When building a startup's security and compliance program, it is common for the CEO to take on multiple roles, including those related to compliance and security. However, startups should also be aware of industry-specific requirements, such as needing a dedicated compliance officer in the financial services sector. As the company grows, the responsibility of compliance and security can be distributed among specialized roles within the organization.
Dividing duties into technical and non-technical aspects is crucial to effectively manage compliance. The engineering team can handle the technical elements, while non-technical tasks can be outsourced to part-time Chief Information Security Officers (CISOs) or compliance officers. This division of labor allows startups to address compliance's technical and procedural components efficiently.
"Compliance and security are not one-time tasks that can be addressed in a sprint or a six-week cycle and then forgotten. From the very beginning of your planning, as you build your company, consider making a consistent and steady investment that grows in these areas, ensuring ongoing vigilance and adaptation." Chuck Yu, CTO, Very Good Security
Finally, an essential piece of a robust security and compliance program is the creation of an in-house Incident Response Team (IRT). Startups should conduct tabletop exercises to train staff and foster a security-conscious mindset across all departments. By rotating IRT responsibilities among team members, startups can ensure broad involvement and a shared understanding of security and compliance expectations.
Topic 4 - Common security & compliance misconceptions
One major misconception when building workloads for security compliance is the belief that relying on cloud providers like AWS alone ensures security. In reality, organizations must be responsible for their part of the stack, ensuring the security of all aspects of their service, including mobile apps.
"By thoughtfully architecting your systems to check all compliance boxes, you can turn a potential weakness into a selling point. With ongoing attention and maintenance, compliance becomes an integral yet manageable aspect of your business operations." Chuck Yu, CTO, Very Good Security
Another misconception is that compliance is excessively costly and will hinder growth and development. Compliance can become a strength and competitive advantage in the market with appropriate instrumentation and tooling.
Lastly, organizations should not assume that passing an assessment or certification automatically guarantees total security. Compliance standards are not always prescriptive, so taking personal ownership of and responsibility for both compliance and security is crucial. In addition, understanding all risk areas, including mobile apps and front-end security, is essential for maintaining a secure and compliant environment.
Topic 5 - Why compliance is more than a checkbox
Compliance is more than a checkbox activity: it demands a proactive mindset to identify and address potential risks. Employees should consider possible issues like account takeovers and implement the necessary measures, such as device binding in fintech apps. Providing concrete examples like these helps employees understand why continuous vigilance matters.
Compliance is crucial for startups, particularly venture-backed ones, as any violations or breaches can negatively impact their ability to raise funds. In addition, security or compliance incidents can overshadow a company's strengths and innovations, forcing them to spend valuable time explaining the breach and its consequences instead of discussing their innovative ideas with investors. This highlights the importance of treating compliance as an ongoing, long-term commitment rather than just a one-time achievement.
"It's important to emphasize to your team to stay vigilant even after auditors have said you're good to go with a compliance standard, by continuously evaluating potential issues and using concrete examples to effectively illustrate possible risks." Patrice Peyret, Financial Strides
Finally, security controls should be continuously monitored to ensure they remain effective. Employees must act on alerts and keep security controls in working order; neglecting either creates security gaps and increases exposure to breaches. Ignoring these issues and treating compliance as a rubber stamp can lead to severe consequences, including penalties, misrepresentation lawsuits, or accusations of willful neglect. Once compliance standards are established, companies must maintain them and consistently work to improve their security posture.
The Compliance Alliance, a collaboration between security and compliance providers, is dedicated to educating and elevating the conversation about all things compliance and security.
We look forward to hosting future webinars and in-person thought leadership events that continue to inspire learning and connection. You can stay connected with us by following the Compliance Alliance on LinkedIn and subscribing for updates.