Compliance! Everyone’s favorite topic. There are plenty of articles about compliance benefits that typically cite building customer trust, improving quality and avoiding breaches and their consequences. In addition to those solid reasons, for this post let’s get down to business by describing the tangible benefits of compliance for a late-stage SaaS startup. Keep reading if:
- You’re a SaaS company hearing questions from your customers about a SOC 2 report, an ISO 27001 certification, or a FedRAMP authorization.
- Your website analytics indicate that the content on your “security story” or “privacy policy” pages may be turning potential customers away.
- Or… maybe you don’t have pages that describe your approach to security and privacy at all.
- Your staff is increasingly spending time completing vendor questionnaires instead of building your product.
Compliance frameworks share a similar purpose and outcome, which is an opinion on the maturity and effectiveness of your company’s operations from an independent third party. Put simply, this means that your customers gain assurance that you can keep their data and their customers’ data safe.
Compliance Benefits
While compliance has a cost, it should also be recognized as an investment. Here are some great upsides applicable to you as a SaaS builder:
- Open Up Your Total Addressable Market — A significant portion of your total addressable market will require demonstration of your compliance before allowing you to manage their sensitive data. Some of these folks may be satisfied with your answers on a security questionnaire, but increasingly you’re going to be turned away without a compliance certification.
- Boost Your Valuation — Your acquisition offer will consider the size of the market you can access with your service. Your compliance program will be a powerful negotiation tool.
- Grow Peer Revenues — You might be focused on the direct, “vertical” customer revenue currently blocked by your lack of compliance. But additionally, other companies who are either compliant or working on their compliance may want to include your platform in their solution. Some frameworks allow a company to leverage another company’s compliance.
- Shorten Your Acquisition Time — The main goal of preparing for compliance is to transform your tribal knowledge into a repeatable, improvable program. Documenting what you do and how you do it is useful for due diligence review. An acquiring company is concerned about risk, and your documented understanding of your company’s risk posture goes a long way.
- Shorten New Hire Onboarding — You’re growing. How long does it take you to onboard a new hire? How long do they need to shadow current staff before they can perform on their own? If you’re operating on tribal knowledge, this step alone can cause unnecessary disruption to daily ops.
The Real Scope is More Than InfoSec
Compliance isn’t just something for your technical team to handle. It forces you to define and document your processes, who is responsible for defining the process, who should execute it, and how you can demonstrate that the process was followed. Examples include:
- Communicating your company’s mission and objectives to your employees
- Managing, measuring, and growing your employees
- Provisioning and deprovisioning credentials
- Procuring tools you want to incorporate into your platform (code repos, bug tracking, security services, and beyond)
- Monitoring and responding to security events
- Performing changes to your platform
Get Started Now
We get it — startup life is crazy hectic. But as your team grows, the assumption that everyone knows what to do and how it should be done grows weaker. If you’re already seeing signs of people repeatedly pioneering their own path or duplicating work, it’s time to tackle this step.
Starting your journey armed with defined processes will help decrease the time required and ease the pain. Documentation templates (of varying quality) are widely available, but only your team can document how they do what they do each day.
Be aware of the commitment by understanding:
- This is a significant undertaking that will touch nearly all aspects of your business — it’s not just for the security team.
- The scope includes how you manage the platform, not just the platform itself.
- The journey can take several months to complete, even beyond a year.
- After you become compliant, you need to plan for ongoing resources to remain compliant.
- And many more…
But don’t fret. You may be further down your path than you realize. Coming up, we’ll share field notes and observations about customers who have been pleasantly surprised to learn they are already doing many of the right activities. Much of compliance boils down to common sense.
How is your compliance program coming along? We’d love to hear from you in the comments.