As your software company matures, there will come a time when you must put on the big girl (or is it big boy:) pants. This phase, which encompasses all aspects of your company, is really about letting the world know that you're serious about doing business. In terms of security and compliance, this stage nearly always requires that you show the world that they can trust you with their data.
In a previous blog post, we unpacked the difference between security and compliance, as well as why compliance is required for SaaS. We also described why 3rd-party compliance standards and certifications exist, and mapped the major security compliance standards to different types of software industries or businesses. Please check that post for reference.
Now, there's the common problem of security compliance certifications being expensive and time-consuming. This is due to the nuances of each standard and its certification process, which requires subject matter expertise in crafting and deploying the security policies enforced by the standard. Additionally, the expectations of each policy must be accurately reflected in the daily operations of the company for certification to be feasible. Finally, the combination of policies and evidence of execution must be compiled for an external auditor (who wasn't involved in policy creation or execution) to review prior to certification.
What does all that mean? Certifications like ISO27001 or SOC2 Type 2 could take companies 6 months to a year to achieve. Financially, since most maturing companies require security consultants to help them prepare for certification, the cost of certification preparation plus the final audit can easily cost around $100,000.
A Cheaper Way?
A couple of years ago, a few entrepreneurs began to ask: how can automation simplify this process and reduce the cost? As often happens, one of the first movers was a founder who had experienced firsthand the frustration of preparing for security compliance certifications manually: Christina Cacioppo founded Vanta. Soon after, products like Drata, SecureFrame, and Very Good Security Control took the stage.
Automation Meets Security Compliance
The primary aim of the four companies listed in the previous section, and others like them, is to apply automation and her sister process, curation, as much as possible, to reduce the work and thus the cost of achieving or maintaining compliance certification.
The objectives of those companies and their products are as follows:
Curate Security Policy Sets for different compliance standards - ISO27001, SOC2, HIPAA, PCI-DSS, GDPR etc. such that companies can access, use, and customize policies, without the need to write them from scratch.
Automate Testing of SaaS Infrastructure for Compliance against the technical requirements of compliance standards.
Automate Generation of Compliance Evidence wherever possible by leveraging the output of automated tests, in preparation for audit.
Automate the Assignment of Operational Policies to Employees, so they are able to sign a commitment to follow the expectations of the policy.
Provide A Vetted Pool of Auditors to simplify the last step in the compliance certification process. (At present, only Vanta provides this service)
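To make the "automate testing" and "automate evidence" objectives concrete, here is an added illustration (not code from any product named in this post) of what such a check runner does at its core: it walks a resource inventory, evaluates each resource against a few technical controls, and emits one evidence record per control. The inventory, the resource shapes and the control names are all constructed assumptions; note that a resource type the runner has no check for (the edge device) is recorded as NOT_TESTED rather than silently passing, which is exactly the coverage gap for hybrid and IoT systems described in the caveats.

```python
"""Toy compliance-check runner over a constructed cloud inventory.
Not a real product's code; resource shapes and control names are assumptions."""
from datetime import datetime, timezone

# Constructed inventory. Real tools pull this from cloud provider APIs.
INVENTORY = [
    {"id": "bucket-logs", "type": "object_store", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "object_store", "public": True, "encrypted": True},
    {"id": "db-main", "type": "database", "encrypted": False, "backups": True},
    {"id": "alice", "type": "user", "mfa": True},
    {"id": "bob", "type": "user", "mfa": False},
    {"id": "sensor-07", "type": "edge_device", "firmware": "2.1"},  # no check exists
]

# Each check returns (control name, passed) pairs. Mapping these names onto the
# clauses of SOC2, ISO27001 etc. is the job of the curated policy set, not shown.
def check_storage(r):
    return [("no-public-storage", not r["public"]),
            ("storage-encrypted-at-rest", r["encrypted"])]

def check_database(r):
    return [("database-encrypted-at-rest", r["encrypted"]),
            ("backups-enabled", r["backups"])]

def check_user(r):
    return [("mfa-enforced", r["mfa"])]

# Resource type -> check function. Anything absent here is outside tool coverage.
CHECKS = {"object_store": check_storage, "database": check_database, "user": check_user}

def run_checks(inventory, now=None):
    """Return evidence records: one PASS/FAIL record per (resource, control),
    plus a NOT_TESTED record for each resource the runner cannot assess."""
    now = now or datetime.now(timezone.utc).isoformat()
    evidence = []
    for r in inventory:
        fn = CHECKS.get(r["type"])
        if fn is None:
            evidence.append({"resource": r["id"], "control": None,
                             "status": "NOT_TESTED", "at": now})
            continue
        for control, ok in fn(r):
            evidence.append({"resource": r["id"], "control": control,
                             "status": "PASS" if ok else "FAIL", "at": now})
    return evidence

def summarize(evidence):
    """Count records by status; NOT_TESTED must be reported, never folded into PASS."""
    counts = {"PASS": 0, "FAIL": 0, "NOT_TESTED": 0}
    for e in evidence:
        counts[e["status"]] += 1
    return counts
```

The NOT_TESTED count is the number an auditor should ask about, since those resources still need evidence gathered some other way.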
With some of these products, the cost of preparing for and achieving compliance certification can be as low as $25,000 - $35,000. The time to certify can also be reduced to as little as three months! But I must also point out that complex systems or systems with little to no security controls in place may take more time or require some consulting help. This takes me to a few caveats that you'll be wise to keep in mind.
Caveats to Keep In Mind
There are some limitations with the state of the art in compliance certification automation.
The automated security compliance testing in today's tools is limited to cloud-based apps and the infrastructure you've deployed with major cloud vendors like AWS, Azure, and GCP. If you have edge IoT devices or a hybrid cloud architecture, today's tools aren't able to integrate with or test such more complex system architectures for compliance. You will need alternative ways of verifying the compliance of such systems.
Usually, there is a yearly cost associated with these tools, i.e. if your $15,000/yr subscription gets you certified in year 1, then to continue using the platform in year 2 for monitoring and maintaining compliance, you'll be paying again. If you can afford it, this could be worth it, since most certifications have an expiry period and your work in recertifying is greatly reduced if you've been monitoring and testing. As an example, ISO 27001 certification expires in 3 years, while SOC2 expires in just 1 year, so you might as well keep your subscription.
Compliance standards like SOC2, ISO27001, GDPR, and HIPAA provide very little to no guidance for software security. Depending on the standard, there is guidance on infrastructure security, network security, data protection, and privacy, but there isn't guidance on how to design and develop your software to be inherently secure and resilient to cyberattacks. Software security is a big piece of the security of your software company and your software platform. You can get certified and still be hacked because your software was not designed or coded securely. But hey, that's why we created the Software Security Playbook.
The Software Security Playbook
Building on decades of securing software at Fortune 50, Fortune 100, and numerous startup software companies, we created the Software Security Playbook to empower software businesses to build and automate security into every single, iterative step of modern software development. Because as we always emphasize... with the world's technology running on software, secure software makes the world a better place for us and our families.
To get access to the Software Security Playbook, please schedule some time for a Free Software Security Assessment using the button below.
Keeping in mind the caveats shared above, if your company is SaaS-based, or if a major part of your architecture is SaaS, we strongly recommend leveraging compliance automation platforms for your certification needs. At Resilient, we have relationships with a number of companies with products in this area and will be glad to meet with you and provide further guidance if there's any way that we can help with your compliance goals.