A couple of weeks ago, our founder Sam Li and Steve Schultz from AWS hosted a webinar for the YC Winter cohort on Day One Security & Compliance. The webinar covered what founders should do (and not do) early in the product lifecycle regarding compliance. As a startup founder and compliance expert himself, Sam has some tips for founders.
Before Getting Started
Sam suggests that startup founders get educated on the unknowns. What compliance frameworks are you likely to have to be compliant with? What will your customers ask for? What data will you hold, and which industry will you be in?
If you hold or transfer data (like most tech companies), compliance will be critical to your growth trajectory. Expect prospects, partners, and investors to ask about your information security. Remember, a culture of security and data privacy comes from the founders.
Some compliance practices may seem like overkill for a small business. But just like your company culture, compliance isn’t built in a day. Get into the habit of separating production and development environments early, and apply the principle of least privilege to who and what can access each. We’ve found that building a healthy foundation of compliance into your business from the start goes a long way.
Get Familiar with Common Frameworks
There are several common compliance frameworks for information security, privacy, and risk reduction. Sam recommends getting familiar with them so you can choose the one that is relevant to you, particularly because some of the frameworks overlap: investment in one will get you a long way in another, as with SOC 2 and ISO 27001.
The five most common frameworks:
- PCI DSS: Framework that ensures that businesses who process, store, or transmit credit card information maintain and demonstrate a secure digital environment
- HIPAA: These standards address the use and disclosure of individuals’ health information by covered entities, e.g. healthcare providers and clearinghouses, health plan entities, and business associates
- SOC 2: Examines service providers to ensure they are securely managing third-party data to protect information and ensure privacy
- ISO 27001: Best practices for information security management systems. These standards were designed to be applicable to global businesses, to assess and treat threats and vulnerabilities
- GDPR: Passed by the European Union to address the collection and processing of individuals’ personal data
If you’re not sure which framework is right for you, we’ve got you covered. Laika built a Compliance Quiz to help you find the most relevant framework or certificate for your company.
Use Tech Partners for Heavy Compliance Lifts
In the early days, transfer as much compliance risk as you can to partners. Well-established organizations like AWS and Stripe add a layer of protection with built-in security and compliance.
- Use Stripe to fulfill PCI requirements. Level 1 PCI is a self-audit, so you don’t need to invest too deeply.
- Leverage AWS (or other managed services) to handle security requirements such as instance and database encryption, logging, and monitoring.
- Consider tokenization solutions for handling sensitive data such as Social Security numbers (SSNs), so your own systems never store the raw values.
Sam’s Mistakes to Avoid
Finally, Sam has some parting words of advice. Don’t view compliance as transactional. It’s easy to get caught up in paying for a certification or an audited report, but taking shortcuts or putting on band-aids will cost more in the long term. The bigger your business grows, the harder it will be to implement the required security controls and build a culture of compliance from scratch.
Build best practices into your organization from the start, avoid any embarrassing mishaps or breaches, and build trust with partners, investors, and customers. You can thank us later.