Everything startups need to know about building a security compliance program

With cybercrime on the rise across the UK and more SMEs being targeted, security is more important than ever before.

Even if you believe your business is secure from data leaks and cyberattacks, if you’re not able to demonstrate this to potential clients, your sales team could be missing out on growth-driving deals. This is especially the case for enterprise clients that often require potential partners to demonstrate compliance with some of the key measures such as ISO 27001 and SOC 2.

All this means that security compliance is no longer a nice to have for UK startups.

Security compliance programs help your organisation identify, implement, and maintain appropriate cybersecurity controls to protect sensitive data, comply with laws and contractual obligations, and adhere to the standards, regulatory requirements, and frameworks needed to protect customers and enable the business to succeed.

Steps for getting started

Step 1: Define your organisational goals and needs

Are you starting the program to close deals? Do you want to proactively demonstrate trust or compliance? More importantly, what are you trying to accomplish and why? After answering these questions, we recommend identifying your desired end state and vetting and aligning this with key stakeholders and their needs. The more granular you can be about your intended goals and desired end state, the easier it’ll be to work backward towards your objectives and bring others on board as well.

Before worrying about which standard to implement or what tools to buy, it’s critical to ensure these goals are doing more for the organisation than just unblocking deals or solving one problem.

At Vanta, we leverage our compliance efforts as force multipliers wherever possible. For instance, a known compliant process in one business unit could potentially be adapted to work in another, which could streamline cross-functional work and alignment across different projects.‍

Step 2: Define your roadmap and timeline

Consider breaking your timeline down into specific milestones you’ll be able to track and work toward. In addition, think through whether there are any dependencies you’ll need to account for and how they relate.

This step should include identifying the answer to questions such as:‍

• What are our known technology needs or gaps?
• Do we expect we will need to invest in some additional tooling or support?
• Do we have an understanding of the technical demands of where we want to go?
• Do we build, buy, or partner?

‍For instance, if you’d like to build and are planning to hire for the role, consider whether you need someone who’s more of a manager who can set direction or someone who’s willing to roll up their sleeves as a doer. This is especially important for a foundational role like your first compliance hire.

If you opt to buy or partner, consider whether using services such as a virtual CISO (vCISO), Managed Service Provider (MSP), or other fractional resources could address your needs and objectives more cost-effectively. This is especially important if you have a very broad tech stack or complex operations, as an MSP or vCISO firm will usually have access to more expert resources than any one person can be expected to know.

If you’re building a program from the ground up or for the first time, it may be more cost-effective to use a trusted third party to supplement your work than to hire one or more FTEs to build a program in-house. Regardless of what option you go with, you’re likely looking for an individual—or even a team—with privacy and/or compliance knowledge as well as technical engineering knowledge.

Part of defining your objectives also includes measuring your progress and ensuring that what you’re measuring is relevant to your intended outcomes. As you develop your program, be sure to identify key metrics that help your organisation understand and share the achievements and outcomes of your security compliance program.

Remember you’ll need to prioritise what you’ll build and when. This is especially true given that you’ll likely have a long list of action items, and more tools and needs than you have budget for. The approach we’ve taken at Vanta is to align our security compliance program with our business objectives—which also ensures we’re meeting the needs of our customers and our overall business.

As a tip, our team likes to reference Verizon’s Five Constraints of Organisational Proficiency as described in their 2019 Payment Security Report to help structure our approach to our compliance program. This framework highlights the importance of capacity, capability, competence, commitment, and communication as key to the health and effectiveness of a strong data protection compliance program—we suggest giving it a quick read if you’re interested!

Step 3: Prioritise and start building

Now that you have an understanding of your needs and timeline, it’s time to start prioritising your efforts based on the needs and constraints of your business. You can start by taking the following steps:

• Double-check alignment with business objectives—is your plan still what the business needs or has it had some scope creep or plan drift that might introduce unnecessary friction?
• Set up official deadlines based on your new understanding of the project goals, and officially kick off the implementation of your program.

Remember, security and compliance are infinite black holes without context. Make sure that what you’re planning on doing for compliance has guardrails to ensure you’re spending your time and effort in places that drive measurable business outcomes.

‍Lastly, understanding, defining and communicating why you’re working toward these objectives—whether toward meeting customer needs, revenue goals, or internal risk reduction—can bring others on board as well.

Additional considerations: stakeholders and resources

Don’t forget that executive sponsorship, commitment, and budget are some of the most critical components of a strong security compliance program. We suggest seeking these out earlier rather than later and continuing to build this bridge by highlighting risks, impact (including positive!) and your company’s overall security compliance journey.

‍After you determine your goals and identify your tooling and technology needs, it helps to know what tooling is available and what meets those needs most. Referencing industry trends and feedback can be a good place to start, as well as networking with others in the industry who are or have addressed similar challenges.‍

Tips and suggestions for building your security compliance program

While every team and company approaches building security compliance programs slightly differently, here are a few tips we’d suggest:

• Build repeatability: While it may be tempting to aim for quick wins, focus on repeatable processes and repeatable outcomes within your program. Remember that fire drills are often an indication of broken processes.
• Start with a strong foundation: Focus on the fundamentals and do your basics well—no matter how mature your program, the fundamentals always matter.
• Avoid shiny object syndrome: Tools and technology may help, but will only exacerbate broken processes.

Ready to start building a strong security compliance program?

Check out Vanta’s guide for UK startups to learn more about the differences and similarities between ISO 27001 and SOC 2 and which is right for your organisation. You’ll also learn how to leverage compliance automation to streamline certification and support your business through an international expansion.