It seems the world can't go a week without another major data breach.

From Target to Facebook, Uber, Equifax, and Delta Airlines, even the biggest brands aren't immune. All told, there were more than 1,500 data breaches in the U.S. last year, which amounted to more than 179 million records being exposed.

Stats like that have consumers (understandably) scared, and as a result demand for heightened data security is reaching a fever pitch.

As companies take stock of their own data security protocols, they're learning that many data breaches start with vendors. This means it falls to vendors to level-up their security standards in a number of ways, such as completing security RFIs, penetration tests, bug bounties, and compliance audits.

That all sounds pretty straightforward, until young companies discover just how challenging it can be to make it through a compliance audit such as the ubiquitous SOC2.

Luckily, a new tool being released on May 21 may hold the keys to facilitating the compliance audit process. It's appropriately called Comply, and it's all but guaranteed to increase the number of tech startups completing the compliance audit process. And the best part? It's 100 percent free. I spoke with Comply's creators to learn more about the challenges facing startups and how this tool can help.

The Trouble with Compliance Audits

At first glance, it might seem like a no-brainer for software and other tech startups to hop on the compliance audit bandwagon.

"Companies need ways to demonstrate that they're good stewards of data and that they've earned the trust of their consumers and customers," says Schuyler Brown, co-founder of database management company StrongDM, which headed up the Comply project. "So they look for ways to demonstrate that, and third-party seals of approval like compliance audits are a critical pillar in that effort."

But obtaining that seal of approval can be a shockingly arduous process.

For starters, SOC2 (one of the most relevant compliance audits for tech companies) has standards set by a fiduciary organization, not a tech startup. "The result is that the questions are often phrased in language that is unfamiliar to tech people," says Justin McCarthy, another co-founder at StrongDM and co-leader of the Comply project.

This creates a situation in which "controls are both open to interpretation and incredibly broad in scope, and so there's a huge amount of effort that goes into interpreting what their implications are and their impact on your business," says Brown. Meanwhile, because the controls impact so many different departments, interpreting them requires the lengthy involvement of every member of a team.

Once companies make it through the planning and evaluation phase, their challenges aren't over.

"Everyone that goes through this process is at some point faced with the problem of staring at a blank sheet of paper," says McCarthy. "Many of these companies that are going through it for the first time [find] there is really no starting point. There is no roadmap... about how to do it and how to make it through to the other side in a way that does build assurance with your customer and that doesn't destroy productivity and morale."

This means the offering phase requires a tremendous amount of work in the form of in-depth research and original writing. Brown says by the end of the process, companies might have to produce up to 80 pages of writing from scratch.

Making Compliance Audits Easier for Tech Startups

After personally contending with all of the challenges described above, Brown and McCarthy saw the need to provide other tech startups with resources that facilitate the compliance audit process. So they created Comply, a free, open source product that launches on May 21.

Comply approaches SOC2 from a developer's perspective by offering a pre-authored library of 24 policies, a dashboard to assign and track compliance tasks, an online course with advice from experts, and integrations with GitHub and Jira for convenient workflow and improvements.

"We're hoping that [Comply] gives others a leg up in three key areas," says McCarthy. Namely:

  • Providing a framework for documents so they are both easy to produce and audit-friendly. To that end, the StrongDM team created a couple dozen PDFs that are formatted according to SOC2 guidelines. "Those templates will satisfy a SOC2 audit, [and] that's gonna be a major time saver," says McCarthy.

  • Eradicating the "blank page" issue by providing customizable templates that allow users to edit existing information rather than creating pages and pages of original writing from scratch.

  • Providing guidelines for workflow operations throughout the year. "Once you kick off your compliance, there are weekly, monthly, and annual [requirements] for documenting it," says McCarthy. "We have workflow management that helps you remember every week, month, and day which part of the annual compliance plan you should be executing... [in order to enjoy] a successful audit at the end of the year."

All told, the StrongDM team hopes Comply will enable other tech startups to breeze through the compliance audit process so they can devote more of their resources to growing their business.

"We want other people to start with something," says McCarthy. "They'll end up customizing in a way that totally suits their business. But at least they won't be starting with the blank page."

Published on: May 21, 2018