Building a Culture of Trust: Why This Early Stage Startup Puts Data Security First
Trust is the foundation of any relationship, especially when you’re a software company charged with helping companies spot patterns in their customer data to unlock opportunities for growth — and you need to deliver those solutions responsibly. That’s why, from the beginning, Rekener made a commitment to building process and security into the entire company and culture. To demonstrate this commitment to our partners and clients, we pursued and achieved SOC 1 and SOC 2 certification. Here’s more about why and how we made this vision a reality.
Why SOC Compliance Matters
As my colleague Dave Casion, CTO and co-founder of Rekener, explains, “We’re an extension of our clients’ teams and technology, so we bring a mindset of building trust to the way we operate our business. Our clients not only expect that our software will help them achieve strategic business goals; they also assume that we’ll do that in a way that aligns with their own approach for data management and security. Frankly, this is so important to clients that we don’t understand why any new software business would not pursue SOC compliance.”
To achieve SOC compliance, Rekener engaged Practical Assurance, SOC compliance experts who help companies prepare for audits by guiding them through the entire process.
According to Ben Thomas, Founder and CEO of Practical Assurance, larger companies are pushing down their compliance requirements onto all vendors. However, he says the majority of vendors merely try to tell a good security story, relying solely on a policy. The question becomes: Are they actually following the policy or is it just a piece of paper?
The best way to satisfy companies seeking this reassurance and do the right thing is by pursuing some type of compliance program, says Ben. To that end, SOC 2 is a great fit for technology and SaaS companies. That said, in Ben’s experience, it’s unusual for a company of Rekener’s size to pursue this rigorous level of compliance. In fact, he believes only about 10% of companies with fewer than 100 employees do so.
As Ben explains, SOC 2 forces companies to put controls in place for core areas of the business. “It provides a good foundation on information security and operations practices, communication practices, incident management and disaster recovery procedures. Moreover, it provides a solid path for a company to mature fairly quickly, establishing key policies and procedures and making sure everyone in the company understands their roles and responsibilities when it comes to information security.”
Rekener’s achievement of SOC compliance at this early stage in our growth demonstrates our investment in our clients from the start. “We are one of very few startup companies our size to make a commitment of this magnitude to its clients,” says Dave.
Putting the Foundation in Place
The preparation process for Rekener included updating and creating SOC-compliant policies and following those policies. Putting in place a policy is only a small part of SOC; following the policy consistently and across the board is at the core of SOC 2 Type II. In parallel, we made additional investments in our security posture. As Ben explains, “Security and compliance are not the same. It’s possible to be fully compliant but still have security holes, so it’s important to implement relevant security controls as part of the process.”
One example of how Rekener is making early strategic investments in trust through security is our deployment of CA Veracode for both static and dynamic analysis for the Rekener Account Control Center. As Dave noted, “We were looking for an enterprise-grade third party to be an unbiased voice at the table, helping us prioritize security-related development priorities and the commensurate dynamic analysis to constantly keep an eye on the front door.” Dave and his team worked with CA Veracode’s expert Application Security Consultants to review our processes and results and help us mitigate any possible issues early, before they could have any impact.
The next step was going through the audit process. First, Rekener needed to find an auditor that was a good match for its business. Once engaged with Practical Assurance, we completed several audit preparation questionnaires. Together, we agreed on the tests the auditor would apply to assess the security controls we had implemented.
This was followed by a full-day field visit by Practical Assurance, during which they reviewed our policies, and we provided evidence that we follow those policies and shared our process for mitigating security incidents. In the SOC 1 Type II and SOC 2 Type II audit reports — delivered a little more than six months after the preparation began — the auditor noted no exceptions, meaning we passed the auditor's tests of all security controls.
Making It Work
As Ben explains, smart companies start preparing early for compliance. That’s because the executive team understands it’s important to make this investment early on even though it can be disruptive. “You can achieve compliance in less than a year but it takes tremendous focus and effort. By starting early and giving yourself ample time, you can move fast when compliance is a deal breaker with a prospective client,” says Ben.
Plus, as Ben points out, embarking on a compliance journey early in your company’s existence means less pushback against doing things differently than in the past. “If your company never had security controls in place and people freely share passwords, don’t encrypt data, don’t track anything, etc., people get used to loose operations. On the other hand, if you establish security controls, policies and procedures early, it becomes an intrinsic part of the company culture,” continues Ben.
According to Dave, this process is not to be taken lightly. “It is a tremendous undertaking requiring true commitment. To be successful with the implementation requires strong curiosity and a willingness to ask the right questions to tease out the correct processes and procedures that are true win-wins for you and your clients.”
For Dave, the best way to balance the compliance effort with day-to-day responsibilities was to break down any distinction between the two. Specifically, he and his team treated the preparation for SOC compliance as part of the company culture and every business decision made.
Rolling Out the Program and Ensuring Ongoing Maintenance
MJ Langlais, Chief People Officer at Rekener, helped introduce the SOC compliance project to everyone in the company in March 2017. Once the audit was complete, she led a company meeting to roll out security awareness training. As she explains, all company employees are required to follow Rekener’s security requirements. “That covers everything from handling data, to the security of the physical space, to managing the development environment, to security related to third parties, and also as part of our hiring, onboarding and training efforts,” says MJ.
Now that Rekener has achieved compliance with SOC 1 Type II and SOC 2 Type II, we must be diligent about following our policies and practices to stay compliant. “This is our commitment to our clients, and we take it very seriously. We realize that trust is the most important aspect of the relationship with our clients, so it’s important they trust both our BizOps and technical expertise. We believe the certification helps give our clients faith in our commitment to doing the right thing for them,” continues MJ.
A Win-Win Proposition
By putting in place a solid data security and risk management program, we expect to further deliver on our commitment to be trusted partners to our clients. “We’re here to help enable sales and BizOps leaders to unlock tremendous value for their teams and organizations in innovative ways. Since we’re looking to build lasting relationships with clients, SOC compliance is a conversation starter around our culture and processes. But more importantly, it also demonstrates our ongoing commitment to building a relationship of trust with them,” concludes Dave.
Got questions about Rekener’s culture of trust, SOC certification or our approach to data security? Contact us.
Steph served as Rekener’s Community Manager and CMO. A Rekener co-founder, she was previously Senior Director of Marketing at CCC, a $300M+ recurring revenue business, and served in marketing leadership roles at Vertical, @stake, Informio, DotContent and Meridian. Her first recurring revenue role was as an inside sales rep selling real-time stock pricing subscriptions.