At Alloy, we had a decision to make relatively early on, when we were just 5 people on a very tight budget: whether or not to invest in a SOC2 process. A SOC2 report is an independent auditor's opinion on a company's non-financial controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system (the AICPA's Trust Services Criteria). A Type I report covers the design of those controls at a point in time; a Type II report also covers their operating effectiveness over a review period, which is the one banks usually ask for. (For more information, see the AICPA's SOC materials; note that SSAE-16 is the attestation standard behind SOC 1 reports on financial-reporting controls, not SOC2.)
We knew it would cost a ton of money and eat up valuable engineering resources. Our CTO had to be willing to live and breathe compliance standards for a few months. We bit the bullet and learned a lot in the process about why doing it early makes sense:
1. Banks (and other compliance-heavy institutions) will work with you.
When you’re a young company (with young founders and employees, to boot), credibility is everything. For fintech startups, credibility can come in many forms. Client logos, investors or board members, and founder experience all play a part, but trust and credibility around your product is king. Banks are notoriously difficult for startups to work with. Culturally, they’re worlds apart: they operate slowly, with layers of hierarchy and committees, and they go to sleep at night riddled with regulator-induced anxiety. So when banks engage with early-stage startups, there’s often a clash of people, technology stacks, processes, timelines, and cultures (suits vs. hoodies!). Think of working with banks as a process of removing (or mitigating) barriers. You can assuage them in a variety of ways, but having your SOC2 done is key. You will stand out relative to the other startups they meet, and you’ll already have answers to the seemingly nit-picky questions their vendor-risk and information-security teams will ask (access control, change management, encryption, incident response, vendor management, and so on), because the audit made you write them down.
2. You’ll invest in some worthwhile policies and procedures.
Once you’ve done your SOC2, you’ll also have all sorts of policies and procedures ready to go. These may feel silly to you when you’re small and nimble, but these are the sorts of things that risk and compliance departments spend their time thinking about. (And rightly so — too many hacks and data breaches to name here, but you get the idea!) With a SOC2, you’ll have policies and procedures for things you wouldn’t have thought about otherwise but are actually helpful. For us at Alloy, that included things like putting together a performance review system and a smooth process around contracting with clients.
3. The sales cycle shortens.
You won’t get stuck in long back-and-forths over your security. Instead of answering each prospect’s security questionnaire from scratch, you hand over the SOC2 report and the policy packet you built for it, and you’ve saved yourselves days of emails, phone calls, and document creation as a result. In other words, you can focus your sale on the value proposition you’re delivering.
4. It’s easier when you’re earlier/smaller.
You’re all in the same room, without the pesky burden of different offices and departments. When questions need asking or changes need making, it can happen quickly and easily (at that beloved startup pace!). And you don’t have to change entrenched systems or ways of doing things. There’s no undoing, just building from scratch.
5. The tools available now make it simpler & less expensive.
Tools like AWS and SSO make it easier. Running on a cloud provider lets you inherit the provider’s own audited physical and data-center controls (AWS, for example, publishes its SOC reports to customers), so your audit scope narrows to the controls you actually operate, and SSO gives you one place to enforce MFA, provision accounts, and revoke access when someone leaves, which is exactly the kind of evidence an auditor asks for. There’s no need to reinvent the wheel. Ten years ago, building compliant infrastructure yourselves would have been a huge headache. And a shoutout to services like VGS, StrongDM, and Vanta, which make data security, compliance, and the related audits simpler for startups.
Oh, and there’s one more bonus: By the end of the SOC2 process, you’ll get to have your very own paper shredder up and running!
You’ve earned this paper shredder as part of your SOC2 pain!