It’s been a while since my last blog-post here, but no doubt the last two and something years have been quite a handful for all of us with Covid (still around) and geo-political tensions in Europe (now) impacting many aspects of our day-to-day lives.

It’s specifically because of what I’ve experienced on the field in the last few years and the need to change some established ways of working that I thought of sharing a few considerations on very small companies aiming for comprehensive compliance frameworks and more specifically why a SOC 2 “badge-of-honour” is within reach for any organisation, assuming the approach to this journey is with the right mindset and by streamlining execution; same principles, though, apply to an ISO-27001 implementation project.

Those who know me well from a professional standpoint will be surprised to see me writing about compliance, with possibly some reactions being: “Seriously? A long-term Agile practitioner who writes about one of the strongholds of the Waterfall-execution realm that comes to mind??”

I typically focus on helping organisations develop and scale their tech operations (product development, engineering, customer success) through more practical applications of agile and lean principles (practising-by-the-book can only pay so much!), although I’ve also been exposed to compliance-related activities for several years now; that said, in the past I’d only consider this kind of topic as something relevant to organisations with a 500+-strong workforce, and therefore not something that the CEO, CTO or COO of a small company (15-20 people) would bring up as an operational requirement.

But that was in the past… and with the pandemic things have not just changed in terms of working remotely as opposed to full-time colocation… other things have also changed.

A Business Development driver

Smaller organisations, such as start-ups and scale-ups, are now more often asked for evidence of due diligence in their day-to-day operations (documented policies, controls and security), especially when engaging in pre-agreement talks with much larger entities. These are now, more than ever, keen to prove internally that they followed their own due diligence when choosing partners and vendors, in order to favour those which have demonstrated solid foundations in their ability to execute and serve customers; this often requires them to also have frameworks in place such as SOC 2 (and/or ISO-27001).

So the likelihood of small, highly innovative and ambitious companies having to deal with this expectation, especially if they are aiming to land a deal with a larger and well-known customer (or partner), has definitely grown in the last few years, because operational resilience has become a hot topic after the disruption brought in by a global pandemic.

Many C-suite stakeholders and decision-makers then start anticipating the challenges with great apprehension (the “!?” in the title of this post), so the first thought is to bring in some consulting expertise to show exactly what such a compliance journey means in terms of effort and cost; no offence, but if one thinks of involving any of the “Big 4s” for these early discussions, then don’t expect smooth sailing, let alone cost-effectiveness, simply because their target audience is large organisations.

The “necessary evil” can, however, be flipped upside down and potentially turned into an opportunity, as long as you are “well-supported”, obviously. A real-life example to share: for the contract we were awarded a few months back (and progressing ahead of schedule!), I’ve managed to reassure the founders of this highly innovative start-up that a future SOC 2 attestation was within reach in 6-9 months, after they had thought of calling in one of the “Big 4s”, only to be overwhelmed by paperwork and functional requirements which also meant internal resources having to be regularly allocated.

The latter may still work for large organisations, but definitely not for the smaller ones.

1st iteration: BUILD

The recipe for supporting small (and very small) companies in a journey that will take them from zero to SOC 2 (or ISO-27001) operational status starts from reducing to the bare minimum the active involvement of internal people until, at least, there is a foundational layer of policies, procedures and controls established. The point is having someone (like me) operating as a hands-on subject-matter expert during the initial phase of this journey (typically a few months long), developing what’s required based on knowledge and experience rather than just delegating internal people to do things, since I’d rather keep them focused on their roles and responsibilities… therefore we keep execution as lean as possible!

2nd iteration: ASSESSMENT

This “Readiness Assessment”, which I always recommend doing ahead of the formal audit, especially for companies planning a SOC 2 compliance journey for the first time, is an opportunity not just to carry out a pre-audit gap analysis, but also to start getting (only) a few selected internal stakeholders involved, so that knowledge and awareness can start building for those who’ll likely be managing the compliance framework once it is in place.

3rd iteration: AUDIT

The actual review period, when the auditor will be inspecting the operational side of existing policies, procedures and controls, is when I start helping define internal roles and responsibilities, possibly avoiding spinning up new functions for the sake of long-term maintenance of the SOC 2 framework; we’re again thinking lean and, although many of these smaller companies may have been very successful in raising outside investment (seed, series A, B, etc.), there is no need to start splashing out cash on non-core headcount growth, unless the decision-makers are willing to do so for reasons of their own.

Here is when I also provide business and operational coaching since, while aiming for a goal such as SOC 2, the organisation as a whole has the opportunity to embrace one of the not-so-well advertised foundational elements of Agile ways of working: individual responsibilities over tasks and activities.

I’m saying this because the emphasis that frameworks such as SOC 2 and ISO-27001 put on roles and responsibilities (with recurrent tasks in need of execution), coupled with targeted coaching, will help the organisation empower existing Agile practices to make the system (how an organisation is described in SOC 2 terms) more predictable and scalable in its day-to-day running; this also explains why, earlier, I wrote about flipping the “necessary evil” upside down.

Conclusions

A few facts from a recently concluded SOC 2 Readiness Assessment that prove the effectiveness of my proposal:

  • 190 check-points spanning across multiple tech and non-tech controls
  • 20+ policies and procedures developed from scratch in a matter of weeks
  • Less than 5% of the overall controls in need of corrective actions ahead of audit

Not bad for an organisation that, only a few months ago, had not much in place relevant to a comprehensive framework such as SOC 2!

There is more work to do to achieve formal attestation before year-end, but by mastering Agile delivery methods and lean management principles, what could be considered unreachable for a very small organisation (15-30 people) becomes a more cost-effective project with a far more predictable outcome!

Needless to say, many details have been purposely left out so as not to make this read longer than it is, so I hope you’ve found what you’ve read of interest and, if so, feel free to reach out via email to the address below, even if just to schedule an informal conversation… “no strings” attached!

Thank you very much for your attention.

Andrew Celi