Runn is now SOC2 Type I certified! It was a journey, but we learned many valuable lessons on the way. And now, we'd like to share those lessons with you.
It is great to get independent verification on our approach to security, and a major step forward in safeguarding our customers' data. We have approached this challenge like everything else at Runn: with pragmatism, creativity, and teamwork. And now, we want to share what we learned in the process.
It’s tempting to leave certification until you’re large, and can no longer avoid it because enterprise customers insist on it. But as your headcount grows, the complexity of any organization-wide changes grows exponentially.
There will be more stakeholders to convince, more edge cases to consider, more bad habits to break, and a larger variety of technology stacks to secure. Some of us have past experience with introducing these changes in larger companies, and we’re glad to have tackled it proactively.
What’s the point of having secure infrastructure with all the bells and whistles if all your staff share the root account? In most cases, the scope of a SOC2 audit will encompass your whole organization, rather than just the tech.
This often requires working with the whole team to change habits, adopt new processes, and watch some corny security training videos! It is important to explain the drivers for these changes proactively, tailoring the message to your target audience, and giving staff a chance to digest and provide feedback before it's too late.
Everything at Runn is very open (even our salaries!). When rolling out SOC2, we were inspired by the Honest Security framework: it values a positive relationship between all staff and the security team, with transparency and informed consent where oversight is necessary.
This is why we really dug deep with our auditors on the rationale for invasive endpoint protection products on staff devices. In the end, we settled on Kolide as a transparent and light-touch solution.
With this approach, every staff member knows exactly what the security team can see on their laptops, and they perform any required changes (e.g. screen lock configuration) themselves.
Certifications like SOC2 come with new rules, established as policies and processes. A typical SOC2 policy set runs to 20-30 A4 pages just to be compliant on paper, plus all the processes needed to put those policies into day-to-day practice.
It can be tempting to “outsource” this to a temporary security contractor, but your current staff is generally in the best position to know what will “stick” and how to introduce it into the org. We engaged Vanta as a compliance platform that comes with specialist support (often former SOC2 auditors). This enabled us to get the basics right ourselves, and then ask the battle-hardened experts about edge cases and vague requirements.
All up, we’ve sent Vanta over 50 detailed questions, and their informative and timely answers were crucial to our success.
Compliance is often considered a dirty word for startups because it slows things down. While it is true that SOC2 requires a considered approach (e.g. change management), it only lays out foundational principles to follow. We invested in understanding these principles upfront, and then right-sized our approach and integrated it into our existing ways of working.
As an example, access requests are handled simply in a dedicated Slack channel with a basic template and inline approvals in Slack threads. Policies and risk management are placed alongside our other organizational knowledge in Notion, and security tasks are tracked alongside other bugs in Linear.
Vanta has been useful to suggest and automate recurring tasks (there are quite a few!) and to ensure we don’t fall behind on our commitments.
We weren’t quite sure what to expect from the auditors. There are lots of myths and scary stories around. We interviewed a few that work well with the Vanta platform, and ensured their approach is “right-sized” for our current startup phase.
By engaging auditors well before our projected audit period, we had the chance to double-check some crucial parts of our approach with them (and decrease the risk of failing). Johanson Group has been a great partner to guide us towards compliance.
We spent about four FTE months with part-time contributions across our security team to get certified. Looking back, it was well worth the investment since it created resiliency within Runn, and reduced the “bus factor” risk.
By taking our time to get the basics right and bring everyone along the journey, we’ve set up solid foundations on which to grow our startup. Keeping our customers secure is an ongoing commitment, and annually recurring certifications as well as pen tests are a great way to keep us on our toes.
In terms of next steps, we are currently in our observation window for SOC2 Type II (what’s the difference?). We are looking forward to leveling up security along with our customers!