Ingo Schommer

Leveling Up Runn's Security with SOC2: What We Learned

Runn is now SOC2 Type I certified! It was a journey, but we learned many valuable lessons on the way. And now, we'd like to share those lessons with you.

Runn has had a strong focus on security and privacy from day one. And today, we are proud to announce that Runn has achieved SOC2 Type I certification. 

It is great to get independent verification on our approach to security, and a major step forward in safeguarding our customers' data. We have approached this challenge like everything else at Runn: with pragmatism, creativity, and teamwork. And now, we want to share what we learned in the process.

Do it while you’re small and nimble

It’s tempting to leave certification until you’re large, and can no longer avoid it because enterprise customers insist on it. But as your headcount grows, the complexity of any organization-wide change grows with it, and quickly.

There will be more stakeholders to convince, more edge cases to consider, more bad habits to break, and a larger variety of technology stacks to secure. Some of us have past experience with introducing these changes in larger companies, and we’re glad to have tackled it proactively.

Do it with the whole org

What’s the point of having secure infrastructure with all the bells and whistles if all your staff share the root account? In most cases, the scope of a SOC2 audit will encompass your whole organization, rather than just the tech. 

This often requires working with the whole team to change habits, adopt new processes, and watch some corny security training videos! It is important to explain the drivers for these changes proactively, tailoring the message to your target audience, and giving staff a chance to digest and provide feedback before it's too late. 

Do it transparently

Everything at Runn is very open (even our salaries!). When rolling out SOC2, we were inspired by the Honest Security framework: it values a positive relationship between all staff and the security team, with transparency and informed consent where oversight is necessary. 

This is why we really dug deep with our auditors on the rationale for invasive endpoint protection products on staff devices. In the end, we settled on Kolide as a transparent and light-touch solution. 

With this approach, every staff member knows exactly what the security team can see on their laptops, and they perform any required changes (e.g. screen lock configuration) themselves.

Do it yourself, but check with the experts

Certifications like SOC2 come with new rules, established as policies and processes. A typical set of SOC2 policies runs to 20-30 A4 pages, plus all the processes needed to put those policies into day-to-day practice.

It can be tempting to “outsource” this to a temporary security contractor, but your current staff is generally in the best position to know what will “stick” and how to introduce it into the org. We engaged Vanta as a compliance platform that comes with specialist support (often former SOC2 auditors). This enabled us to get the basics right ourselves, and then ask the battle-hardened experts about edge cases and vague requirements. 

All up, we’ve sent Vanta over 50 detailed questions, and their informative and timely answers were crucial to our success.

Integrate and automate

Compliance is often considered a dirty word for startups because it slows things down. While it is true that SOC2 requires a considered approach (e.g. change management), it only lays out foundational principles to follow. We invested in understanding these principles upfront, and then right-sized our approach and integrated it into our existing ways of working. 

As an example, access requests are handled simply in a dedicated Slack channel with a basic template and inline approvals in Slack threads, which also leaves an audit trail of who requested and who approved each grant. Policies and risk management are placed alongside our other organizational knowledge in Notion, and security tasks are tracked alongside other bugs in Linear.

Vanta has been useful to suggest and automate recurring tasks (there are quite a few!) and to ensure we don’t fall behind on our commitments.

Engage with your auditor

We weren’t quite sure what to expect from the auditors. There are lots of myths and scary stories around. We interviewed a few that work well with the Vanta platform, and made sure their approach was “right-sized” for our current startup phase. 

By engaging auditors well before our projected audit period, we had the chance to double-check some crucial parts of our approach with them (and decrease the risk of failing). Johanson Group has been a great partner to guide us towards compliance.

Conclusion

We spent about four FTE months with part-time contributions across our security team to get certified. Looking back, it was well worth the investment since it created resiliency within Runn, and reduced the “bus factor” risk. 

By taking our time to get the basics right and bring everyone along the journey, we’ve set up solid foundations on which to grow our startup. Keeping our customers secure is an ongoing commitment, and annually recurring certifications as well as pen tests are a great way to keep us on our toes. 

In terms of next steps, we are currently in our observation window for SOC2 Type II. Where Type I assesses whether controls are suitably designed at a point in time, Type II assesses whether they actually operate effectively over a period of months. We are looking forward to leveling up security along with our customers!
