37. Founder's Guide to Compliance: The Introduction SOC2, ISO, NIST, HITRUST, PCI-DSS, FIPS, and more

Hello everyone and welcome to a brand new series. This is the first episode of a new series called the Founder's Guide to Compliance. This is a no BS zone where we will dissect everything that founders need to know and understand about all of these compliance standards and SOC and ISO and NIST and cybersecurity, all that. Well, I'm joined by my co-host, Nasher Sinkovit.

Hi everyone. We have started companies. We've worked at big companies. We have helped with all of these different standards.

We're right there where the rubber hits the road. We have cybersecurity backgrounds. And our aim here is to get to just the essence very quickly. What's behind these standards?

I think it sounds like a very good foundation and a high-level description of this new series. John, would you like to give a little bit of introduction about yourself if people have not met you before? Thank you, Sasha. So I grew up in Minnesota.

I launched my career as a security engineer at Apple, worked on security in iTunes. Security for me has been an irrational passion. Irrational because I can't explain it. I just need to accept it.

There it is. And there are different types of security people in this world, but I'm not one who just avoids risk. In order to do great things and to experience great joys in life, you have to take risks. You're all forced to take risks.

You have to take risks. For myself, I couldn't imagine living life without motorcycles, even though that's a huge risk. I understand that's a huge risk. So in that spirit, I have had the great honor and privilege to meet amazing teams and startups and companies, little companies, my own company, and just happy to be here.

We do this podcast as an authentic give back to the community and to engage with entrepreneurs and founders like yourself. So Sasha, how about you? What's your story? Well, I started my career in cybersecurity about a decade ago in Silicon Valley.

I've been very fortunate to work with extremely knowledgeable people who have taught me the things that I know today. I would definitely not be here today without amazing people in the Valley and people who have been working closely with me. I started my career doing security with an amazing security team, serving extremely regulated companies, all of the global financial institutions that you think of. We have created products for those companies.

And so I'm quite familiar with compliance and regulations firsthand. We've built startups ourselves. And that taught me a lot of different things from a very different angle. So having done both the large corporate space and having done a small startup from zero, there is a lot of experience and there's a lot of knowledge that I would like to be able to share with people who are fairly new to the space.

Compliance in general sounds very complicated. No one wants to even try to dig into compliance. It's dry. It's complicated.

There are often a lot of legal caveats involved. But that's the whole point of this series. We would like to translate the complexities around compliance into simple English. By the way, neither of us is a lawyer or attorney.

However, we have a ton of experience behind us. We have experience in dissecting and translating complex compliance requirements through the language of engineering into simple digestible ideas. So having said all of that, we should kick off. So what is our mission here, Sasha?

Our mission here is straightforward. The whole purpose is to demystify compliance. No BS. We're here to talk about these standards.

We want to make sure that you're not blindsided by them. And we want you to understand how they will impact your business when your customers or your potential customers start asking. You know what? Sometimes these standards are just going to open the door and you've got a lot more work to do on top of that.

And sometimes these standards are going to help you close the deal. We'll help you understand the difference between those two types of customers. We'll help you understand what's the trade-off between executing earlier and raising your security maturity inside your startup versus waiting. Sometimes the right answer is to wait, but it's not always.

And there is going to be a price to pay. We'll get into those. And I think we both have noticed that in the past decade, things have changed dramatically. It used to be that you would go for a certain framework or a certain standard and you would try to achieve SOC or ISO only when one of your customers had told you that in order to close this deal, we absolutely need you to be compliant with the standard.

However, in 2024, what we have been noticing is that even before you start the initial conversation with a potential customer, one of the very first questions that your customers will ask is whether or not you have SOC 2 or if you have ISO. It depends on the type of business. It depends on the type of product that you and your company produce.

Your customers will ask for different compliance specifications and they will try to make sure that you adhere to the minimum security practices that they follow themselves. And one of the best ways to do that is to have a third party attest on your behalf that you do your very best to make sure that your customers' data is safe at bay. If you're feeling a little bit teased right now, then we are doing a very good job of introducing the topics. And if you're not, please let us know.

Yeah. If you don't feel teased, do reach out and let us know. Feedback is always most important. Our game here with all of the following episodes is to cut to the heart of the matter of what, the why, and the how you might want to or have to or you're forced to think about these standards.

We're going to do it in a way that cuts through the BS. These are authentic gives. We want nothing more than to see you and your startups, all of the startups out there as successful as they possibly can. Okay, so Sasha, who is our target audience?

Who should absolutely be listening? Anyone who is thinking about starting a startup, anyone who has just started a startup, anyone who is in the process of building a company. We will be talking to people who have questions about compliance. Maybe a customer of yours just reached out and told you, hey, can you share with me your SOC 2 Type 2 report? Or maybe they reached out and they gave you a security questionnaire with 800 different questions.

All of these are very stressful engagements with your potential customers, as your main goal is to close sales. Like we mentioned earlier, compliance becomes part of the normal process of closing sales. And we would like to make sure that we can make that process a lot more seamless or less stressful. When you go to market, it doesn't matter if you're doing top down or bottom up, you're going to get these questions.

You're going to get, hey, do you have SOC 2? Do you have ISO? Do you have NIST? Yeah, and I think it's important to remember that you'll get these questions and inquiries not because someone wants to burn your time.

It's not because someone wants to burn their time on your customers. It's all about bringing security more into the space. And it's driven through different regulations. It's a very good thing that there are a lot more laws around data privacy and data security.

A lot of your potential customers have commitments to their customers. So it becomes this type of web or tree where one player in this chain is required, and it's in their interest and in the interest of their customers, to make sure that the next link in the chain is compliant with the same level of security and privacy around critical components and critical systems. That's right. If a customer is going to hand you their data and you're going to help them with it, you're going to process it, you're going to save it, you're going to store it.

You're going to back it up. They're putting a piece of their business in your hand. That is why they care. At the end of the day, that is why they care.

They have to hold us as founders, as entrepreneurs to the same bar that they hold themselves. And for a Fortune 500, for a Fortune 100, guess what? That's a pretty high bar. These standards help us get there.

They signal. They signal to the market that we're mature enough to be able to handle that type of responsibility. And to be successful at it, knock it out of the park. And as founders, as entrepreneurs, we can use these techniques to scale our business.

It is impossible to be part of every single decision that is made in your organization. So how do you know that those decisions being made underneath the hood are aligned with the interests of where you're trying to take the company, with the interests of the potential customers that you're trying to close? Well, you can use standards to help do that. You can use a very high rigorous bar.

Different verticals will have their own standards too. Healthcare has its own standards. In tech, they have their own set of expectations as well. Some of these are clear cut.

They will come across different markets. Some of them will not. They'll be market specific. We're going to get into all of that.

There is so much grit underneath the hood. Sasha and I have been through the wringer on different markets and different startups at different stages, trying to break into markets with different products. You know what? And it's a sign of success.

It's a sign of success to be able to be in a position where you're starting to engage these things, starting to think about these things. So would you say that compliance is the essential part of doing business in 2024? It's a clear signal that you are taking your startup seriously. You're growing and you're growing aggressively and that you understand how to navigate cybersecurity and risk with that growth.

What's your experience been, Sasha? Well, my experience has been pretty, I don't want to say eye-opening. There is nothing eye-opening about compliance. However, it becomes very clear that in order to do business in certain verticals, it's absolutely essential to meet minimum standards that your customers present.

And also, what is compliance in general? Compliance tends to drive engineering controls. These controls should not be done as a checkmark. And there are a lot of lessons to be taken out of sometimes dry documents.

The standards are geared towards making sure that the basics are implemented properly. So there's a lot of good that could be extracted from standards and frameworks that we will discuss in the end of this series. Thank you, Sasha. As we mentioned before, this is a no BS zone.

And so we will pick those standards. We'll take those details and we're going to dissect them and actually show you how you can position them within your org, with your goals, with your sales goals, your growth goals, even maybe your investment goals. You mentioned investors and we'll definitely talk about what does it mean for the investors. This in itself deserves its own episode.

It's important that we protect investors' money. Whether we launch our own company or you work for a larger company, there's always an investor in any venture. And like I mentioned earlier, every one of those controls is aimed at protecting the company and the customers. A simple breach could result in huge losses for a company. It could result in people's lives being disrupted.

There are a lot of private lives and every private life deserves to be private unless the person who owns the life, who owns the private data, chooses otherwise. And it's their decision. It's the people who should be able to say, make it public, and not an adversary, not the attacker, not an honest mistake. It's all about connecting back to real life, connecting back to the lives of people and connecting back to the lives of companies.

I love connecting these things back to the real lives of people. And I think, especially in the States, a lot of the privacy stuff is lost on us. There are a lot of people that use computer systems and they depend on the privacy that those systems claim or purport to provide. It is not a free world.

The United States might be free, but the world is not. Look what happened in Russia, right? Navalny has now passed away. They're not releasing his body.

There was a memorial in Moscow. They arrested like a hundred people. It is not a free world. I think as founders, as we build new technologies, we need to be cognizant of that.

Yeah. Okay. So grab your coffee, folks. Sit down.

I don't care if your startup is in the garage or if you're brainstorming the next big raise that you're doing. This podcast is going to help you navigate that complex space of compliance. At the end of the day, when we talk to founders, when we talk to people that don't have any experience in data security, data privacy, compliance and regulations, it's a very heavy, very delicate and, to many, very expensive discussion.

We would like to make sure that there is a simplified view of what is this? When do I need it? And how much time does it take me to implement the standards? So what standards are we going to go over?

We will for sure cover ISO. We will cover SOC. We will cover GDPR. We will cover HITRUST, FIPS, and we will definitely talk about NIST.

We will cover basics. However, if there is more interest, we can definitely dive into more standards. If you want us to cover a topic, we would love to hear from you. And if you like what you've heard, we would really appreciate a like and subscribe.

How can people reach out to us? Where can people find you, John? Anywhere that you listen to podcasts, you can subscribe to this podcast series. This podcast is a YSecurity production.

I would just like to take a moment to say thank you to all of our new listeners for tuning into this new series on compliance, a guided tour for founders. We're delighted to have you be part of this journey. We want to be part of your entrepreneurial journey.

I'm a simple guy. This is not going to be a complex journey. Complexity kills innovation. It's pretty clear that robust solutions are always simple.

This is the approach that we take for compliance as well. We try to simplify. We try to boil it down to the core principles of what it means to follow or to be compliant with certain standards. This is what we would like to share with you.

If you would like to reach us, you can contact us using the email contact@YSecurity.io, or you can reach out to us directly via LinkedIn. Super happy if you do. We hope that you get something out of this, and so much out of this that you're compelled to share it with all of your entrepreneurial buddies who are struggling with the same pains as you're struggling with around compliance.

And thank you so much for taking time to listen to this podcast. And we look forward to sharing some time with you on the next one. Thank you for tuning in to the first episode of a new series called The Founder's Guide to Compliance. We are your hosts, John and Sasha.

And stay tuned for the next episode, which will be SOC 2. All the sweet SOC 2. I hope you have clean socks. Till the next time.