Compliance doesn’t have to be scary
Does the word “compliance” fill you with dread? It doesn’t have to. You probably imagine the time that’s going to be taken away from your important day-to-day work, but as our recent experience at CipherStash shows, there’s another way. We approached SOC 2 compliance in a way that got us to our compliance goal without annoying our engineering team. We’re a company with fewer than 20 people – if we can go from the start of an audit to having the compliance logo on our website in less than 30 days, you could too!
CipherStash attained SOC 2 Type 1 certification in December 2024 (announcement here). Strictly speaking a SOC 2 report is an auditor’s attestation over the design of your controls at a point in time rather than a certification, but that is what everyone calls it. We granted our auditor access to Vanta on 12th November and the report was issued on 11th December.
As you may expect, the work didn’t start on 12th November; we’d been working on it for a while. The main thing we did during the audit window was demonstrate that we already had the right principles and mechanisms in place.
We couldn’t have achieved the certification without our two main partners: our auditors, AssuranceLab, and our risk technology partner, Vanta.
Why should you care?
Compliance builds trust with your customers. As a security company we want our customers to trust that we build and operate our systems in a secure way. The most scalable way of doing this is to provide self-service access to our compliance reports. We’re starting with SOC 2 and we’ll expand to other frameworks over time.
Even if we weren’t aiming to achieve compliance certification we’d still be doing the work to maintain a good security posture. My role as CISO is to help the rest of the team understand what they need to do to build and run our systems in a way that aligns with our risk appetite. So we need to do two things. Firstly, understand our security posture and make people, process and technology decisions appropriately. Secondly, demonstrate (or evidence, if you will) that we’re doing this. An auditor can only assess what you can show them, so the second half matters as much as the first.
How can your security program help?
The most important aspect of your security team’s job, and of my CISO role at CipherStash, is to help the team to do what I call ‘ship securely’. This means providing guidance on how to reason about the security properties of our systems; building mechanisms that reduce the friction for our engineering team to achieve secure outcomes; and making demonstrating compliance as easy as possible.
The best advice I can provide here is that security needs to be part of how work is prioritised. At CipherStash the CISO is part of the leadership team, and I have really strong partnerships with our CTO and CPO. We track the security program tasks in the same system as engineering work. I attend our weekly work planning sessions, which allows me to understand what the team are working on as well as provide regular visibility on what the security program cares about. This regular dialogue means that when there are additional asks of the engineers they understand the context. I can also see where we can improve the engineer experience. Sometimes this is identifying where I can help engineers to do threat modelling on our systems; sometimes it is implementing tooling (such as Vanta) that makes it easier for us to understand our security posture.
So, what did we do?
You can reduce the overwhelm by breaking your compliance journey into simpler steps. We found it useful to approach our compliance journey in three stages:
Baseline security posture
Compliance gap analysis
Audit
Set a solid baseline security posture
Getting your basics right provides a strong foundation for your compliance journey. Before CipherStash embarked on our journey to SOC 2 Type 1 compliance, we put in place some fundamental security principles and capabilities. These are fairly common whatever industry you’re in, and each is listed below with the reason it matters.
Centralise human identity as much as possible.
So that onboarding and off-boarding can be handled in one place, and access reviews have a single source of truth.
Rely on automation where you can to test and deploy systems.
So environments are repeatable and engineers have a common understanding of how the components are developed and deployed.
Keep humans away from systems.
This removes the need for interactive access to environments where sensitive data is stored, which shrinks both the attack surface and the amount of access you have to evidence and review.
Clearly state security goals, especially when it comes to evaluating how SaaS providers fit into your organisation.
This gives the whole team guidance on tool selection and on the capabilities we prefer (such as SSO, MFA, and logging), streamlining third-party diligence.
Be clear that security is everyone’s job, and that the security team is ALWAYS there to help.
This mitigates ‘if it’s everyone’s job it’s no-one’s job’ thinking. Culture is super important, and as a startup we empower our people to make informed decisions.
Focus on gaps
To drive your process forward, try to focus on gaps rather than the whole set of requirements. At CipherStash, after checking out the available options, and based on previous use, we decided to use Vanta to help with our compliance program. This gave us a bunch of useful integrations with our existing systems, coverage for both SOC 2 and ISO 27001, and a central place to streamline the process. For each compliance framework the coverage is split into either tests or documents. Tests are things that are automatically checked via integrations. Documents cover the things that can’t be obtained programmatically, like employee policies, architecture diagrams, or board documents.
The first step was to connect our key systems into Vanta — GSuite, AWS, GitHub, Linear, and Notion. This gave us a really quick way to see the gaps that we had between our baseline security posture and where we needed to be, without having to go into each system and look at the configuration. We were already using other posture management tooling, but Vanta gave us a combined configuration and process view. The Vanta home page and the reports page were both useful for understanding and communicating how we were tracking on the path to SOC 2.
Progress graph for tests of different types relating to SOC 2
The next step was to look at the gaps in policies, vendor management, and documents. Using Vanta templates to speed up the writing of new policies saved us several days’ work. The integration with our identity provider meant that when we shared the policies with the team we were easily able to track progress. To make it easy for the team to ask questions (and hopefully a little more fun!) we had a “policy party” on a Friday afternoon, which allowed folks to make time to review the documents they were agreeing to.
Vanta also helped us with the final step: managing our vendors and identity lifecycle. Being able to track risk assessments for our vendors allowed us to easily demonstrate that we were doing third-party diligence without digging into our document management system to provide evidence to the auditor.
Categorising vendors by risk level then feeds into the identity lifecycle activity. This means we can review access to higher-risk systems more frequently and empower the business owners to do this rather than it being a security-only task.
Now that we had a view of the gaps in our evidence, it was time to engage an auditor. We chose AssuranceLab as they’ve got tons of experience working with startups and interacting with Vanta. As part of the initial discussion we were able to use the framework completion percentage to decide exactly the right time to formally engage the auditor. Once we reached 85% coverage, we kicked off the audit.
Audits in a startup don’t need to be scary!
I’m here to reassure you — the actual audit process was really simple. We granted AssuranceLab access to Vanta so they could see updated evidence in near real time.
The main chunk of work needed to complete the last 15% and get to SOC 2 Type 1 was making sure that we had evidence for the work we were already doing. Being able to see which evidence addressed which control objectives meant we could check off the big-impact items first. Whenever our auditor needed clarification, they were able to flag it in Vanta or drop us a message in the shared Slack channel. We could then update Vanta and validate with the auditor. This extremely collaborative approach meant we could move very quickly.
It’s all about your customers
SOC 2 compliance helps us help our customers understand how we approach security. Using partners who understand how startups work (for us, Vanta and AssuranceLab) meant that we could get there fast and with very little stress.
Once we’d passed the audit it took me 5 minutes to get our trust center live in Vanta at trust.cipherstash.com. It gives our customers a graphical view of our control posture and lets them request access to the SOC 2 Type 1 audit report. We also get data on which parts of the trust center are of most interest to our customers.
Subset of data from CipherStash trust center
The journey continues
Our compliance journey continues as we work towards SOC 2 Type 2 (which, unlike Type 1, assesses whether controls operated effectively over a period of time rather than just being well designed at a point in time) and ISO 27001 certification. Vanta and AssuranceLab will continue to be a key part of how we’ll get there. Security is core to what we do at CipherStash, and compliance certification helps us demonstrate that externally. Our internal culture is what keeps us raising the bar as we build and run our systems. Visit CipherStash to find out more about searchable encryption and how raising the bar for security doesn’t mean slowing down your engineering team.