As Civis’ General Counsel, my day-to-day is filled with a wide-ranging mix of business and legal issues, including leading our data protection efforts… and also a lot of keeping this guy out of my hair. But, today I want to share my thoughts about something I care about deeply:
You — our clients — trust us at Civis to store your data and to be proper scientific and technological stewards of it. It’s humbling, and we take this responsibility heavily and seriously, because the threats are real.
And today, I want to tell you about a quiet but significant investment we’ve made in that trust — we recently completed our certification for SOC 2 Type II compliance for the Civis Platform. ‘SOC 2 Type II compliance’, while quite the mouthful, is one of the highest and most stringent levels of independent third-party validation of a company’s enterprise security. We’re still a small company, but we made this investment early because we take our responsibility to you so seriously.
I can go on (and on) about the significance of a SOC 2 Type II examination or the details of our SOC 2 report, but instead I’ll leave you with our SOC 3 report (the publicly available version of our SOC 2 report). We spent a lot of time with a great team of auditors over the last 18 months, and this report goes through their assessment of our security and confidentiality practices.
I’ve been asked many times how a company like Civis — young, growing quickly, and innovating at a lightning pace — can achieve such a high standard of compliance typically reserved for larger, more established companies, and I want to share some high-level guidance for others that might be looking to do the same. TL;DR — it’s a bear, but if you plan it out and invest properly it’s an achievable goal for any committed enterprise. I’ll focus on the organizational steps that we went through, but you can read some of the technical details here.
So here goes:
We started the SOC 2 process about 18 months ago, when we were a lot smaller. We had a good foundation (device controls, 2-factor authentication, mandatory encryption, etc.), but SOC 2 requires a full suite of administrative, technical, and physical controls, so we had some work to do. Here are the steps:
Step 1: It’s all about culture. Admit you can do better, and get leadership to buy-in:
SOC 2 meant reexamining the way we do things and making some changes. It was critical that leaders across the company and at various levels were on board. Explaining to each of these stakeholders the benefit at a macro- (benefit to company) and micro-level (benefit to the leader and their team) was essential to achieving this.
Step 2: Fix Organizational Practices (Read: Time to Grow Up):
Security is all-encompassing, going well beyond a company’s systems and software and including elements such as physical (on-premise) security, personnel management and training, and vendor management. Before you start thinking about your security controls, take a step back and do a full review of your company’s practices. The goal is for your SOC 2 undertaking to cause as little disruption as possible, so it’s almost more important to identify all the things you can keep in place than it is the areas needing improvement. Without this exercise, you risk establishing unnecessary policies and procedures that clash with the way your teams work.
Step 3: Put together a compliance plan that fits your organization’s culture and the way it works:
Once you’ve done your review, codify the stuff you can keep in place, and get to work identifying the different ways you can improve areas that need shoring up. This second part is critical, and easier said than done. There are multiple ways to meet any security control, but some of those ways will be much less disruptive and intrusive to your workplace than others. For example, monitoring your offices and physical workplaces. You could comply by putting security cameras in every corner of the office and in the bathrooms… and creep out the whole company. Or, you can use a small number of security cameras and place them at office entry points and in limited areas of the office that might need additional monitoring (for instance, if you have any servers on-site). Of course, most of your controls won’t be as easy as figuring out how many and where to put security cameras. So, take the time to work with colleagues in all areas of your organization and truly understand what they do and how they do it. This is the only way for you to identify the best, most efficient, and least disruptive way for your company to meet each control.
Step 4: Once your plan is done, review with the organization to get them onboard:
After you’ve established your controls and proposed changes, it’s time to implement those changes. At a smaller organization, you’ll need to get the whole team on board; be sure to empower and equip managers and stakeholders across the company to discuss them with their teams. We prefer to roll out significant changes and policies by providing the backstory to help everyone understand why they’re being made, but you should communicate your changes in a way that best fits your culture.
Beyond these points, keep in mind that security is much more than firewalls, encryption, and passwords; it’s an effort that involves people and procedures across the organization — all of which are reviewed in a SOC 2 examination.
While we’re extremely proud of this achievement today, we’re never done. The security landscape is always evolving, and you can rest assured that we’ll constantly challenge ourselves to find better, more efficient ways to protect you and your information. More importantly, you can count on us to never take for granted and always work hard to earn and maintain that thing we care so deeply about… your trust.