Compliance Uncomplicated Episode 13: Cloud Compliance and Startups
by Alexa Ovenshire
Navigating the complexities of compliance frameworks and regulations is challenging for companies of all sizes, but especially startups. Travis Good, the Co-Founder of Security Yak (now becoming Workstreet), brings a wealth of experience, having helped startups align with multiple compliance frameworks like HIPAA, HITRUST, SOC 2, and GDPR.
On the latest episode of Compliance Uncomplicated, Travis shares valuable insights on how startups can manage expanding compliance requirements and how maturity plays a critical role in developing a compliance program. We also dive into the value of open source contributions and how modern platforms like Drata make it much easier for companies to achieve their compliance goals via continuous compliance.
Workstreet (formerly Security Yak) is a consultancy firm specializing in empowering startups by handling the complexities of their compliance, privacy, and security needs. They primarily target B2B SaaS companies and offer services ranging from establishing initial infosec and compliance programs to refining and formalizing existing, organically grown ones.
“Our goal is to allow companies to focus on their product, on their customers, on the mandate for growth. And do it in a way where we can enable them with really effective security compliance programs.”
The Power of Open Source and Cloud Compliance
To help startups, Travis and his team open-sourced all the policies, procedures, and training they had created during their journey. They made it easier for startups by providing them with templates and frameworks to kickstart their compliance journey.
Open-sourcing their resources not only benefited the broader community but also had a long-tail benefit for Travis himself. It helped him build a brand and establish credibility in the industry, something he highly recommends to others in the cybersecurity field.
Travis has also authored a book on cloud compliance, sharing his extensive knowledge. He believes that understanding compliance is crucial for companies everywhere, not only for those who implement policies but also for those who audit them.
As technology evolves, so do the challenges and questions surrounding compliance. Travis pointed to AI as an example: it makes it even more important for people in security and compliance to stay up-to-date and understand the implications of new technologies.
Compliance Advice for Startups
Travis offered a wealth of valuable advice for startups on compliance preparation and implementation throughout the episode.
1. See Compliance and Security as Business Enablers, Not Blockers
One of the critical points Travis emphasized is the need to view compliance and security not as blockers but as enablers for the business. In today's digital age, cybersecurity is a critical component of every sales conversation. By proactively addressing these issues, companies can distinguish themselves in the marketplace.
“Integrating even basic policies and procedures and different types of security monitoring and training into the development or general learning operations of your startup is smart.”
2. Leverage Technology for Compliance
He also highlighted the change in the technological landscape and how platforms like Drata make it easier for startups to establish a robust InfoSec program.
“Platforms like Drata really make it easy for a startup to get up and running with compliance, even if they’re not going through a full audit. Get up and running with something where you start to understand what it means to build an InfoSec program.”
3. Engage With Auditors Early
Another tip Travis shared is to engage with auditors early in the process. Whether it’s your first time dealing with a compliance framework, or you’re extending to include more, auditors can offer valuable insights. Engaging with them earlier can help identify control gaps and offer actionable guidance to address them. This not only prepares you for the inevitable audits but also establishes a firm foundation for your compliance programs to grow on.
The Drata Advantage: From Multiple Frameworks to Continuous Compliance
Platforms like Drata have simplified the processes around managing multiple compliance programs as well as continuous compliance and cloud compliance. Travis emphasized the importance of engaging not only with an auditor early but also with a compliance platform early.
Expanding to Multiple Frameworks
For startups considering expanding their compliance programs to include multiple frameworks, Travis emphasized that preparation is key. Creating a roadmap that outlines the sequence of frameworks to tackle can set the stage for smoother transitions and less pain down the road.
When his first company started with HIPAA and eventually expanded to include HITRUST, SOC 2, and GDPR, Travis described how the task felt like "restarting every time," especially when it came to crosswalking controls from one framework to another. Today, tools like Drata make it easier to take on multiple frameworks and provide a clear, organized way to identify gaps in controls when adding new frameworks.
Achieving Continuous Compliance
While it is important for startups to lay the foundation for compliance first, continuous compliance should be the end goal. Thankfully, tools like Drata continuously pull evidence and update attestations, making it easier for companies to achieve this level of compliance.
Listen to the Episode
Compliance is an ever-evolving landscape that startups must navigate carefully. By planning ahead, focusing on achievable goals, and integrating modern tools and platforms, startups can create robust, scalable compliance programs that attract customers and investors alike. As Travis pointed out, the earlier you start, the better off you'll be in the long run.