Achieving SOC2 Compliance as a Fully Remote Organization
We love talking about security at Float. Whether it's an HR process or changes to our software, we're trained as a team to consider how security and resilience should form the basis of that work.
For the last couple of months, we've been working hard to further increase our security and resilience controls across Float. Today, we've taken a big step forward by receiving our SOC2 Type 1 report! (A Type 1 report assesses whether your controls are suitably designed as of a point in time; a Type 2 report goes further and tests whether those controls operated effectively over a review period of several months.)
What is a SOC2 compliance certification?
SOC2 is an industry-recognized attestation framework, defined by the AICPA, that companies around the world use to show customers that their controls for delivering secure and resilient software are in place and working. Strictly speaking it is not a certification: the output is a report in which an independent CPA firm gives its opinion on your controls against the Trust Services Criteria (security, plus optionally availability, confidentiality, processing integrity and privacy). Getting there means engaging that auditor, documenting the controls you operate, and producing evidence for each one.
Why did we do a SOC2?
Float has always had strong processes in place for security by design and for resilience, and our consistent uptime over the years reflects the resilience side of that work.
Not only are we growing quickly, but we've also seen an increase in the number of customers asking for documentation on our security processes. As a result, we decided it was time to pursue a higher level of compliance that would satisfy our customers' needs, and to present it to them in an easily digestible way that can be scaled as we grow.
Customers are not only the bedrock of Float, but also the driving force behind everything that we do. Customer feedback is a core part of our identity and continuing evolution. Protecting customer data takes care and attention, and that's why we've put so much focus into security.
Undergoing SOC2 compliance as a remote company
Prior to beginning our SOC2 work, we identified several key items that were unique to us as a fully distributed remote company. Chief among them was whether or not we could even pass the audit as a remote team (spoiler alert: yes we can, and yes we have!).
Some of the other considerations included:
- How would we handle workstation management when many team members work from laptops or desktops all over the world?
- Would the additional security required to pass SOC2 impact our ability to continue being a distributed remote team?
- How could we pass security checks without a physical office to conduct them from?
After digging around a bit and performing our own research, we engaged the compliance automation vendor Vanta, who gave us a ton of helpful information as we began the process.
It turned out that we could easily keep our remote and distributed team on their own devices worldwide. Vanta provided an agent that collects evidence from each workstation and aggregates it centrally, so we could check that every device met the workstation controls we had written into our policies. (SOC2 itself does not prescribe specific device settings; the auditor assesses whether you meet the controls you have defined.)
When we couldn't automate the systems, we worked with our auditors to implement a system of manual collation that could be reviewed quickly by the audit team (and wouldn't be a huge burden to maintain).
No office required
It turns out you don't need an office to be SOC2 compliant! Being a remote team was actually helpful because we have no physical location to secure and support.
Instead, we were required to update our security policies to reflect our default modes of work—remote and async. We also needed to reiterate our drive to run paperless.
Mandatory security checklist
SOC2 required us to increase the coverage of our existing security measures, and it also helped us codify our security processes into a more standard format. The latter point is becoming increasingly important as our team size grows (we're currently 25+ folks working remotely around the globe).
New Float team members are onboarded remotely, which includes meeting a comprehensive security checklist before being granted access to our internal tools and systems.
Vanta was instrumental in helping us design processes around these new security measures while ensuring that they didn't negatively impact our workflow.
Top 5 tips for undertaking SOC2 compliance
As this was my first experience leading a rigorous compliance certification for a fully distributed remote company, I thought I'd share some lessons learned for others who may embark on a similar process in the future.
1. Plan before you start
It sounds like a no-brainer, but SOC2 compliance is a long process that involves many people. Your chances of success drop dramatically if you just rock up one day, open your laptop, and decide, "Today is the day I start our SOC2." We spent quite a bit of time beforehand on the following:
- Identifying areas of the company that would be affected most by compliance changes.
- Speaking to key members in the company to let them know what we were doing, why, and how it might affect them.
- Looking for areas of improvement in our security processes.
- Discussing the ways our company operates differently from others to see if it might be a barrier to compliance completion.
Planning ahead also allows you to check that SOC2 is the right framework for your organization. You don't want to get halfway through a relatively expensive process and find out you actually need PCI DSS compliance or an ISO 27001 certification instead!
My favorite saying is "Failure to plan is planning to fail"—and so we planned.
2. Keep people in the loop
Compliance certifications take effort from your whole team. At some point, everyone will have to read a policy, complete training, make a change, or chip in somehow. It's in everyone's interest to understand how compliance might affect them over time and what level of help or effort you might require of them while you're going through the process.
We tried to be very vocal about our SOC2 process and regularly let the whole team know how we were progressing (including delivering detailed reports to department heads and product owners). We also gave teams notice of changes up to a month ahead of time, which meant that items on our product roadmap that were affected could be moved around without long-term impact.
If you feel like you're over-communicating, that's okay. Even though we successfully completed our compliance on time, I still think we could have had even more internal communication.
3. Get a good vendor on board
We spent a bit of time researching vendors before choosing the right one for us. A good vendor will help you through the process almost as much as the auditor will. We had a list of things we wanted from our vendor, with support being a top priority.
I'd advise you to make a list of the things you really want to have during the process and find a vendor who can deliver.
4. Choose an auditor early in the process
Because SOC2 does not prescribe specific controls but instead asks you to define your own and show they meet the criteria, it's sometimes challenging to interpret the requirements based on how your organization operates (or could operate).
You can research on the internet all you want and ask your friends and colleagues how other companies have implemented a control, but your auditor is the one who decides whether your implementation meets the criteria at the end of the day.
Choosing your auditor early on will save you valuable time when you inevitably run into a problem, because they will help you understand how to meet a specific requirement before you have built the wrong thing.
5. Don't ignore the elephant in the room
There are things that fall by the wayside in every organization—the crumbs we often sweep under the rug to tidy another day.
Those little crumbs can quickly become mountains if you're not careful, and the last thing you want is to get to the end of your SOC2 audit only to be blocked by something you knew was there all along. Don't ignore a problem you know exists!
It's best to attack these lingering bits of work early and leave yourself plenty of wiggle room in case they turn out to be bigger issues than you originally bargained for.