Recently, I had a great conversation with Sam Smith, the Chief Architect for Sigstr, a fast-growing SaaS platform for email signature marketing. Sigstr’s infrastructure is hosted and managed on AWS and secured by Threat Stack. Every day, Sigstr consumes and processes employee contact information from HRIS systems, customer information from marketing automation platforms, and email behavior data — which makes cloud security and data privacy key concerns for both Sigstr and its customers.
Sam’s team is a great model of how to make security a top business differentiator and sales driver. Since many of Sigstr’s customers are enterprise companies with significant risk concerns, the team has consistently been responsive to questions such as:
- How does Sigstr access, store, and protect data?
- How is the application’s infrastructure monitored and secured?
- Has Sigstr undergone SOC 2 compliance or ISO 27001 compliance audits?
- How could Sigstr help them meet GDPR requirements?
During the webinar, he shared information on how the startup managed to be so responsive to its customers’ security needs, while still maintaining a rapid pace of growth.
Note: Click here to listen to the full webinar.
Establishing Cloud Security Best Practices
From the outset, the decision for Sigstr to build on AWS infrastructure was a no-brainer. The team had prior experience and drew on AWS security best practices such as configuration auditing and CloudTrail monitoring. Sigstr set up separate accounts for staging and production infrastructure, leveraged Amazon Virtual Private Clouds (VPCs) and security group controls to minimize access, and used cross-Availability Zone instances. In addition, security controls were set up for “as-needed access,” only giving engineers and DevOps teams access to what’s required in order to do a job or support a new feature. Internal systems followed the same principle: they talked only to each other and to nothing else.
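The configuration auditing and security group review described above, as an added example that is not Sigstr's or Threat Stack's code: a small offline audit that flags security group ingress rules open to the whole internet (beyond an assumed allowlist of port 443) and CloudTrail trails that are single-region, not logging, or missing log file validation. The dictionaries mirror the shape of boto3's `describe_security_groups`, `describe_trails` and `get_trail_status` responses so the same functions could be fed live data, but all group IDs, trail names and rules here are constructed samples and nothing is fetched from AWS.

```python
"""Offline audit of security group ingress rules and CloudTrail trail settings.

Input dicts follow the shape of boto3's ec2.describe_security_groups(),
cloudtrail.describe_trails() and cloudtrail.get_trail_status() responses.
All sample data below is constructed for this example.
"""
from typing import List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# Assumption for this example: only HTTPS on the public edge may be world-reachable.
PUBLIC_PORTS_ALLOWED = {443}


def _world_reachable(perm: dict) -> bool:
    """True if the rule's source includes the entire IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_group(sg: dict) -> List[str]:
    """One finding per ingress rule that exposes more than the allowlist to the internet."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        if not _world_reachable(perm):
            continue  # source is a private CIDR or another security group
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # "-1" means all protocols; no port fields are present
            findings.append(f"{gid}: all protocols open to the internet")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        exposed = set(range(lo, hi + 1)) - PUBLIC_PORTS_ALLOWED
        if proto != "tcp" or exposed:
            findings.append(f"{gid}: {proto} {lo}-{hi} open to the internet")
    return findings


def audit_trail(trail: dict, status: dict) -> List[str]:
    """Check a CloudTrail trail for the settings an auditor asks about first."""
    name = trail["Name"]
    findings = []
    if not status.get("IsLogging", False):
        findings.append(f"{name}: trail is not logging")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(f"{name}: trail covers a single region only")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(f"{name}: log file integrity validation is disabled")
    return findings


# Constructed sample groups (IDs are placeholders, not real AWS resources).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
            # SSH left open to the world: this is the kind of drift the audit catches.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000db",
        "IpPermissions": [
            # Database reachable only from the web tier's security group.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0000web"}]},
        ],
    },
]

# Constructed sample trail and status (shape of describe_trails / get_trail_status).
SAMPLE_TRAIL = {"Name": "prod-trail", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": False}
SAMPLE_TRAIL_STATUS = {"IsLogging": True}


def run_audit(groups=SAMPLE_GROUPS, trail=SAMPLE_TRAIL, status=SAMPLE_TRAIL_STATUS) -> List[str]:
    """Combine both checks into a single list of findings."""
    findings = []
    for sg in groups:
        findings.extend(audit_security_group(sg))
    findings.extend(audit_trail(trail, status))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Run on the constructed data, the audit reports the world-open SSH rule on the web group and the two trail settings, and passes the database group because its only source is another security group. To point it at a real account, replace the sample lists with the `SecurityGroups` and `trailList` entries boto3 returns; separating staging and production accounts, as Sigstr did, keeps each run scoped to one environment.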
As Sigstr grew to more than 30 employees and started to expand its market to enterprise customers, Sam’s team started to face additional pressure around security. Enterprise procurement cycles and third-party security audits surfaced the same questions over and over again. To address these growing concerns, Sam focused on three key things:
- Creating Home-Grown Policies: The team looked at the recurring customer requests and created their own Information Security Policy as a foundational asset. Over time, the policy is updated as improvements are implemented for new customers and markets.
- Mapping Customer Security Requirements to Roadmap: Customer security obligations became like any other feature roadmap item. Engineering and IT were responsible for delivery of both product and security features. Customer security requests acted like a product feedback loop in the long run and have become a business enabler, rather than a blocker.
- Growing Sales Team and Prospect Maturity: The company’s data protection officer has become a more prominent figure on sales calls. Bigger customers mean more in-depth security reviews and longer sales cycles. Bigger sales teams mean a larger volume of security requests and obligations. It’s a great problem to have, but must be managed consistently while educating customers in the process.
Getting the Right Tools & Undergoing SOC 2 Compliance
As a next step for the organization, Sam’s team decided they needed to invest in the right security tools and make a commitment to a SOC 2 compliance audit. As a startup with limited resources, the build vs. buy debate didn’t last long. The team decided to invest in Threat Stack instead of leveraging open source tools, engaging MSSPs, or building its own intrusion detection system (IDS), security event alerting, and file integrity monitoring (FIM) systems. The integration with AWS, as well as the ease of implementation and configuration, helped solidify this decision.
While Threat Stack helped satisfy some of Sigstr’s customer compliance requests, the team decided that 2018 was the year to undergo a SOC 2 compliance audit. Achieving SOC 2 compliance as a growing startup with limited resources is hard, but assigning ownership and tapping the right outside experts were key in getting the process set up. The Sigstr team appointed a data protection officer to manage the process and found the right CPA firm to conduct the audit. From there, the team did a gap analysis and assigned roles and responsibilities. Threat Stack and AWS compliance features helped Sigstr gain visibility into its current state, and incrementally improve as needed.
From an internal communications perspective, it was important to get organizational buy-in on SOC 2. Part of that meant resetting expectations, so the team understood that their hard work would help them close deals with enterprise customers. Since employee bonuses are structured around the addition of net-new revenue within a quarter, this gave employees an incentive to view compliance positively, rather than as a burden.
Having these security tools and a SOC 2 letter of intent has helped drive sales and ensure both customer- and board-level confidence. With Threat Stack, the Sigstr team has increased visibility and detailed reporting into security events, taking the guesswork out of compliance. For customers, the combination of Threat Stack and AWS provides reassurance that the infrastructure environment is secure.
Key Takeaways: Aligning Security With Business Priorities
While the task of aligning security with business priorities is never easy, Sam provided these key takeaways that other startups can consider during their journeys:
- Don’t be afraid to be transparent. Customers who care will tell you what you need to do.
- Leverage well-known standards. Don’t go it alone; stand on the shoulders of giants. The Sigstr team leaned on the expertise of AWS and Threat Stack.
- Make security a part of your roadmap. Expect that security will fall into the lap of your engineers.
- Write it down. Documentation might seem like an annoyance, but having the answers to common customer concerns on hand will help sales scale more efficiently.
- Get SOC 2 buy-in. SOC 2 compliance requires help from everyone — be sure to get buy-in on the commitment needed before proceeding.
- Recognize market needs. When building a new product, it can be difficult to realize how much pressure the market imposes with regard to security, privacy, and compliance.
- Stay authentic. An organic approach to security practices speaks to Sigstr’s core value of “Staying Authentic.” Transparency with customers will help an organization grow and mature along the way.
Finally, we’d like to thank Sam for sharing his story, and encourage you to take Threat Stack for a test drive by signing up for a free demo.