For a cloud platform, getting your SOC2 security certification is seen as a rite of passage for teams that have made it. The cost and operational constraints of SOC2 mean that you would only get it once the business is out of the startup phase and into the growth phase. However, it is universally recognized as a grinder for an already busy team. There are hundreds of policies and procedures, auditors, deadlines and reports.
SOC2 was developed by the American Institute of CPAs (or the accountants). SOC2 is an operational security program for managing customer data that is based on five trust service principles: security, availability, processing integrity, confidentiality and privacy. SOC2 is a modern equivalent to ISO 27001 certifications - but designed for cloud platforms. ISO 27001 is more suitable for organizations that operate their own data centers. Athennian uses AWS as our hosting provider, and AWS carries ISO 27001 certifications for its physical data warehouses.
As with any business process, SOC2 is only as effective as the team’s buy-in. Otherwise, it’s not worth the paper it’s written on. SOC2 compliance requires significant changes to team behaviour to ensure operational security. If the SOC2 certification process were a hellish experience - which it often is - we would have low team buy-in after getting the certification. So we decided we would intentionally make the process a fun team sport.
Here are some strategies we used to make our SOC2 journey fun. Hopefully they will be useful to other teams pursuing SOC2 or other operational security certifications.
Declare a dedicated war room: Having a dedicated and marked space for the project team signals a couple of important things. Occupying physical space in communal places like meeting rooms signals that the project is important. It adds visibility so the entire team can see that it is happening. It makes it real for everyone outside of the project team. For the project team, it reinforces that the project is special.
Having dedicated space also allowed us to create a scoreboard of tasks, status and assignee. Although we tracked this in a shared Google Sheet, having it also tracked on a whiteboard in the War Room added to the gravity of the project and helped keep meetings focused.
Keep meetings short: There’s lots of commentary and research on the negative impact of long meetings. By being organized and concise, we kept meetings as short as possible even while covering complex topics.
Use memes: We use memes internally to communicate how we’re feeling about situations in a comedic medium. A funny meme helps keep serious work less stressful.