Published on March 28th, 2022
Cybersecurity certifications are the prenups of the business world
Before saying 'I do,' orgs need the right certification to guarantee a match made in heaven.
In a recent webinar I hosted, André Boucher, CISO at the National Bank of Canada (NBC), used the best analogy I've heard in a while. So good, in fact, that I've already stolen it for the headline of this piece.
He said, cybersecurity certifications are a lot like prenups: they allow both parties to understand what they are getting into. At first, it might feel heavy-handed (and unromantic) to gather all the information required, but then you both enter the relationship with eyes wide open on risks and benefits.
Cybersecurity certifications are something I get asked about a lot. For early-stage companies, the cost and effort required can be intimidating. I mean, the jargon alone can be headache-inducing: SOC 2/3, ISO27001, PCI-DSS, HIPAA, GDPR, PIPEDA, and CCPA.
Forget that alphabet soup for now. My goal here is to reframe the conversation on certifications away from minimum operational requirements and towards thinking about them as actual strategic capabilities that can drive growth.
So why are certifications so important? And what's the best way to implement them in early-stage companies? To answer those questions, I sat down with André as well as Alexis Smirnov, CTO at Dialogue, a healthcare scale-up founded in 2016 that went public on the Toronto Stock Exchange (TSX) in 2021, and Daniel Infante, CTO at Fondeadora, a Series B FinTech startup based in Mexico.
Together, we discussed three major reasons startups need these certifications and why large organizations often ask for them:
1. They build trust
When it comes to cybersecurity, building a secure system is not enough. You also need to make sure your customers have confidence in your security measures. "These are two separate initiatives, and both are equally important," says Smirnov. "Remember nuclear plants? They've been built to be amazingly safe, but people are terrified of them. No one would put them in their backyards. That's a failure."
The same is true for startups that dodge the work of earning certifications: Certifications provide an instantly recognizable seal of approval. Without them, your potential customers and partners may not trust you with their sensitive data no matter how much you invest in security.
Lack of trust means you'll miss out on big opportunities. Boucher notes a situation where NBC was considering early-stage companies for a partnership and had to reject its first choice in favour of startups that had achieved certifications. Having certifications in place is essentially table stakes for young companies aiming high: "A 100-year-old bank has already earned customers' comfort and assurance. But for a five-year-old startup, these certifications are a primary tool to gain the trust that allows you to engage in these broader conversations," says Boucher.
Smirnov adds that achieving SOC 2 Type 2 certification—one of the strictest ones out there—early on was key to Dialogue's growth. "We knew from our early days that we were going to be serving large organizations. We needed to make sure that a small Montréal startup could actually do business with established players in a famously regulated and very sensitive area like healthcare. What we've learned is that SOC 2 is among the most useful tools to create confidence, and it's served us quite well."
2. Certifications provide a common language
While earning security certifications can be onerous, they can ultimately simplify your security efforts. "They give us a common framework so we don't have to reinvent the wheel," notes Infante. Last year, Fondeadora acquired a full banking license in Mexico through the Comisión Nacional Bancaria y de Valores. While the Mexican regulator didn't require a specific international certification, their national requirements overlapped with the ISO27001 standard.
Boucher notes that certifications make it easier for NBC to establish international partnerships. "Having security certifications in place gives you a common vocabulary and understanding of risk that allows you to innovate, pivot, and onboard new initiatives as quickly as possible," he says. "As a multinational bank doing business across different countries—Canada, US, UK, Ireland, Cambodia—we need to make sure we're speaking the same language as these regulators so we can work together."
3. Certifications are just a starting point
When it comes to building robust and trustworthy security mechanisms at your startup, doing the bare minimum to appease regulators and partners will only get you so far.
"Remember that the threats that these certifications are meant to tackle will keep evolving, and so will these minimum requirements," warns Boucher. Rather than going for the lowest common denominator, a much better approach is using certifications as a starting point and making security a central theme of your company's culture and product.
As the CTO of an early-stage FinTech company, Infante had to balance the need to implement security compliance with the pressure to innovate and deliver new products quickly. As the company grew, its leaders realized that the trick was to bring the product team on the journey with them. "Our new reality was that we needed to prioritize security and compliance on the same level as product work, and the only way to do that was for the product team to understand that security was a broader responsibility that wasn't separate from product."
All three leaders agreed that to succeed, security initiatives need to be an accepted community effort. Externally, this means seeking experienced advice on how to build these systems, joining relevant networks, and building relationships with regulators. Internally, it means bringing certain security expertise in-house, making it integral to product development, following the 10 percent rule (where 10 percent of your engineering effort goes towards security work), and gaining broad acceptance of the value of security measures early on so you donât have to fight tooth and nail each time you need to invest more time and money into it.
"We didn't interpret cybersecurity and compliance as a project to finish and move on to better things," says Smirnov. "We integrated them into the culture of what we do. As a result, there really is no argument when we plan for the next quarter about whether we need to invest in cybersecurity again. These questions don't come up because there is joint recognition about the importance of the question and a joint understanding that this work is never done."
Shift the mindset
That said, in my experience working with C-level executives, the single most important thing you can do is shift the mindset. Startup leaders are addicted to the oxygen of growth and innovation, and they often worry that focusing on certifications will lead a young, nimble company to turn bureaucratic and slow. But the opposite is true: these certifications can free you to pursue bigger partnerships and take on even greater risks.
Once you have achieved that certification, you will have laid the groundwork for growth opportunities that might otherwise never have happened. Kind of like a marriage built on the trust that comes from a crystal-clear prenuptial agreement. After all, you want these relationships to be fruitful long after the honeymoon is over.