Compliance is a key consideration and pain point for founders, especially as they navigate regulation while expanding internationally: understanding and meeting the regulatory requirements of each new country can be a challenging and time-consuming process.
Regulatory compliance can broadly be defined as a company’s adherence to state, federal and international laws and regulations, relevant to its operations, to ensure product safety and quality, data and cybersecurity, safe working conditions for employees and so on.
So, for our latest Sifted Talks we focused on compliance and security challenges during expansion — and how to tackle them efficiently.
Our experts were:
- Rudy Martin, head of security at Maze, a product research platform;
- Victoria Martin, head of compliance and regulatory affairs at 10x Banking, a fintech with a focus on cloud banking;
- Paulo Rodriguez, head of international growth at Vanta, a compliance software startup.
This is what we learnt about how to avoid compliance risk.
1/ Pick standards that suit your business and client needs
There's no one-size-fits-all approach to security and compliance regulations. While there are different sets of standards that can be used to demonstrate a company’s security posture — the overall strength of the company’s cybersecurity and how secure it is from data breaches and theft of intellectual property — it’s crucial to consider your specific business needs and the corresponding security and compliance requirements.
Victoria Martin said that startups had to consider the intent of the regulation to understand which standard was best suited to the needs of their business and clients. She pointed out that while some standards were great at identifying minimum compliance requirements, it’s important to look at what would help you survive if you were to be challenged in a data breach scenario.
Rudy Martin agreed, adding that in highly regulated industries such as fintech, there’s a need to work out how to prove to your customers that you are compliant. This conveys what your customers need before they share their data with you so that they can trust and use your services — which can then be correlated with your business risk to understand which standards are the perfect fit.
“You can’t look at [security and compliance regulations] as a tick-box exercise — you need to look at it holistically on your business processes” — Victoria Martin, 10x Banking
2/ Embed security champions across teams
Often in early-stage startups, senior leaders such as the founder or CTO wear many hats and hence also take up security and compliance-related responsibilities.
Rudy Martin highlighted this point, adding that it’s no longer effective for the founder or CTO to lead compliance roles as companies scale and get bigger. He added that as head of security at Maze, he makes sure “security champions” are embedded across teams so that each team can think about security in their own capacity.
Martin added that it was vital to ensure that compliance teams were engaged with other teams — such as product and engineering — so that there's a collaborative and open relationship.
Rodriguez pointed out that companies in highly regulated industries such as fintech and healthtech tend to be prepared early on by hiring profiles geared towards risk management. However, other companies in industries that aren’t as heavily regulated function more on a per-need basis and start to think about their security posture only as they scale and acquire bigger customers.
“Instead of me scaling my resources and having a bigger team under me, I try to empower each team to think about security in certain ways within the organisation” — Rudy Martin, Maze
3/ Understand international regulatory environments
While your compliance and security posture may not be an urgent requirement while operating in local markets, it most definitely should be a priority while scaling into international markets, said Rodriguez. He emphasised the importance of evaluating your security posture especially while scaling from Europe to the US, given the wide gap between the two regulatory environments.
Victoria Martin laid out the different areas that need attention in a new regulatory environment: understanding the regulations that affect your product, regulations around storing client data, security accreditation requirements such as ISO 27001 and SOC 2, and regulatory requirements on material outsourcing to make sure you are operating your business safely for your customers.
“It’s about trying to work out what kind of regulations you are bound to in the location where you are trying to do business and trying to find out a way to unify that with what you are doing right now” — Rudy Martin, Maze
4/ Align the needs of current and new customers
Victoria Martin pointed out that when entering new markets, it’s important to understand whether existing frameworks within the company can be used to comply with regulations or if an uplift is required, which is often the case. She added that it’s also key to check whether the updated framework suits the needs of the company’s existing customer base to avoid hurdles in scaling.
Rodriguez further emphasised that new frameworks should align with the overall direction of growth and business strategy of the company. He added that to avoid a slowdown due to security and compliance needs in a new jurisdiction, the company can focus on meeting the bare minimum requirements when entering a new market and gradually develop the framework.
Panellists also highlighted the importance of having a healthy security posture in order to earn the trust of customers — especially when it comes to storing their data, and using that to communicate the value of your product in existing as well as new markets.
“Your level of security can be used to take away competition and to establish a trust relationship [with customers]. And more than anything, it removes barriers to entry and allows you to talk about your product and the value that you’re bringing to your customers” — Paulo Rodriguez, Vanta