Start-ups committed to becoming something special begin building their new business as they mean to go on, particularly in the potentially business velocity-killing areas of security and compliance.
For start-ups in highly regulated industries like healthcare and finance, the requirement to have the right technical and organizational controls in place is nothing less than existential. Without confidence that your tech is built to support and protect sensitive data flows securely, and the assurance that you’re on the right side of the data regulations, you’re unlikely to get past the start line.
In the early days, sound data governance should be foundational as you bake privacy and security by design into every element of your product and proposition. But what about the scale stage? Your product is being rapidly adopted by the market, your team is growing, and you need to invest in the technical capability and talent to give you the strength you need to scale your data security and management efforts. At this stage you’ll be moving from a smaller founding team who have been able to task switch, to dedicated experts who’ll build world-class features. You may even call on external consultants’ expertise too.
So how do you scale with product-led growth without adding friction and creating silos? How do you embody good data custodianship without implementing enterprise-grade compliance tools that aren’t designed for a company of your scale? If you want to comply in agile ways, and maintain control without slamming on the brakes, then read on. We are keen to share an approach that works for Bearer, as a scaling, cloud-first company.
What was the approach?
Practicing what we preach
Bearer is on a mission to help organizations protect sensitive data, so naturally that mission starts with the internal approach to good data management.
A progressive program
When first setting up Bearer’s compliance program, and working with the team, we knew that a cumbersome path was not going to cut it. Excel sheets, paper policies, and a project-based approach to information security, governance, and privacy are the domain of enterprise.
A principle-based approach as a global, remote-first company
Bearer is a cloud-native, remote-first company, so while traditional policies are based on legal jurisdiction, a key objective was to accommodate a dispersed team. The policies were therefore designed and implemented pragmatically, globally, and on a risk basis first.
Joined up, programmatic data management
Bearer knew that hiring a set of subject-matter experts on security, privacy, and governance would be inefficient and would only lead to the creation of silos and disconnects—not to mention significantly ramping up costs. Instead, we put theory and experience into practice, using Bearer’s application and philosophy for holistic compliance to align everything with the Bearer values. We created a connected program, bringing security, privacy, data management, and risk together.
“CEOs should consolidate the data governance, data analytics, data privacy and information security functions, and assign accountability.” — PwC
Applied policies; creating good habits
Instead of implementing new processes, Bearer built on what it already had in order to create good habits. As Bearer’s Privacy and Security lead, I worked with the CTO to leverage settings and technical controls to directly apply policies. Retention and backup of data is a case in point: we aligned infrastructure and security settings with the legal requirements for how long data should be stored. This way, Bearer doesn’t have multiple processes at odds with each other.
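As an added illustration of deriving retention and backup settings from one policy so they cannot drift apart (example code, not Bearer’s own implementation), the categories, periods and the shape of the “deployed” settings below are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RetentionRule:
    category: str   # data category, e.g. "billing_records" (constructed)
    max_days: int   # maximum retention period the policy allows for live data
    basis: str      # stated basis for the period (constructed, illustrative)

# Single source of truth: the retention policy. Values are constructed samples.
POLICY = [
    RetentionRule("billing_records", 365 * 7, "record-keeping (assumed)"),
    RetentionRule("support_tickets", 365 * 2, "contract support (assumed)"),
    RetentionRule("access_logs", 90, "security monitoring (assumed)"),
]
def lifecycle_rules(policy):
    """Storage lifecycle expiry derived from the policy, one rule per category."""
    return {r.category: {"expire_after_days": r.max_days} for r in policy}

def backup_retention(policy, grace_days=30):
    """Backup copies may outlive live data only by a fixed restore window."""
    return {r.category: r.max_days + grace_days for r in policy}

def find_drift(policy, deployed_lifecycle, deployed_backups, grace_days=30):
    """Compare deployed settings with the policy; return (category, problem) pairs."""
    problems = []
    for rule in policy:
        life = deployed_lifecycle.get(rule.category)
        if life is None:
            problems.append((rule.category, "no lifecycle rule deployed"))
        elif life["expire_after_days"] > rule.max_days:
            problems.append((rule.category, "lifecycle exceeds policy period"))
        backup = deployed_backups.get(rule.category)
        if backup is None:
            problems.append((rule.category, "no backup retention deployed"))
        elif backup > rule.max_days + grace_days:
            problems.append((rule.category, "backup exceeds policy period"))
    return problems

# Constructed "deployed" settings with two deliberate mistakes: access logs kept
# for a year, and no backup retention configured for support tickets.
DEPLOYED_LIFECYCLE = {
    "billing_records": {"expire_after_days": 365 * 7},
    "support_tickets": {"expire_after_days": 365 * 2},
    "access_logs": {"expire_after_days": 365},
}
DEPLOYED_BACKUPS = {"billing_records": 365 * 7 + 30, "access_logs": 120}
if __name__ == "__main__":
    for category, problem in find_drift(POLICY, DEPLOYED_LIFECYCLE, DEPLOYED_BACKUPS):
        print(f"{category}: {problem}")
```

Running the drift check in CI against the settings you actually deploy is what turns the written retention policy into an applied one.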
The most important component, however, is investing in continual learning for the Bearer team and sharing expertise and knowledge. Bearer’s objective is to build and democratize domain expertise across every role in Bearer. From 101 sessions on data security to deeper dives into Privacy Enhancing Technologies, the learning program sets a baseline and taps into individuals’ passions. Some are drawn to ethics and privacy. For others, it’s data management. This broad and deep approach will aid in owning compliance and innovating in this industry.
So, what do we mean by holistic data governance?
Holistic data management recognizes that the disciplines of privacy, risk, and security intersect. Your program needs to be at the nexus of them all if you are to be a responsible custodian of data, respect people’s information rights, and implement proper safeguards to deliver data resilience.
And putting theory into practice means working with the whole of the business and team to federate processes and design for security. Holistic data management is proactive; when it is really meaningful, it recognizes that people and culture are as important as technical controls and process design. Embedding this approach means that, in a progressive, cloud-native global company, you move away from the term ‘governance’ and towards data management with design-driven data security and privacy.
How can you put a joined-up approach to data management into practice with your team?
As a leader in a scaling tech company, it’s no longer enough to be a subject-matter expert in a single discipline. In fact, it’s probably unhelpful to think in terms of single disciplines at all.
Instead, general expertise across the interlocking domains of governance, privacy, and security is required. Only then can you design a program which gives appropriate weight to all three across your whole stack. You cannot operationalize data management properly any other way.
That is a big ask. There is a phenomenal amount of reading, horizon scanning, and learning to keep up with in each of these domains. It’s all too easy to get lost in the weeds or fall down a rabbit hole.
This is why it takes the support of the entire team so that continual learning works—rather than just being a whole lot of work.
Here are the lessons we’ve learned building the Bearer program and what we would recommend for tech startups seeking to embrace data management in a scalable way:
- Connect your program to your cultural values and your approach to risk. At Bearer, the core values include trust and responsibility, so doing the right thing with data and building processes that align with a clear RACI model with the team was critical, as was aligning to Bearer’s risk appetite and model. This approach helped build belief and buy-in for the higher purpose of the program, while using risk management as a practical lever for delivery.
- Communications and words matter. Governance and compliance may be instantly meaningful for those of us who have worked in this area for years, but for them to be meaningful to a wider, tech-savvy team it is vital to use terms which relate to what they do practically—and why. For example: “we look after people’s information to build trust.” Bring policies to life. Explain them simply, use plain English, and add graphics and video when more explanation is needed.
- Build a ‘kaizen culture’ of continual learning and growth, and champion general expertise. The killer of traditional compliance is inertia. Things start with good intentions, but a paper-based process soon falls by the wayside when it’s left to one person. Instead, as a Data Security and Privacy leader, bring colleagues in. Make the case for learning by doing and share processes with the wider team so that you can build their skill set in progressive data security and management. There can be no doubt these skills are mission critical for the next decade and beyond for the whole team, so make learning practical and focussed on developing relevant skills.