May 24

What to Do After a Startup Risk Assessment

So, your SOC 2/SEC auditor just performed a startup risk assessment on your cute little enterprise and now they’ve dump-trucked on you a gap list so long that you can’t even. Unclench those fists because it’s all good. Gaps mean knowledge and knowledge is power – power to create and carry out an action plan that will close up those gaps and get you on the road to Complianceville, Ky.

Let’s take a shallow dive into the wholesome world of gap remediation. After that startup risk assessment, where do you even start?

Gap Remediation: Start Here

Start here > understand your goals > understand your gap > create an action plan > do the action plan > success!

1. Understand Your Goals

Okay, so you’ve already figured out what’s wrong. Now it’s time to take a good look at your goals because they’re gonna tell you what to do next.

For example, let’s say you wanna get SOC 2 compliant. In that case, you must close all the gaps related to SOC 2’s must-haves. It’s pretty straightforward, really, because you don’t have much of a choice. But if you wanna work with clients who require SOC 2 compliance, you’ll need to make sure you meet their specific requirements. And if you have to jump through the hoops of a bigger, scarier corporation, you better believe you’ll have to close all their gaps too. Let’s face it, if you wanna work with those folks, you gotta play by their rules.

At the end of the day, it all comes down to your goals and the specific compliance requirements of the people you wanna work with. So get clear on that, and you’ll know exactly what steps to take next.

If your gaps don’t relate to regulations, but to a general “We want our startup to be bullet-proof security-wise,” your auditor might have assessed your gaps within a traffic light system. They’ve done all the risk work for you, assessing what risk attaches to which gaps and putting them in order on your to-do list, perhaps a bit like this:

Red: FOR PETE’S SAKE CLOSE THIS GAP NOW **crying hysterically**.

Amber: This needs looking at after you’ve sorted those red bad boys.

Pale amber, kind of sickly-looking: Low risk but review in six months or whenever you can be bothered.

Green: Hey, you’re good at this!

Try Playing the “Who Cares?” Game

It all boils down to the “Who cares?” test. Ask yourself: “Who cares if this gap remains open?”

If it’s for a regulatory framework audit

Those regulators will care. And so will you if they don’t validate you because of that gap.

If it’s for Big Rich Corp

You’ll care, as you want to work with them for the big bucks.

If it’s a gap that puts customer data at risk

Your customers will care, and so will you, because your reputation and sales will be shot.

OK, you’ve picked a gap to close. Now what? Read on, dear reader.

2. Understand Your Gap

To close a gap, you have to understand it. You need to know what the gap is and how it happened. You’re going to have to talk with the imperfect, very human people (just like you) who have “lived around” this gap.

Suppose you’ve discovered that the Big Rich Corp you’ve been sending cookies to wants you to have best-in-industry InfoSec policies ready for their review. You promptly discover that these policies don’t actually exist in your startup. Gak, now you gotta understand what went wrong. When you ask about these policies, you get shrugs and a story about how someone downloaded some templates and then lost them. Or maybe policies were kind of forgotten by the CIO or shouted down by the CEO. You’re going to have to learn why the policies don’t exist and which control broke down in the process of getting them created. It’s going to mean getting out there among your people, figuring out what you need, and learning what to document and how.

Bottom Line: If you don’t understand the gap’s root cause, you’ll be hunting in the dark to close it. Hastily closed gaps often erupt into gaping holes later. Ouch!

3. Create an Action Plan 

Now that you understand the gap, where it came from, and why it matters, it’s time to develop an action plan to close it. If you’re missing InfoSec policies, for example, the fix could be improving or capturing the InfoSec policies you already have, documenting (and implementing) the ones you want, or realizing you need a hand from a top IT security, compliance, and support team (hmm…wonder who that could be?) to get it done right. 

Whatever the gap, cause, and fix, develop those good ol’ SMART goals to address it. Those goals need to be:

  • Specific
  • Measurable
  • Attainable
  • Relevant
  • Time-bound

Beyond those requirements, SMART goals need to be documented – because your to-do list won’t get done if you can’t remember what is on it.

Bottom Line: SMART goals will help you close your gaps. Without an action plan, gaps stay gappy. 

4. Do The Action Plan

Action plans are great. They look good, they smell good, and they’re full of energy, hope, and optimism. But, they’re even better when they’re actually carried out. You have a much better chance of getting things done if:

  • Responsibilities and accountabilities are clear. Don’t forget to allocate resources of time, equipment, decision-making power, etc. to the people doing the work. 
  • You check in with the workers. Monitoring is important, as it offers you the chance to course-correct during gap mitigation instead of completing a gory post-mortem review to find out what went wrong.

You kind of knew all this already, didn’t you? But, what if:

  1.  You don’t have time before that funding round. 
  2.  You have the expertise, but not in gap remediation.
  3.  You’re happy to pay a decent corp (ahem, us) to do it for you.

Good news!

Pain-Free Gap Remediation After Your Startup Risk Assessment

We know you. Not like your dog knows you. We don’t need to sniff your butt to know that you need reliable IT support/security to be able to do what you do best. Our gap remediation services bring you security and scalability so you can delight your customers, go through all the shiny startup stages, then do that IPO thing you always wanted. We’re just a phone call away or, if you’re in San Francisco, stand on the top of your building and wave at us. 

Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about startup risk assessment (and other IT nerd things) is our favorite thing to do! 
