May 23, 2023

Staffing and Compliance: A Strategic Approach to Hiring

Devon Lane
Founder and CEO
at Flowbase

As the founder or CEO of a growing business, you’ve likely traveled down a bumpy road. 

The good thing about that is that you’ve likely learned some valuable lessons along the way. These lessons might include knowing that shortcuts are rarely what they seem. You should always trust but verify. Plus, now you know how to see the value in your offerings that your enterprise clients don’t see, and vice versa.

At this point, as your company grows and you struggle to balance regulatory compliance with increasingly complex data management responsibilities, you’re probably facing a new challenge: staffing.

The demands of SOC 2 and the five trust principles (plus the demands of the GDPR or HIPAA, if they apply to your company), are pushing you beyond your current staffing capabilities, and it’s time to bring on some new faces and expand your team. Here are a few things to keep in mind as you take this critical step.

Understand your legal requirements before you start writing your job post

Do you need a compliance officer or Data Security Specialist? And if so, what legal or regulatory mandate requires you to make this move? If you don’t really need to create a new position just yet, hold off until you’re sure and until you can clearly define the responsibilities of the position. Confirm that you can’t find those skills on your current team, or from an existing third-party relationship. There are few bigger headaches or more expensive mistakes than those that come with hasty or unnecessary hiring.

Max out your current team before adding someone new

Trust that each member of your team will speak up honestly about their bandwidth, and push the limits of your current capability before bringing a new person on board. Four people with a steady work rhythm, a strong social fabric and a sense of personal commitment are better than five people burdened by holdups, clashes, and miscommunications. This will require fostering a culture of open communication within your team, so that each individual has a chance to speak up when they feel they’re at their limit or that they are taking on work that isn’t valuable to them.

Recognize the responsibilities of having an employee

Your current team may consist of co-founders connected by clear contract terms and compensated with company shares as well as paychecks. A new employee will bring an entirely different set of terms, obligations, tax requirements, and workplace accommodations that you’ll need to understand before you hire. Will you apply an at-will agreement? A six-month contract open to renewal? A full-time position with benefits, or a part-time hourly role? What will you owe your employee in exchange for their labor and intellectual property? How will you protect your own intellectual property when the person decides to leave?

Before you begin the sourcing, interviewing, and hiring process, talk to our team of compliance experts and make sure you understand both the benefits and the responsibilities of inviting a new person into your workplace and your data infrastructure. 

You can reach out to us on our contact page

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog