Overview
A blockchain infrastructure provider in scale-up mode, expanding globally and attracting institutional investors, suddenly had to conform to the most stringent security and governance requirements. Quickly coming into compliance with many arcane standards such as ISO 27001, NIST, SOC2, and BSIG posed significant challenges.
Key Challenges
Meeting institutional-grade compliance requirements posed a few challenges for this innovative company, including:
- compliance requests for a new market from old players
- defining the ISMS scope for a technical innovation with little precedence
- a globally distributed, remote-first workforce
Outcome
Right at the outset we all agreed that balancing a culture of innovation with institutional-grade security and governance was the central requirement.
To achieve this a multi-year compliance strategy was developed focused on:
- balancing the organisation’s and customers’ immediate needs
- establishing processes for addressing risks in the mid and long-terms
- ensuring that information security practices were embedded ‘bottom-up’ and diffused across the organisation.
A strategic, measured approach to information security led to an ISO 27001-compliant ISMS. Globally recognized, it allowed us to satisfy the broadest set of requirements while achieving certification in just a few months.
Customer demands were satisfied, the organisation was secured, and sales cycles were accelerated with a single effort.
Challenges in depth
Compliance demands from institutional customers
A common challenge that organisations face with innovation is that customers themselves are often working from static or outdated information security requirements. Requests come in as thousand-question spreadsheets that are often a mish-mash of SIG CORE, NIST, ISO and other governance standards. Additional compliance requirements like AML & KYC/KYB compound the problem.
This creates a situation that pits sales & marketing people against compliance, security, and engineering teams. It slows down sales cycles and sucks up precious time from engineers and tech leads who should be writing code, not filling out compliance forms and going to meetings.
Responses can get locked up in endless interpretations of questions about systems that are often in flux.
Information security compliance shouldn’t slow innovation and sales cycles.
Solutions
The key to overcoming this problem is taking the perspective that InfoSec is part of the overall product development lifecycle. Rather than a hindrance to sales and innovation, customer compliance requests should be taken head-on and considered as an expression of customer needs, even if they’re sometimes misguided.
Working with customers to interpret their requests into the language and context of new technology is important. As with other product demands, it’s also important to understand how customer compliance requests will evolve and get ahead of them.
Approaching compliance demands as product development allows you to then apply known strategies:
- agree on baseline MVP processes
- develop a prioritised backlog
- evolve toward automation, APIs, and dashboards
Finally, where needs are urgent, or limited to a small cohort of customers, develop bespoke service agreements.
Compliance requirements don’t have to be a scary set of demands or a cost centre. When treated correctly, they can be an asset to your business.
Defining ISMS Scope, Assets, and Risk for Blockchain Platforming
One of the first exercises that many organisations go through when embarking on the ISO 27001 certification journey – or developing any ISMS – is called a “gap analysis”, where compliance experts query the tech team to establish InfoSec requirements.
Too often, the biggest gap is between the team that developed the innovation and compliance experts who are neither technical nor subject-matter experts. This leads to problems, delays, or even failure for ISMS efforts.
For an organisation selling an innovative product such as blockchain platforming to a banking organisation, agreeing a scope starts with some pretty big questions:
- what is it?
- how do you define an asset in this context?
- what’s in / what’s out (of scope)?
- what are the risks & how do we measure them?
- whose responsibility are they?
In the blockchain environment the concerns about risk are more specific:
- encryption keys are required at various stages
- server downtime can trigger slashing, with financial or other penalties
- global legal compliance requirements are emerging day by day
Solutions
Defining information security scope for an innovation requires experience with contracts and legal agreements for tech services, a background in architecture, and risk management expertise.
The first step is to work with the legal and sales teams to understand the nature of the service, expectations, and agreements. The second is to ensure that they’re all in agreement with what’s actually technically feasible. Ensuring these things are set in the legal agreements establishes a solid foundation of an ISMS scope.
For this effort, establishing what was technically feasible meant combining experience of providing multi-tenant cloud services with strategic analysis of the new blockchain platform technology.
Finally, knowing how to define an asset – a thing of value – is about combining all of the above to establish where the risks that matter to all parties are manifest. This allows for tech teams to clearly define risks that can be measured and communicated to customers, auditors, and internal leadership.
The scope is what you, your customers, the law, and your context say it is. Understanding all of them to develop a solid scope requires the ability to work across all areas in depth.
A Globally Distributed, Remote-first Workforce
A globally distributed workforce has many advantages, but governance processes can be difficult to establish:
- enterprise practices are still predicated on everything being on-site
- ISO 27001 compliance issues extend to HR & legal, crossing many jurisdictions
- data privacy and retention requirements vary globally
- asset management for device lifecycles presents new and interesting risks and challenges
Solutions
The key to managing an organisation that’s not always in the same place at the same time is capturing risks and best practices quickly and communicating them across the organisation as procedures and policies.
A clear information security policy for home & remote work addressed risks such as working in cafes and shared spaces, as well as home networks. Operational practices such as the use of VPNs and hotspots were also enacted. Most importantly, a zero-trust ethos was established.
Finally, special attention was given to the global distribution and management of devices. This included mobile device management that balanced cyber security risks with the reality that developers require open access.