
How ‘continuous compliance’ helps us build a radically resilient organization

Posted March 26, 2024 by Will Critchlow
Last updated March 26, 2024

Source video: https://share.descript.com/view/JlBwfraLdE8


Here’s the thing about SearchPilot: we never settle. This applies whether we’re talking about the performance of our platform, how we support our customers, or, what we’re focusing on today, data security.

We see data security as something that requires constant effort. This means a ton of work for a team of our size, but it's one of our highest priorities. That’s because not only do we care deeply about our customers’ resilience and security, but we also need to comply with a whole raft of regulations.

And it’s this effort that supports us in building a radically resilient organization that successfully proves the value of SEO for our customers.

So, how has this mindset helped us become a more resilient company? And what does ‘continuous compliance’ mean anyway? Here’s what you need to know.

‘Acronym soup’ for the soul: SearchPilot’s data security compliance credentials

At SearchPilot, our customers run large, mission-critical websites. So, if we want to deploy our SEO platform inside their web stack, we must take data security and compliance more seriously than your average startup. This is where continuous compliance comes in. This means we take an ‘always on’ approach to monitoring data security compliance to ensure we meet and exceed changing industry regulations.

Fundamentally, we must comply with the likes of the GDPR and CCPA. We must also:

  • Meet the assessment criteria to be a service provider under PCI DSS level one so that we can work with e-commerce organizations.
  • Retain HIPAA compliance so we can work with US healthcare companies.
  • Maintain an ISO 27001 certification, which involves establishing transparent systems and processes for managing information.

As part of ISO 27001, we face continuous compliance testing. This includes regular automated scans of our systems and routine third-party penetration tests.

From an early stage, we’ve made continuous compliance monitoring one of our highest priorities, and for good reason. According to Drata’s 2023 Compliance Testing Report, 9 out of 10 enterprise companies plan to achieve continuous compliance in the next five years. While we aren’t that size, our customers are, and we want to match and exceed their trajectory when it comes to security and compliance.

How are we doing this? Keep reading…

First and foremost, write everything down

With customers across the globe and team members across at least 9 timezones, we quickly learned the value of writing everything down. And we mean everything. We write things down for ourselves, for our colleagues, and for our clients.

To support our continuous compliance culture, we also write things down for our future selves. By physically documenting progress, we capture things that are important but perhaps not urgent, which gives us a list of things we can continuously improve on.

When we translate this to InfoSec and compliance, this means there’s always a list of activities and ideas to look to for future functionality. These tasks might not be so critical that we tackle them today, tomorrow, or this week. But they’re important enough to capture and keep nudging forward on, inch by inch.

If they’re not urgent, though, how do we get that movement? Well, this takes us to our next point.

Form steering groups to bolster resiliency

Steering groups are an excellent way to ensure progress. Getting small groups together to meet regularly, but not too often, is really effective. It’s an approach many enterprise-level companies take to tackle those non-urgent tasks (like updating IT hardware) that help them stay resilient against external factors (like new and emerging technologies or security threats).

These steering groups can cut across teams and, while someone should own the project, the work itself isn’t reliant on any one individual. As a startup, this is a big perk. Many actions (and distractions) arise when running a smaller company, so having various team members dedicate a small amount of time means you can make effective change happen without impeding all the other day-to-day activities required to keep the ship moving.

The key to steering groups? Run them in a smart and structured way. Take minutes, have action items, review last time’s tasks, and hold each other accountable. Sure, a lot of work might get done the day or the hour before your next meeting or even during the meeting itself. But that doesn’t matter; the point is it’s getting done. And this progress is what helps us build resilience.

Roll out root cause analysis across the entire organization

Root cause analysis (RCA) is something we’ve been doing for years. Most engineering teams will be familiar with the term, but we’ve rolled it out organization-wide. The idea is that when something invariably goes wrong (we’re all human, after all), you dig into the specific areas where it went wrong. Sometimes it produces customer-facing documents; sometimes it helps you improve a process.

The idea is that it’s a blame-free retrospective process. People make mistakes, things go wrong, and outside factors come into play. But by focusing on the root cause and then assigning actions to fix these challenges, we slowly but surely reduce the number of things that can go awry in the future.

Using continuous compliance to build radical resiliency

Our ‘continuous compliance’ mindset is baked into everything we do at SearchPilot, not just engineering. We document everything, use steering groups as a catalyst for continuous improvement, and use RCA to ensure problems that occur today don’t occur tomorrow.

And while it can feel heavily engineered for a startup, it ultimately saves time because we’re not putting out the same fires again and again. It’s how industries like air travel have become as safe as they have. And it’s how I hope we’re building a radically resilient organization.

To learn more about SearchPilot and our compliance credentials or about how our platform works, sign up for a demo today.