Some milestones in the life of a company arrive because of a sudden victory—the winning of an RFP, or the latest R&D breakthrough. Others arrive because of quiet, persistent, behind-the-scenes work. It gives me great pleasure to announce that Pica9 has recently achieved a milestone of the latter type: certification for SOC 2 Type II compliance.
For those of you not familiar with it, the SOC 2 standard (also known as SSAE 18) was created by the American Institute of Certified Public Accountants (AICPA) to provide a benchmark for System and Organization Controls for Service Organizations, like Software-as-a-Service organizations.
There's a lot of talk in the SaaS industry (and in the world at large) about the importance of data privacy and security. More often than we'd like to admit, that talk is just that—lip service to an ideal. But SOC 2 Type II compliance isn't achieved with talk. It comes about because the entire organization makes a commitment to information security, because it adapts a thousand daily behaviors and practices to ensure that commitment is met, and because it undergoes a review by independent auditors to ensure that it is living up to the promises it makes regarding security to its customers.
When Pica9 receives its annual certification for data security, privacy, and availability, we like to take a moment to celebrate the fact. That's because security isn't just a matter of technology. It's a matter of human practice and discipline.
Type II compliance means every single person in the organization taking an extra few seconds, a couple dozen times each day, to make sure we keep our customers' data secure and available.
It's a developer—running that extra test on her code, based on OWASP standards. Or checking in her latest feature for code review.
It's a customer success manager—taking the extra minute to fire up her password manager and ensure ALL her passwords are unique and strong.
It's a controller, checking the user community for each application in the company's technology stack, to ensure that everybody has the access they need, and nothing more.
It's the marketing team, cleaning our prospect database to ensure we send emails to people who welcome them -- and not to people who don't.
It's our information security coordinator making sure that every member of the team updates their operating systems and browsers as fast as Apple and Microsoft and Google release new versions—which can sometimes feel like multiple times per day.
It takes a thousand little things like that, executed day after day, to be a SOC 2 Type II organization.
Some folks might say that that kind of requirement slows us down—that it's a regulatory burden that makes us less nimble, or "agile."
But folks who understand SaaS know that these disciplines all help to make a faster, safer, and more effective solution—and a stronger, more resilient organization.
So, yes—we are thrilled to announce our SOC 2 compliance, achieved with the support and guidance of our auditors at Prescient Security, and with the able assistance of our security platform, TrustCloud.
But what excites us the most isn't the badge we get to place at the top of this blog post or in our security portal. What really gets us going is how a commitment to security has made us a better company today than we were a year ago. And how it will have made us even stronger in the months and years ahead.