This news triggered a wave of congratulations and many questions about our approach to the compliance process.
I joined Scalingo as "Head of Information Security" in May 2020, and in this article, I propose to answer some of the questions that come up frequently. So if you want to get started... follow me behind the scenes of these two years of learning.
I was recently talking to a CTO who said he wanted to embark on an ISO 27001 compliance process.
Surprisingly, he wanted to strengthen security measures on his own initiative, without discussing it with the CEO.
Strengthening security measures can have a significant impact on development times. So I warned him and immediately encouraged him to be well aligned with the management team.
This support is needed to:
Without this support, you won't get very far. Managers need to be convinced of the opportunities and benefits to the business.
There is no shortage of arguments:
But beware, the cost is not negligible. Hence the importance of thinking ahead to identify market opportunities and expectations.
Fortunately, at Scalingo, the co-founders and managers were aware of the security importance from the start. It was in line with this strategy that my job was created: to obtain certifications and maintain a high level of security. The "boss" told you about it in the article ISO 27001, HDS, and SecNumCloud: What does it mean for Scalingo?
Compliance and increased security measures are software quality improvement initiatives. As such, they have an impact on the famous "Quality-Cost-Delivery" triangle of production and must be implemented in accordance with the company's management and strategy.
Fictional conversation between a developper and a Chief Information Security Officer:
In a startup, efficiency is the key word. Wasted time is a luxury you can't afford.
Telling a developer that he or she will have to add control measures to the development process is a sure way to have lively discussions (!).
In fact, the first interactions between colleagues were not easy when it came to talking about compliance.
Firstly, because the word “security” brings with it fears of austerity and control which can feed the concerns of your interlocutors even before you have opened your mouth.
Secondly, because your colleagues will potentially have a lot of ideas about what to do or not to do. And the most anxious people are likely to project themselves into disaster scenarios.
It took me a while to realize that part of my job was going to be what we call “change management”.
Any change in a company gives rise to “resistance” strategies. Your colleagues have something to gain, but also something to lose.
For a change in the way of working to be accepted by your colleagues, they must first understand the benefits.
Here are some fears that developers may have, objectively or subjectively, when starting to introduce additional security and control measures:
These fears need to be addressed while highlighting the benefits of certification:
In the process of compliance, your mission will be to provide constant visibility on the progress of your work and to make the final objective concrete and clear for the whole team.
If you do not have the support of the "core", who will apply the new measures on a daily basis? You will not succeed in transforming practices in the company in the long term.
Thanks to ChatGPT for this fictional but very real answering machine message.
When I took my job at Scalingo, I thought someone had posted my phone number on the DarkWeb. My LinkedIn account started to flood with notifications.
I regularly get calls or contact requests from sales people who have no idea what my company does, and don't know if the tool they offer is of any use to us.
In the field of cybersecurity, some salespeople play on fear and often promise a "magic" solution to problems that you don't have.
You will therefore need to read up on the different areas covered by security, or you will make the wrong choice.
Having a technical, project management or quality management background is certainly a prerequisite, but fortunately, there is a certain amount of content available online to train you or bring you up to date, such as
When I started in this field, the first thing I did was to interview startups and players in our ecosystem who were already involved in a certification process: AR24, Synovo, Outscale, Kiwi Backup. Thanks to them!
These interviews were rich in lessons learned. I found common points, good and bad practices
Interviews are not the only way to find information:
Cybersecurity is a field that evolves so quickly and is full of so much information that you can't be satisfied with your skills alone. Networking, leaning on others and sharing knowledge is essential.
After studying the subject and doing a pre-audit, we had to face the fact that it was going to be expensive...
To have the means to match our ambitions, we had to set up a budget.
I got out my best spreadsheet, my memories of my life as an entrepreneur and I started to draw up the budget.
It was very interesting! Because to do it, you have to consider assumptions (number of tasks, task durations, company growth, number of tool licences). To refine it, it requires very enriching conversations with the teams.
At the same time, it allows you to think about the planning: what to do first? What is a prerequisite?
Getting involved in a certification or compliance process is going to cost you a lot. The cost will depend on a lot of factors. But you can be sure of one thing: getting started without having planned a budget, an objective and a timetable is a recipe for failure.
At Scalingo, our mantra is to help tech teams focus on their added value, i.e. the code that will help the customers.
InfoSec is a field where you have to constantly juggle between two imperatives: outsource too easily and get locked into a proprietary solution, or persist in solving yourself a problem that others solve better than you.
The question of "build or buy" has often arisen and we have always taken the following approach: try to do it ourselves to understand the difficulties. Then, if we reach the limit of our capabilities, we find a trusted subcontractor that meets our security requirements.
For example, Scalingo relies on Outscale's IaaS services which are ISO 27001, HDS and SecNumCloud compliant.
Learn the difficulties of implementing different security measures in order to understand the constraints, and then outsource effectively.
The 12 labours of Asterix (Goscinny, Uderzo), looking for the pass A38
As I counted the number of documents we were going to have to write and review, I was very afraid. Afraid of the complexity of document management, of versioning hell and of going back and forth. So I didn't want to go in the direction that some colleagues had chosen, based on Word documents, nor did I want to introduce a new tool. Notion, which we use internally, did not offer me the traceability and formalism I needed.
We therefore chose to use existing tools and build on them.
At the same time, it was also a way to put some code into my daily life, I love developing.
So we used a static blog engine (Gridsome) to write and collaborate with colleagues on Markdown files and build an intranet of security policies. Git gives us traceability and versioning, and we are free to generate a PDF and an HTML version while controlling the layout and still having a textual version.
Similarly, as far as development is concerned, there is no need to modify the current Pull Request-based processes, which provide sufficient traceability. Developers are already doing PR and code reviews, just make sure that this process is followed consistently.
There is no need to turn your company's operations upside down. You probably have good practices that need to be strengthened, tools that just need to be set up properly to bring you into better compliance.
Follow the adage "If it works, don't fix it". Only if your tools reach their limits should you consider changing them.
The certification process is an undeniable asset for a company. It demonstrates a certain maturity and provides an objective assessment of the security process.
The human and financial effort is no less significant. It is necessary to be attentive to the relevance of the target standard and to be realistic about the deadlines and speed of compliance, while taking into account production requirements.
Communication throughout the project and constant dialogue with the teams, by calling on their skills and the tools already deployed, is the key factor in a smooth deployment.
Finally, it is important to be surrounded and to consult multiple sources of information, building up a personal background to form your own opinion.
These are some of the lessons learned on the road to certification. I wanted to share them both to answer the questions I've been asked and to help people who are hesitant to start.
Next Scalingo step on the certification road: SecNumCloud!