Preparing to Transition to an IPO

Problem

I work for a private company that plans to IPO in the future. This requires a fair amount of preparative work across the entire organization. Different departments needed to meet different standards of compliance. We needed to undergo a SOC 2 audit, and I wanted to make sure that we were prepared to be assessed as a company.

When you work with major, enterprise-level customers, they want to know whether or not you’re SOC 2 compliant, or up to the standard of any of a number of other bodies of certification. Earning official certification in cybersecurity checks off many indicators of a company worth trusting your data with.

Privacy and security are company-wide issues, not just the concern of engineering or IT. Each department has different things that they can do in order to contribute to this holistic effort.

Actions taken

Three years before this, I was already working toward a more refined engineering organization in terms of our focus on security. We were always looking for new ways to implement various processes throughout the company. We had grown from twelve to forty-five during this time.

We wanted to ensure that, as we grew, we remained just as productive as we were before. This included making sure that communication on who was doing what within the company was very clear. When you’re still small, it’s easy to simply talk to one another. As you scale, it becomes more difficult to sustain this direct way of exchanging information at every level.

Our QA team needed to be informed on what they had coming so that they could prepare themselves for any changes in our weekly releases. Before preparing to go IPO as we scaled, this process was much more ad hoc. One of my goals was to find a more efficient process for them. Change management control was another area that I wanted to focus on. We needed a better way of organizing the work to be done in regard to our product.

We put plenty of documentation in place after institutionalizing these changes. We wanted to make sure that the team knew what we were doing; the process of refining ourselves needed to be very collaborative. It was important to me that we earned everybody’s buy-in honestly.

My documentation describing our processes was also necessary to have in place before being audited. This included documentation on everything from code reviews to design estimation.

Earning this certification involved protecting not only our internal data, but the data of our customers, as well. The work involved taking a closer look at how our product could be built more securely. We used source code scanning to identify security vulnerabilities and we do bi-annual penetration tests. Last time, no major security issues were uncovered, which is something that we’re all really proud of. Our last audit necessitated zero corrective action.

Lessons learned

• If you’re building a cloud-based app or some other cloud-adjacent service or product, security has to be a top priority for the entire company. We were lucky enough to have the resources to incorporate this priority into our work as an engineering team right from the beginning. This put us in a very good position to prepare for all of the assessments that an IPO company requires.
• Our company built an entire internal cybersecurity organization last year. They have been able to provide company-level security for us. A couple of engineers on my own team focus specifically on application-level security. These devoted experts help us maintain compliance with all of the rigorous standards that operating out of California requires of us. Our customers’ data is protected at every intersection.
• Being proactive about a lot of these things allowed us to naturally prepare ourselves to become an IPO. My advice for engineering leaders is to always do the right thing. We are often working without processes already in place; thinking about processes that enhance security within the company is always time well-spent.