In a recent webinar I hosted, André Boucher, CISO at the National Bank of Canada (NBC), used the best analogy I’ve heard in a while. So good, in fact, that I’ve already stolen it for the headline of this piece.
He said, cybersecurity certifications are a lot like prenups: they allow both parties to understand what they are getting into. At first, it might feel heavy-handed (and unromantic) to gather all the information required, but then you both enter the relationship with eyes wide open on risks and benefits.
Cybersecurity certifications are something I get asked about a lot. For early-stage companies, the cost and effort required can be intimidating. I mean, the jargon alone can be headache-inducing: SOC 2/3, ISO27001, PCI-DSS, HIPAA, GDPR, PIPEDA, and CCPA.
Forget that alphabet soup for now. My goal here is to reframe the conversation on certifications away from minimum operational requirements and towards thinking about them as actual strategic capabilities that can drive growth.
So why are certifications so important? And what’s the best way to implement them in early-stage companies? To answer those questions, I sat down with André as well as Alexis Smirnov, CTO at Dialogue, a healthcare scale-up founded in 2016 that went public on the Toronto Stock Exchange (TSX) in 2021, and Daniel Infante, CTO at Fondeadora, a Series B FinTech startup based in Mexico.
Together, we discussed three major reasons startups need these certifications and why large organizations often ask for them:
1. They build trust
When it comes to cybersecurity, building a secure system is not enough. You also need to make sure your customers have confidence in your security measures. “These are two separate initiatives, and both are equally important,” says Smirnov. “Remember nuclear plants? They’ve been built to be amazingly safe, but people are terrified of them. No one would put them in their backyards. That’s a failure.”
The same is true for startups that skip the work of earning certifications. Certifications provide an instantly recognizable seal of approval; without them, your potential customers and partners may not trust you with their sensitive data, no matter how much you invest in security.
Lack of trust means you’ll miss out on big opportunities. Boucher notes a situation where NBC was considering early-stage companies for a partnership and had to reject its first choice in favour of startups that had achieved certifications. Having certifications in place is essentially table stakes for young companies aiming high: “A 100-year-old bank has already earned customers’ comfort and assurance. But for a five-year-old startup, these certifications are a primary tool to gain the trust that allows you to engage in these broader conversations,” says Boucher.
Smirnov adds that achieving SOC 2 Type 2 certification—one of the strictest ones out there—early on was key to Dialogue’s growth. “We knew from our early days that we were going to be serving large organizations. We needed to make sure that a small Montréal startup could actually do business with established players in a famously regulated and very sensitive area like healthcare. What we’ve learned is that SOC 2 is among the most useful tools to create confidence, and it’s served us quite well.”
2. Certifications provide a common language
While earning security certifications can be onerous, they can ultimately simplify your security efforts. “They give us a common framework so we don’t have to reinvent the wheel,” notes Infante. Last year, Fondeadora acquired a full banking license in Mexico through the Comisión Nacional Bancaria y de Valores. While the Mexican regulator didn’t require a specific international certification, its national requirements overlapped with the ISO27001 standard.
Boucher notes that certifications make it easier for NBC to establish international partnerships. “Having security certifications in place gives you a common vocabulary and understanding of risk that allows you to innovate, pivot, and onboard new initiatives as quickly as possible,” he says. “As a multinational bank doing business across different countries—Canada, US, UK, Ireland, Cambodia—we need to make sure we’re speaking the same language as these regulators so we can work together.”
3. Certifications are just a starting point
When it comes to building robust and trustworthy security mechanisms at your startup, doing the bare minimum to appease regulators and partners will only get you so far.
“Remember that the threats that these certifications are meant to tackle will keep evolving, and so will these minimum requirements,” warns Boucher. Rather than going for the lowest common denominator, a much better approach is using certifications as a starting point and making security a central theme of your company’s culture and product.
As the CTO of an early-stage FinTech company, Infante had to balance the need to implement security compliance with the pressure to innovate and deliver new products quickly. As the company grew, its leaders realized that the trick was to bring the product team on the journey with them. “Our new reality was that we needed to prioritize security and compliance on the same level as product work, and the only way to do that was for the product team to understand that security was a broader responsibility that wasn’t separate from product.”
All three leaders agreed that to succeed, security initiatives need to be an accepted community effort. Externally, this means seeking experienced advice on how to build these systems, joining relevant networks, and building relationships with regulators. Internally, it means bringing certain security expertise in-house, making it integral to product development, following the 10 percent rule (where 10 percent of your engineering effort goes towards security work), and gaining broad acceptance of the value of security measures early on so you don’t have to fight tooth and nail each time you need to invest more time and money into it.
“We didn’t interpret cybersecurity and compliance as a project to finish and move on to better things,” says Smirnov. “We integrated them into the culture of what we do. As a result, there really is no argument when we plan for the next quarter about whether we need to invest in cybersecurity again. These questions don’t come up because there is joint recognition about the importance of the question and a joint understanding that this work is never done.”
Shift the mindset
That said, in my experience working with C-level executives, the single most important thing you can do is shift the mindset. Startup leaders are addicted to the oxygen of growth and innovation, and they often worry that focusing on certifications will lead a young, nimble company to turn bureaucratic and slow. But the opposite is true: these certifications can free you to pursue bigger partnerships and take on even greater risks.
Once you have achieved that certification, you will have laid the groundwork for growth opportunities that might otherwise never have happened. Kind of like a marriage built on the trust that comes from a crystal-clear prenuptial agreement. After all, you want these relationships to be fruitful long after the honeymoon is over.