We recently had the opportunity to interview Gtmhub’s Co-Founder and CTO Radoslav Georgiev and Information Security Manager Ivan Dichev for a case study. We discussed the importance of security in a rapidly growing tech company, their decision to pursue SOC 2 and ISO 27001 certification, and how Carbide’s information security management platform accelerated their compliance journey.
Tell us a little about Gtmhub and what you do.
Radoslav: Gtmhub provides the world’s most flexible enterprise orchestration platform based on the objectives and key results (OKR) management methodology. We work with organizations all across the spectrum, from small and medium businesses to nonprofit organizations and large enterprises that have thousands of employees worldwide. And we help them with the management, tracking, and operation of their OKR performance cycles.
What kind of data do you hold for your customers?
Radoslav: OKR data can include different parts of every business function. For example, sometimes a customer may choose to sync Gtmhub with their customer relationship management (CRM) system or some other business system that they use in their day-to-day work. Data from such systems helps Gtmhub analyze performance against the company’s strategic goals and initiatives.
That means that Gtmhub might have access to data that you typically have in your CRM system or your support management system. That’s why we want to make sure our customers’ data is protected so that we prevent any leaks or unintentional exposure to confidential customer information. We deem all the customer data that resides in Gtmhub as strictly confidential, and we have implemented the necessary data classification and management policies.
Why did you choose to pursue SOC 2 compliance?
Ivan: Almost every customer has expectations that if you’re a cloud application vendor, then you should already comply with security standards and apply certain security practices. We had a security program, but we wanted a universal approach to security that was well recognized and accepted by our customers, prospects, and the industry. So in 2019, we decided to implement the SOC 2 framework, which basically provides assurance about how vendors manage customer data.
Radoslav: We saw SOC 2 as a matter of validation against our internal security program. Achieving SOC 2 compliance is just one very visible way to attest to our customers and other interested parties that our platform is a solid one. We’re talking about the main trust service principles of security, reliability, and availability.
Does SOC 2 compliance make an impact on your sales cycle? If so, how?
Radoslav: SOC 2 streamlines the procurement process with our customers. When we’re in a typical sales life cycle with a more established organization, they’re usually already running a security program that has a vendor management component to it. That vendor management piece basically requires a vendor organization to comply with certain principles, usually around security or business continuity, etc.
So for example, one of our largest customers is Société Générale, one of the biggest French banks. We have another big bank from South Africa called Absa. You can guess why data security is important for such types of organizations when you have your performance metrics and strategy and execution information added into Gtmhub.
By demonstrating SOC 2 compliance, we can streamline this vendor management process. Instead of having to go through a rigorous security audit by every single customer, we just present them with the already made attestation by an external third party that we comply with their security requirements.
Did the SOC 2 process change the way you managed security at all?
Radoslav: We used to manage our security program internally in SharePoint, basically in combination with a Confluence space where we outlined every procedure and every plan. For example, when you have an incident response procedure and plan, this would be defined in Confluence, and then we would have a policy backing it in SharePoint.
When we started to reevaluate our security program both for SOC 2 and also as a prelude to achieving ISO 27001 compliance, we confirmed that a lot of the policies and procedures were reasonably well developed and defined, but that we had a few areas that needed additional focus, particularly around business continuity.
In addition, we didn’t have a big security team, and we needed to be able to scale the program pretty quickly. There is a lot of documentation; there are a lot of policies and procedures that have to be adopted and onboarded. And then you have to train your whole company on working with those policies, what they mean and why we are adopting them.
That’s when we started looking for a tool that could help us systematically drive our security program and identify areas for improvement. We found Carbide through the Techstars network.
Did Carbide help with the SOC 2 process?
Radoslav: It really did. Carbide provided us with a lot of knowledge that we were missing when it came to SOC 2 program management. Carbide really helped us get through the initial phase, further developing what was missing or identified as gaps in our security program.
Carbide also provided us with a clear direction for the program, including all aspects: from policy definition to communication, acceptance, and training of our employees.
We achieved SOC 2 compliance quicker than we would have without Carbide, mainly because it gave us knowledge and best practices in areas where we had some gaps in our program.
Ivan: Carbide had a number of features that facilitated the SOC 2 audit. For us, the security awareness and the business continuity modules, in particular, helped us to show the auditors that we have a strong information security program, which is in compliance with the control requirements of the framework. We also heavily used the reporting capabilities during the SOC 2 audit to showcase the security controls we have in place.
Could you explain the awareness training piece a little more?
Radoslav: After helping us develop all the new policies we needed for SOC 2 compliance, Carbide then facilitated the communication, onboarding, and review of those new policies across our entire team, helping us ensure they got trained, and managing the process after the program has been adopted.
Ivan: Carbide has become an integral part of the learning process at Gtmhub. During the new employee onboarding process, people need to understand all these policies and procedures so that they perform according to our internal security standards.
They also need to acknowledge their responsibilities. We can track the progress of each training for each employee. And later on, if there is a change in the content, notifications can be sent directly from the application. So, this can also facilitate refresher trainings. Since it’s all online, people can learn at their own pace, and they can also bookmark the information that they find and access it whenever it’s needed.
Beyond SOC 2 support, what kind of benefits have you experienced with Carbide?
Radoslav: Carbide provides peace of mind and saves us a lot of time when running the program, because we automate a lot of the menial tasks when it comes to program compliance. We only have to focus on maintaining the program, ensuring that the controls are in place, and reviewing for any deficiencies.
For me, the biggest benefit is the simplification of the security management program. You immediately know what needs to be done for each part of the security program. For example, if you are talking about information security and data encryption and data classification policies, Carbide gives you a customized template that helps you develop your program, and then you also get pretty neat project management capabilities within the platform that you will use later on to communicate and train your company to be on board with those policies.
Once you set it up, you don’t have to think a lot about it.
Can you provide a real-world example of how Carbide reduces effort on an ongoing basis?
Radoslav: A good example is during employee onboarding. It’s critical that every employee understands and follows our policies and best practices. With Carbide, we just add the employees into the platform within their relevant roles and groups. They automatically get assigned the policies that are applicable to them, because not every policy applies to every role at Gtmhub. But once you set the roles in Carbide, that program is basically on autopilot.
Ivan: Through that functionality, Carbide allows us to create tailored training for each role in the company. As a result, we can onboard and train new team members rapidly, which saves us time and resources, without sacrificing our security standards.
So what’s next on the security front from Gtmhub?
Ivan: Now that we have the SOC 2 audit behind us, we’re aiming to achieve ISO 27001 certification. Both frameworks have some common controls like security awareness, risk management, business continuity, etc., and Carbide helps us understand the overlap and the gaps.
We’ll be able to reuse most of the information that we already have in Carbide.
Making SOC 2 Compliance Easier with Carbide
We know what a time-consuming ordeal achieving SOC 2 compliance can be — that’s why we have SOC 2 controls, policies, tasks, and planning tools built into the Carbide platform. With a custom-generated security program based on the SOC 2 framework and your unique business operations, you can quickly start checking off items on your SOC 2 to-do list. Talk with us about our mission to make SOC 2 readiness as painless as possible.
Talk with us about how Carbide can save you time and money on SOC 2.