Josh Pugmire is Director of Security and Compliance at Podium, a growing customer messaging platform. Prior to joining Podium in 2019, he served as a security engagement specialist at Adobe, where he educated customers on the security controls and processes of Adobe’s Digital Experience Cloud solutions.
We spoke with Josh about what he’s learned from doing compliance at both the startup and enterprise level, as well as where he sees the industry heading in 2021 and beyond.
What does your compliance team look like right now at Podium? What have you been working on lately?
Podium was founded in 2014, but as an early-stage start-up our GRC program didn’t take shape until mid-2019 when we hired our first security engineer. He established a rudimentary security program and kicked off a few things on the compliance side for GRC, and then he hired an app sec engineer and an operations security engineer. I came on board in the fall of 2019.
My initial task was to get our SOC 2 Type 1 certification, which we did. In 2021, our goal is to get ISO 27001, and we are looking at packaging PCI and SOC 2 Type 2 into that to make managing the overlapping controls easier. We have a new hire coming on who will run the GRC side of things with dedicated time towards a compliance program. I’ve been splitting my time across security, privacy, and GRC, so we’re going to bring someone on who will be 100% focused on GRC.
You were at Adobe for eight years. What were some of the changes you saw during that time?
At Adobe, I focused on security engagement and completing vendor assessments for customers. I was at Adobe before they got SOC 2; that and ISO 27001 were just starting to become a thing a couple of years into my time there. I saw firsthand the amount of work that it took to go through those certifications. As a large corporation, the understanding was that we had these controls in place, but there was still a lot of room for improvement. It's hard when you get to a company of that size—if you want something to move, it takes a lot of effort.
Were there challenges you faced specifically doing GRC at such a large company?
Adobe has its own data center, which presents a unique set of challenges. Customers were concerned about how we managed compliance within that data center. We often had financial service companies demand that we host them onsite and do a customer audit. The walkthrough was pretty much everything that we would normally walk through with a SOC 2 auditor, and since we already shared our SOC 2 with customers it seemed like a waste of everyone’s time. I generally don't see a huge benefit to having onsite audits. For example, SOC 2 can be extremely demanding on not just the GRC team’s time, but on multiple teams’ time including engineering or HR. So to provide a SOC 2 report with everything else they request and then have the customer come back and say, “We also need to come onsite and do an audit—and if we sign with you, we're going to do an annual audit,” just seemed over the top.
So we did a couple of things to push back. The first one was to say, “Great, you can come on site but you can't ask for any of the evidence that’s already included in what we've handed over to you.” The thought was we're not going to hold customers’ hands through the same things that we've already been audited against, especially when we've brought in an accredited CPA firm. While some customers didn't like it very much, most agreed to that condition.
We also structured deals so that if any customers were really demanding and didn’t agree to the restrictions, we would charge for our time. We would say, “If you're going to come on site then you need to pay for your auditor and you need to pay for professional services on our team to sit down with you and walk you through all the evidence.” If it was something truly valuable to them, they were willing to pay for it; if not, they would typically drop it.
Do customer audits and assessments look different at Podium?
Assessments definitely look different because as a maturing startup, we don't have as much documentation. We often find ourselves on the phone instead, explaining what we have in place. Our sales team works with me so that when customers come to them, they get a brief understanding of our current security; anything more complicated or detailed they’ll bring to our team so we can answer those questions.
We also see more healthcare customers, who tend to ask a lot more questions, so getting them the information they need takes more time. Most of their questions revolve around product functionality to make sure that they've got everything aligned for HIPAA compliance. Coming from Adobe where I was handling a lot of customer requests coming in for security assessments, I know requests for SOC 2 and ISO 27001 are coming for us at Podium too. We’re smaller than Adobe, and I feel fortunate right now because there's not that many requests coming in, but I know it's coming. It’s on our roadmap to get some automation in place.
Another difference is that we don’t have a data center, which is an advantage in some ways. We’re able to lean on AWS and their compliance posture. AWS takes care of a lot as far as the physical facilities and how they're protecting them. Some customers ask for more information around the kinds of configurations and standards we have in place for our AWS environment, because without proper configuration, the AWS compliance certificates only carry so much weight.
As far as customer audits, at Podium we haven't had a ton of customers ask us for the right to audit. We have had it show up a few times in contracts where they'll reserve that right, but most of the time it’s a remote or an annual assessment, which feels like a natural thing to do in the industry. Trying to limit the onsite audit itself has been a little less burdensome here anyway; customers are welcome to come on site to see the way that we've structured things and built out the platform. They can see our engineering team, talk to the sales team and get a sales pitch, see the HR, security, privacy, and legal teams—but they're not going to see a data center, so it probably doesn’t meet the requirements that they have if they’re looking to see a data center.
It’s such an interesting difference. Adobe is a really big, well-oiled machine. When I came on at Podium, it lived up to the startup expectations—there's a lot of moving parts and rapid growth. We've quickly adopted new technologies that help us move faster, whereas Adobe has one foot in their cloud provider and another in their existing data centers. And that makes the GRC world more complicated for them.
SOC 2 was an early priority for you at Podium. Where do you see the industry heading with certifications and questionnaire requirements?
At Adobe I saw a lot of assessments coming through—SAQs, CAIQs, and SIGs—on top of the requirements for the SOC 2 and ISO 27001. I don't think any of those are going away anytime soon. It would be nice if, as an industry, we could come to a consensus on a common standard across all technology stakeholders, in the US and internationally. I’ve sat through more than a few forums where that topic has come up—and people talk about the Cloud Security Alliance, SOC 2, and ISO 27001 and how those were intended to be standards that were readily accepted. And yet we're still here, making each other jump through a lot of hoops.
I understand why: nobody wants to be breached or have a vendor that they're using be breached. But sometimes I ask myself if we’re making it too hard on each other with all the assessments that we're going through, in addition to the audits that we’re already subjecting ourselves to. Are we pushing it too far?
The pressure tends to come from the enterprise-size customers who like seeing more than the initial package that you hand over with your certification documentation or some statement on your standing with HIPAA. You can hand over a fully completed SIG and then they still come back to you and say it isn't enough. It's frustrating being on the engagement side where you're doing your best to get information in the customer’s hands for them to make an informed decision. The sales team is depending on you to get the deal done. You're trying to work with the customer, and they keep throwing more and more at you; it can start to get “head-butty” between compliance and sales. They complain, you get escalations, sometimes executive sponsors get involved and ask why you’re dragging your feet—when in reality, you're just jumping through all the hoops that the customer is throwing up for you.
I personally would like to see assessments be simplified across the industry. It would be vastly easier for us to put more weight on the audits that we all go through so that we're not causing more headaches and doing more harm than good.
Was there culture shock for you transitioning from Adobe to a smaller startup like Podium?
When I came over to Podium, I saw gaps that needed to be addressed for our compliance. But when I got in with the teams and started explaining what needed to be changed, instead of slow movement forward it was rapid adoption: “Yeah, we get it. This is a value add for compliance. It's important from a security perspective, so let's do it.” That's been a really big difference.
At Podium, the buy-in comes from the top down. We're a startup, so we still want these big customers, but if they’re being too demanding and trying to throw their weight around, I feel like I have a little bit more support from the CTO and CEO. If the customer is going to be overly demanding to work with, we try to push back. We feel pretty confident that we've got a great solution that not many have or can offer.
So you haven’t gotten any pushback from the Podium team about implementing new controls and policies?
No, there’s always pushback! One thing that I've tried to do at Podium is create a culture where GRC is not an afterthought or something that people resent. If I come to a team and say we have to implement something for compliance, I want them to feel like it’s a partnership. I’ve tried to establish really good relationships, and I think that's been really beneficial.
A startup is like the Wild West where everybody's so maverick; they do their own thing to quickly adapt and push out products and capture the market, which is great. It’s needed in the startup environment. When you come in and start to put some red tape in place, you’ll have people who don't really like that. That’s the nature of a rapidly growing company.
I’ve tried to approach it in a creative way so as not to be heavy-handed. I'll work with them to come up with a solution. With change management, for example, from an engineering perspective I'll say, “We need controls around change management as far as approval: who's seeing it, how it gets approved, and then how it's pushed to production. Let’s come up with a creative solution that everyone will buy into.”
A big focus for me has been trying to partner with people and help them see why we're asking for these things to be in place from a GRC perspective.
Once they have that understanding, it's a lot easier for them to do the work and see how it's impacting the business as a whole. And as we roll this out to the rest of the organization from the top down, the leaders are bought into it so that everyone else on the team can adopt the new processes or controls.
Another thing I’ll do is a customer showcase, where I highlight someone who recently signed with us. I’ll say, “This customer signed with us because we had compliance in place, but we made a promise to them about ISO 27001 this year. This is how much revenue came in, and it’s tied to the work that you're doing with us for compliance. We're a growing company. As long as we continue to see the revenue we are seeing, we're only going to need more of these controls in place.” I'll bring it all home and close the loop with them, and show them why compliance, and the work they’re doing for compliance, matters to the bottom line.
No matter how many features and functionalities we have within our product, if we don't have good controls in place, a customer isn’t going to come to us and say, “We want you.” Compliance is table stakes. It's like the autonomous Tesla, right? You just trust that they have all these things in place. If you put it on autopilot, you trust that it’s got the monitoring and braking down so it can identify a car in front of you and stop. The same principle applies to products and a SaaS solution. Without the compliance and security side of things, it’s not a complete offering. Security and compliance don't add anything as far as a feature or functionality to our products, but it's the peace of mind that the customer needs. It’s important, culturally, for our team to understand that and make that part of our processes.