Beyond a Great Idea: What Successful Startups Bring to the Table
For startups that want to work with organizations like ours, the first priority is to have a great idea that solves a known problem in our industry or enables us to take advantage of an identified opportunity. That's an obvious requirement. What's not always obvious (or not always appreciated) by some entrepreneurs we see is the importance of meeting non-functional, behind-the-scenes requirements, such as industry-standard controls for security, regulatory compliance, confidentiality and privacy of data. Yep, the not-so-glamorous, but very important, stuff.
Most mature startups get it. They understand that to work with a Fortune 100 company, especially one in a highly regulated industry like financial services, they must consider and implement controls for these non-functional factors. And they typically come to the table prepared to show that the requirements have been met, or can be met, quickly. That makes it a lot easier for us to engage.
Without non-functional controls in place, engaging a startup beyond the discussion phase is much more challenging. Even if the startup has an idea we want to pursue, there can be a 3- to 6-month delay as the team works to meet the non-functional requirements. And at today’s fast-moving pace, that can feel like a lifetime. While we wait for the startup to build the controls, other projects may take priority or, worse yet, our confidence in the startup’s ability to deliver may decrease.
So, what exactly are our non-functional requirements? I teamed up with two of my colleagues, Katie Anderson and Rupinder Sandhawalia, both senior engineers, to identify some of the key things we, and other large companies, look for:
Does the solution have robust information security controls?
- Does it offer a way to integrate with our application authentication process? We need to know who is accessing and using the solution and the data.
- Multi-factor authentication has become a common feature for internet-facing applications. Does the solution offer this capability?
- For the user, is the authentication process a seamless experience? Can the solution support single sign-on?
- Can you demonstrate that security procedures are in place to protect against intrusion?
- Can you show evidence of data encryption for data/media while it is in transit, as well as while it is at rest?
Does the solution have backup and disaster recovery procedures?
- Do you have robust and verifiable disaster recovery plans to recover data, and a way to notify stakeholders about the health of the application?
- Do you capture adequate system information for key events and user actions in the form of logs, and is that information available to the enterprise?
- How do you ensure the application will be up when we need it? What are your SLAs?
One way a startup can demonstrate that non-functional requirements have been met is to produce an SOC 2® compliance report from the American Institute of CPAs (AICPA). When prepared by an independent service auditor, the SOC 2® report helps us accelerate the process for review, adoption and on-boarding of the startup's solution. Speed is critical. It's one of the ways our success is measured, which is why we want to partner with startups, because we think they can help us solve a business need quickly. If that can't happen because non-functional requirements haven't been met, or details about the controls are not verifiable, then an opportunity may be lost—for both our company and for startups.