Start-up Scale-up, a 36 Month Vision: Part 1/4

An overview of the journey in transforming a startup's IT systems from nothing to SOC II Type 2 compliance in 36 months.

Background

This will be the first in a four-part series where I reflect on the journey that I have taken as a System Administrator at Biofourmis, a digital health startup, from having almost nothing in IT systems, to achieving SOC II Type 2 compliance with a suite of top-class IT systems. The journey took 36 months, and I will be writing about my experience as a contributor. All views expressed are in a personal capacity and do not represent the views of any other person or organization.

Problem Statement

How does one account for every person, every piece of software, every piece of hardware? How does one reconcile the need for security with the need for flexibility, especially in a startup which values the latter over the former? How does one ensure that the company’s IT systems are compliant with the highest standards, while still allowing for the rapid growth and change that is the hallmark of a startup? Is it possible for IT systems to cater to the needs of a diverse set of employees?

Solution

The solution to these problems is a strategic vision that encompasses the needs of the company, the employees, the regulatory landscape, and the complex, ever-shifting threat environment. The solution is a tactical approach that sees how resources can be best acquired, deployed and maintained, with each employee knowing their role in the bigger picture. The solution is an operational capability that startups are known for, moving quickly and decisively to meet immediate challenges which may be unplanned, and resolve them as if they were.

From my personal point of view, it was my privilege to be part of this remarkable transformation, and to play my part in ensuring this vision was realized. I had the opportunity to work with a team of talented individuals, each bringing their unique skills and perspectives to the table.

Do not just hear from me, but also from Jamf themselves. We valued their partnership throughout this journey, and they have written the case study Biofourmis and Jamf deliver best-in-class security and regulatory compliance to showcase elements of our journey that made us the success story we are today.

Technologies Used

All technologies in the list below are the primary responsibility of the IT team and are mentioned at least once in at least one part of this series. Any omission is intentional: the technology has either been referred to under a genericized term or is not the primary responsibility of the IT team. Technologies not described by name are intentionally obfuscated to protect the company’s privacy. Technologies described by name in this series are public knowledge and are listed in the References section.

  • Product J: A cloud-based directory service that allows for the management of user identities and devices.
  • Product G: A domain registrar and web hosting service that provided the company’s initial web presence and business productivity suite.
  • Product S: A ticketing system that allows for the tracking of IT issues and requests.
  • Okta: An identity and access management service that provides secure access to applications and data.
  • Jamf Pro: A mobile device management solution that helps organizations manage and secure their Apple devices.
  • Jamf Protect: An endpoint security solution that provides advanced threat protection for macOS.
  • Jamf Connect: A solution that streamlines Mac authentication and identity management.

Lessons Learnt

The key things I learnt throughout this journey include:

  • Establishing the success of our IT supply chain through vendor relationships
  • Strategic, tactical, and operational planning for IT systems
  • Designing an office space where the human element is at the forefront
  • Understanding the single source of truth: the identity provider
  • Striking a balance between university studies and work
  • Succession planning: ensuring the continuity of knowledge in the IT team
  • Migrating critical systems from one vendor to another
  • Accurately tracking metrics to measure the success of IT systems
  • Leveraging the power of goodwill to ensure minimal resistance to change
  • Understanding the threat landscape and how to protect in a remote-first world
  • Granting automated privileged access in a zero-trust environment
  • The importance of threat intelligence through multiple sources
  • Functionally Magic: The workflow of a zero-touch deployment process
  • Empowering employees to self-serve their IT needs
  • Documentation is key: the importance of a knowledge base
  • Bringing it all together: A bottom-up approach from procedure to policy

Structure

Introduction: Start-up Scale-up, a 36 Month Vision

This post will serve as an introduction to the series, providing an overview of the journey that I have taken as a System Administrator at Biofourmis. It will outline the problems faced, the solutions implemented, lessons learnt, and the technologies used throughout the 36-month period.

Year 1: Planting the Seeds

A then-25-year-old me walked into a small office full of promise, only to find that the company had a long road ahead in terms of IT systems. Though a small team existed with several tools in place, how would I navigate this first year and plant the seeds for the future?

Year 2: Period of Growth

Before the year began, I was faced with the decision to pursue my degree or to continue implementing this grand vision. I chose to do both, and I did not regret my decision. This was a time of rapid growth for the company, and the cracks were beginning to show. How would I play a part in this period of growth?

Year 3: Harvesting the Fruits

With the hardships of the past two years behind us, it was time to prepare to harvest the fruits of our labor. Though the hardest part was over, the journey was far from complete. How would I build upon the foundation laid in the past two years, and look back to see how far we had come?

What’s Next?

This is my first professional post on the blog, and I hope to continue writing more on this series. The next post will be about the first year of my journey at Biofourmis, which will be a similarly non-technical post. I hope this first part has given you a good overview of my professional life and I hope you will be pleased with the upcoming posts.

nicholaschua@youread.me:~$ exit
logout

References

  1. Biofourmis and Jamf deliver best-in-class security and regulatory compliance
  2. Okta
  3. Jamf Pro
  4. Jamf Protect
  5. Jamf Connect
  6. Jamf Trust

This post is licensed under CC BY 4.0 by the author.