In 2013, Magnulf Pilskog found himself in a tiny room in Norway with sticky notes plastered all over the walls. He was working as an IT consultant for one of the country’s largest banks and mapping out all the applications in their system — one sticky note per application. 

He ended up with a complex network where teams were able to complete their own tasks, but were lost when it came to understanding the bigger picture. Data was constantly added, changed, and archived, but nothing was communicated to other teams.

With no satisfactory solution in sight, Pilskog and his former colleague and now-cofounder, Erik Bakstad, decided to create Ardoq, a cloud-native collaboration platform that reinvents traditional enterprise architecture. 

“Essentially, you can model a digital twin of your organization in a graph database,” says Nicholas Murison, Ardoq’s Chief Information Security Officer (CISO). By mapping all data, people, and systems, the platform helps stakeholders visualize and analyze how everything is interconnected and the potential impact of changing a single piece. 

Ardoq has gone through its own share of changes, as well. “In the first five years, we didn't get many customers. But then in the past five years, we've gone to over 300 customers with steady growth on top of that,” says Murison. This includes the likes of Carlsberg, BT Group, The University of British Columbia, and several financial service institutions.

Since then, Ardoq has become a recognized industry leader, helping organizations successfully navigate their change management and digital transformation projects. Platform users include enterprise architects, project managers, C-level executives, and other key stakeholders.

“We don’t have a change management process”

When Murison joined Ardoq in 2019 to build its security program, he met an interesting challenge: A lot of the correct controls and processes were already implemented. Safeguards were in place to protect critical systems. And the developers knew what they were doing from a security point of view. But the organization wasn’t effectively communicating these efforts.  

“Large financial institutions, for example, would say to us, ‘Well, I'm sure you've got stuff in order, but how does that fit into a language we understand?’,” says Murison. 

A gap analysis of Ardoq’s existing security program revealed the same thing. According to external consultants, the team was doing a lot of the right tasks, but lacked the ability to describe how they were doing them. 

“I took that feedback and made a very bold and stupid claim to the product and engineering team, saying, ‘Oh well, we don't have a change management process.’,” says Murison. “That wasn't exactly correct. I was just using auditor language and calling it a change management process. While internally, we have a ‘Pull Request Manifesto’ for how engineering expects changes to be done — essentially, a change management document.” 

This was a huge ‘aha’ moment for Murison. Instead of assuming that all processes use the standard’s exact terminology, he takes his cue from Ardoq’s internal teams. How do they develop and test products? How do they deploy changes? Once the existing processes are clear, it’s a matter of figuring out how they fit into the requirements of the standard.  

“Look at what your customers care about”

Being able to document the details of Ardoq’s security operations was a big effort that took the team about a year to complete. 

“We were figuring out how to communicate to our customers that we take security seriously and we have the right investment and program,” he says. “Possibly the biggest driver to get certified is the stamp of approval for customers who go through our sales process and say, ‘You know, it would be helpful if you had this.’ So there’s a huge commercial incentive to put these in place.”

To lighten their workload, the company focused on standards that were most important to customers — SOC 2 for the US market and ISO 27001 for the Europe and greater market. Rather than certifying their entire operations, which would require significantly more time and effort, the team narrowed the compliance scope to product, engineering, and other support functions directly involved in developing and maintaining the platform. 

The team also used OneTrust Certification Automation to help with the process. “I had never seen the tool before and thought, ‘Okay, this looks interesting.’ If you want ISO 27001 compliance, it takes you through specific questions: What kind of organization are you? What kind of things do you have going on? And then it suggests the controls that are applicable to you,” says Murison. “It really helped us understand what areas we needed to work on and gave us a roadmap.” 

“Implementing security will slow down everything else”

“For decades, security teams were known as the people you go to if you want to hear the word ‘no’,” Murison says. “If you don’t know the full picture, it’s easy to just be risk-averse and default to saying no to any new application or new feature on the platform. That's going to really hurt productivity.”

Finding a way to balance the two — security and productivity — was a priority from day one. Murison kicked off Ardoq’s ISO 27001 compliance initiative at an all-hands meeting, explaining the need to safeguard its increasing stores of customer data. By posing the problem to the entire organization, he encouraged those who knew the systems best to participate in the conversation. 

“There's going to be a natural amount of concern and resistance. Understanding where that resistance is coming from, and figuring out how we can go forward together is quite important for us,” he says.

“When I joined, I had a one-on-one with our CEO and one of the things he said to me was, ‘If you aren't embarrassed by the number of times you've said something, you probably haven't said it enough times.’”

“If it hurts, automate it”

As Ardoq continues to grow — with more than 200 employees across four global offices — there are more non-technical users across the organization. “They know how to do their job, but they don't necessarily know why they have to patch their laptop,” says Murison. 

Instead of requiring everyone to manually keep pace with the rapid changes in security, the team leans heavily on automating as much as possible. “If you're going to implement a new process or a new endpoint security solution, make it really, really easy for them to do the right thing. Don't put obstacles in the way and don't create friction that will slow them down,” he says.

Using Certification Automation to centrally manage Ardoq’s compliance portfolio further simplifies these critical security tasks. The tool automatically scopes applicable compliance requirements, maps common controls that apply across multiple frameworks, and invites auditors into the platform to enable real-time collaboration. 

“Certification Automation is very good at holding your hand through this stuff,” says Murison. “We do one control and then by being able to evidence it in one platform, we can point auditors to the same control, which is hugely valuable and saves us a lot of time.” 

When it comes to the best way to approach security, Murison references the Chinese proverb of a paper tiger. “The concept is that you make something much bigger than it needs to be, so you become scared of the size and magnitude of the task,” he says. “But when you pick it apart, you realize you don't need to make it that difficult for yourself. Don't create a paper tiger.”