How Canva embarked on its cyber security maturity journey and achieved ISO 27001 Certification
Canva wanted to establish a strong security foundation in an incredibly fast changing and growing company. ‘Bake-in’ security in a start-up culture and operations for security to scale with the business.
We had already worked with several tech giants, and was no stranger to the Canva way of working and understood well its values, culture and the importance of implementing a solution which preserved them.
Beyond our proven track record of implementing ISMS certified to ISO 27001, Canva chose to work with us because of our cultural fit, flexibility, and the shared ideology in achieving security and risk management outcomes without hindering business growth.
- Established a security roadmap with ownership at founders and senior leaders’ level.
- Improved security controls with a company-wide focus on security.
- Attained ISO 27001 certification.
“We needed someone who would take into account the state of Canva as it was before we started this project. Not only the state of our security and risk management maturity at the time, but also very importantly, the culture of the organisation. Privasec [Sekuro founding company] was very good at this. They had a high level of expertise, are very communicative and we had incredible engagement.” – Geoff Chiang, Security Governance, Risk & Compliance Manager, Canva
Cyber security for start-ups: How to achieve compliance without hindering culture or growth
Canva was looking beyond ‘just’ ISO 27001 certification for real security and risk management outcomes that would help the unicorn sustainably ‘bake-in’ security into everything they do without compromising its culture nor its growth.
- Improve Canva’s security posture and maturity by establishing a lasting risk management framework;
- Implement security as a culture so that it is ‘baked-in’ in its operations and can inherently scale alongside the business;
- Increase the enterprise market credibility and trust by accelerating the security initiatives already in play;
- Toughen security ecosystem to reduce the likelihood of future information security.
Why ISO 27001 Certification?Canva has over 60 million monthly active users across 190 countries who have collectively created over seven billion designs to date! Initially launched as a B2C platform, Canva quickly became the design application of choice for marketing and content creating teams within businesses, and now offers a fully-fledged enterprise platform for larger business users.
“We are really particular about positive security and risk management outcomes because that is what’s going to drive the growth in the future.” – Geoff Chiang, Security Governance, Risk & Compliance Manager, CanvaHousing and protecting its IP as well as its users’ data is mission-critical to Canva, which embarked on a significant security uplift journey at the back of a data breach in 2019. As part of this journey, Canva wanted to adopt a risk approach that would ‘bake-in’ security in its culture and operations. Given the rapid growth in cyber attacks and the ever-increasing footprint of Canva, Canva was also determined to demonstrate its security commitment to its users. Many of the professional users of Canva do require their suppliers and contractors demonstrate a secure environment as a mandatory requirement for doing business.
“We had to build a risk management framework from the ground up. Once something’s in production, it’s in legacy and it takes effort to keep up with security that gets introduced after you’ve jumped into a technology.” Geoff Chiang, Security Governance, Risk & Compliance Manager, CanvaThink Silicon Valley fast-paced and agile technology company. That’s Canva. The challenge was to establish a strong security culture within a fast-growing company with a lot of competing priorities. With the constant change in an organisation that is continually building and incorporating technology at a rapid rate, there becomes a crucial need to ‘bake-in’ security in all operations so that it can grow and keep up with the pace of the business. Canva also has a critical mission to ensure that the increasingly growing user information being amassed daily is secured and personal information exposure is reduced to a minimum. Lastly, to enable its incredible growth, Canvanauts (the people working at Canva) had historically been given huge autonomy and agility. Canva needed to preserve that culture whilst at the same time introduce better security governance and oversight in its operations.
Our Solution for Canva
Sekuro’s governance approach is centred on the principle that ‘no two organisations are the same’. This means no two effective Information Security Management Systems (ISMS) are ever the same.
“As an organisation, we are based on very strong values of ownership, flexibility, and have an overall no-nonsense commitment that allows us to easily adapt to the working style at Canva,”
We worked with Canva to design an ISMS around this constant growth and change that the team at Canva thrives on, ensuring that the methodology was customised to fit the culture and precise needs of Canva and its operations. This was an essential step in the implementation process – “if the risk methodology does not fit with how the business is run, the staff will be unable execute, resulting in a near certain breakdown of the ISMS in the longer term”.
Implementing a system that every ‘Canvanaut’ will, and can, use themselves was also a key consideration. We typically offers our clients a Microsoft SharePoint ISMS portal which has been built and matured over years of practical security operations and auditing. This approach would not work with Canva, which needed something tailored to their existing productivity tools. We were already very familiar with the tools and technologies used by Canva, using many of these daily. In addition to the fact that Canva did not have to purchase any new security governance platform, Canva’s stakeholders were also much more willing to adopt the ISMS.
In conjunction with Cava, we conducted over 40+ interviews and workshops, from the new starters to the founders, to identify and formulate security risks at a level that Canva could manage, along with an actionable list of items which would work with the organisation, existing culture, processes and technology choices.
“The team at Canva has truly been inspirational both in eagerness to improve and in their dedication to get things done”
- Canva implemented an ISMS specifically designed to best meet its ways of working and its ever-changing organisation
- Security was given organisational level priority and is owned directly at the founder level
- Canva achieved certification to ISO27001. We acted on behalf of Canva through the certification process
- Canva successfully set up a team of security champions across the different group functions, ensuring all key business stakeholders are involved, and are having conversations about security.
Canva found it exceptionally helpful to have us guiding their team through the entire audit itself.
“Facing off to the auditor was essential”, Geoff remarked, “it was helpful to have someone who knew our organisation, and also what the auditor was looking for.”
“In a well-designed ISMS, everything flows naturally, driven by business need. You shouldn’t have to do anything for the sole purpose of compliance. If you do, not only are you wasting time and money, but you are potentially exposing yourself to a hard landing in the future.” Romain Rallu, Co-Founder and COO at Sekuro.
Setting the trend
In the few months since its certification and using a risk approach to manage security, Canva grew its security investments and security resources 5-fold, with no plan to slow down or stop. Some of the brightest security minds in the industry have joined the security group which now has a dedicated response and adversarial simulation capabilities. Security uplifts are now baked in both company-wide and team-level goals and every Canvanaut knows and understands why security is core to Canva’s business.
What is ISO 27001?
ISO 27001 is the international standard that sets out the specification for an information security management system (ISMS). It contains a set of best practices to allow organisations to implement a world class risk management system to strategise and coordinate their security investments whilst getting marketable recognition for it.
Many organisations, including governments, are now insisting that their suppliers and contractors demonstrate that they manage security in compliance with ISO 27001.
What does an ISMS do for you?
- Greater security awareness across all levels of the organisation
- Understanding and ownership of security risks by business leaders, and commitment to an actionable security improvement roadmap
- Make easier investment decision with better business cases based on risks
- Recognised certification & enhanced customer confidence and perception of the organisation
- End to end visibility & centralised view of security risks
- Translates cyber security problems into tangible business impacts
“We used the certification as a framework to prioritise security roadmap and have an external entity that holds Canva accountable for milestones defined.”
– Canva Engineering Leader
ISO 27001 clauses 4 to 10 prescribe the minimum requirements of the ISO 27001 standard for the establishment of an Information Security Management System (ISMS). It follows the continuous improvement cycle – Plan-Do-Check-Act (PDCA) – which an organisation must establish in order to be able to go through certification.
- Plan – Identify Risk to the Confidentiality, Integrity and Availability (CIA) of assets
- Do – Put relevant controls in place
- Check – Audit the implementation for efficiency and effectiveness
- Act – Improve ineffective or inefficient controls
To design the best possible system, Sekuro begins by understanding the business environment, business objectives, constraints, values and culture. We then conduct an initial information risk assessment to identify the actions and priorities for managing information security risks. This highlights major gaps and areas for improvement, allowing us to create an associated and tailored risk treatment plan. Lastly, Sekuro helps our clients to remediate their gaps and executes an internal audit program to report on security control effectiveness, progress of risk remediation and provides assurance back to the business for review and action.
To ensure that its clients are fully prepared for its certification audit, Sekuro leverages the internal audit process to help stakeholders get familiarised and comfortable with the process. Sekuro also liaises with the chosen Certification Body to guide the entire process and acts on its client’s behalf during the certification audits.