Back to Blog
Industry 7 min read

Security and Compliance Convergence: One Team, Two Goals

Security and compliance are converging in modern SaaS companies. How to build a unified function that achieves both without duplicating work.

Key Takeaways
  • Security and compliance are increasingly treated as one function at companies with 50–200 employees.
  • Unified security and compliance reduces duplicated work — evidence collected for security monitoring also satisfies SOC 2.
  • The Security/Compliance function owns both the technical controls and the evidence that demonstrates them.
  • Separate teams create gaps: security implements controls that compliance does not document, or compliance documents controls that are not actually implemented.
  • For Indian SaaS companies, a single owner for SOC 2 + DPDP + security programme is the most efficient model.

In this guide

  1. The Convergence Trend
  2. Why Separate Teams Fail
  3. The Unified Security/Compliance Model
  4. Unified Tooling
  5. Roles and Staffing
  6. Measuring Success

The Convergence Trend

Five years ago, "security" and "compliance" were distinct organisational functions at even mid-size companies. Security owned firewalls, vulnerability scans, and incident response. Compliance owned SOC 2, policy documents, and auditor relationships. They communicated poorly and often duplicated work.

In 2026, the most effective B2B SaaS companies — particularly those that have been through multiple SOC 2 audits — have converged these functions. A single team (or individual at smaller companies) owns both the technical controls and the evidence that demonstrates them.

Why Separate Teams Fail

The implementation gap: security implements MFA, but no one documents it for SOC 2. Compliance writes a policy requiring MFA, but security never confirms all users actually have it enabled. The gap between implementation and documentation is where SOC 2 exceptions live.

The evidence gap: security monitors GuardDuty findings daily but does not export them as SOC 2 evidence. Compliance knows they need evidence but does not have access to the security tooling. Evidence that exists operationally but is not organised for auditors is effectively missing.

The language gap: security thinks in threats and technical controls. Compliance thinks in criteria and evidence requirements. A unified team develops shared language that bridges both.

The Unified Security/Compliance Model

In the unified model: one function owns the control framework, the technical implementation, and the evidence collection. Security work is designed from the start to generate compliance evidence. Compliance requirements drive security investment priorities.

Practically: when GuardDuty is configured, it is configured both for security value (detecting threats) and for compliance value (generating CC7.2 evidence). The two goals are designed together, not retrofitted.

The control owner — the person who implements a security control — is also the person who owns the evidence for that control. This eliminates the gap between implementation and documentation.

Unified Tooling

A compliance automation tool like AuditPath functions as the unified tool for both security monitoring and compliance evidence management. It pulls data from security tools (GuardDuty, Security Hub, Okta) and organises it as compliance evidence automatically.

This eliminates the need for security to maintain a parallel evidence export process alongside their operational work. Security tools generate findings; the compliance tool captures those findings as evidence; the evidence is available to auditors.

Evaluate tools based on whether they bridge security operations and compliance evidence — not just whether they manage compliance documentation.

Roles and Staffing

0–30 employees: CTO or technical co-founder owns security/compliance. 10–15% of time on security/compliance activities during steady state, 25–30% during audit preparation.

30–100 employees: Head of Security (or Security Engineer) owns both security programme and SOC 2/DPDP compliance. This person is the primary auditor contact, evidence owner, and security incident response lead. Budget: 1 FTE.

100–300 employees: Security function with 2–3 people. One owns SOC 2/compliance (GRC function), one owns security operations (monitoring, incident response), one owns security engineering (controls implementation). Shared tooling and control framework.

300+ employees: dedicated Security and GRC functions with separate management, but shared control framework and tooling to prevent divergence.

Measuring Success

Control coverage: what percentage of your SOC 2 controls have current, complete evidence? Target 95%+ at all times during the observation period, not just at audit time.

Time-to-evidence: when an auditor sends a PBC request, how long does it take to respond? Target: 1 business day for 90% of items. Long response times indicate evidence is not organised or readily accessible.

Security-compliance alignment: compare your implemented security controls to your documented controls. Any gap between what security has implemented and what compliance has documented is an alignment failure.

Audit finding trend: track exceptions over multiple audit cycles. A programme that improves year-over-year (fewer exceptions, higher scope) is demonstrating effective continuous improvement.

Frequently Asked Questions

Should security and compliance report to the same person?
In companies with fewer than 100 employees, yes — a single owner is most efficient. Above 100 employees, having them report to the same VP (of Engineering, CTO, or COO) with different managers is effective. The key is shared tooling and control framework, not necessarily identical management structure.
How do we measure the maturity of our security/compliance programme?
CMMI for security or NIST CSF maturity levels provide frameworks. Practically: at the lowest level, controls are ad-hoc and documented only under audit pressure. At the highest level, controls are continuously monitored, automated, and improving based on metrics. SOC 2 Type II with zero exceptions over multiple years is a strong indicator of programme maturity.
What is GRC and how does it relate to security/compliance?
GRC stands for Governance, Risk, and Compliance. At enterprise scale, GRC is a distinct function that manages compliance frameworks, risk registers, and policy governance across the organisation. At startup and scale-up stage, GRC responsibilities are typically absorbed within the security function.
Does the security/compliance function own the incident response process?
Yes, in most companies at scale-up stage. The security function owns the incident response plan, leads tabletop exercises, and acts as Incident Commander for significant security incidents. For product availability incidents without security implications, engineering owns incident response separately.
How do we prevent compliance from becoming a bottleneck on engineering velocity?
Design compliance controls that are embedded in normal engineering workflow rather than separate from it. Required PR reviews (change management), automated security scanning in CI/CD (vulnerability management), and SSO-based access control (access management) happen as side effects of normal engineering work — not as separate compliance overhead.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free

Related Articles

Industry

Building a Compliance Culture in Your Engineering Team

Industry

Building an Annual SOC 2 Compliance Programme

How-To

How to Prepare for a SOC 2 Audit: 90-Day Plan