Linear, Carta, and Breakglass

Posted on Jan 7, 2024

There was some drama over the weekend on X, where the CEO of Linear posted on her timeline that someone from Carta’s Liquidity division was reaching out to angel investors directly about selling Linear shares to their buyers. What makes this even more egregious was the response from Henry Ward, Carta’s CEO, who made it seem like this was a lone employee doing something shady and using their break glass to access customer data. It comes out in the thread that Carta has done this before and has promised to stop, but it keeps on happening.

Carta has a SOC 2 Type II, and one of the things they specifically call out in their blog post is that they “Monitor[ing] and restrict[ing] access to customer data.” If they truly are monitoring and restricting access, how do things like this happen? A break glass is supposed to be, to quote Troye Sivan, “Messy”. When someone breaks the glass, it should fire off a security alert letting the security team know that it has been used, so they can investigate why it was broken and whether the organization’s access needs have changed. If the glass is broken frequently, the security team should either check whether there is a legitimate need for the specific team or group of individuals who keep breaking it to have standing access to the product, or start the conversation about corrective action for the employees who are using this tool.
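To make the “messy” break glass concrete, here is an added example (not code from the original post, and not Carta’s or Linear’s tooling) of the two detections the paragraph above describes: alert on every single break-glass activation, and separately flag any team or individual whose activations cluster often enough that either standing access or corrective action needs discussing. The audit log format, field names, and the `breakglass.activate` action are constructed for this example; a real deployment would read the events from the identity provider or access-management system’s audit stream.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form (hypothetical schema, not any vendor's).
# Each break-glass activation of a privileged customer-data role is one event.
SAMPLE_LOG = """\
{"ts": "2024-01-02T09:12:00Z", "actor": "alice", "team": "support", "action": "breakglass.activate", "reason": "customer locked out", "ticket": "SUP-1011"}
{"ts": "2024-01-02T14:40:00Z", "actor": "bob", "team": "liquidity", "action": "breakglass.activate", "reason": "", "ticket": null}
{"ts": "2024-01-03T10:05:00Z", "actor": "bob", "team": "liquidity", "action": "breakglass.activate", "reason": "checking holdings", "ticket": null}
{"ts": "2024-01-04T11:30:00Z", "actor": "carol", "team": "liquidity", "action": "breakglass.activate", "reason": "", "ticket": null}
{"ts": "2024-01-05T16:00:00Z", "actor": "bob", "team": "liquidity", "action": "breakglass.activate", "reason": "", "ticket": null}
{"ts": "2024-01-05T16:01:00Z", "actor": "alice", "team": "support", "action": "login", "reason": "", "ticket": null}
"""

BREAKGLASS_ACTION = "breakglass.activate"


def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def alerts_for_each_use(events):
    """Every break-glass activation is an alert, no exceptions.

    Severity is raised when the activation carries no ticket reference,
    because then there is nothing for the security team to check the
    access against during the follow-up investigation.
    """
    alerts = []
    for e in events:
        if e["action"] != BREAKGLASS_ACTION:
            continue
        missing_ticket = not e.get("ticket")
        alerts.append({
            "ts": e["ts"].isoformat(),
            "actor": e["actor"],
            "team": e["team"],
            "severity": "high" if missing_ticket else "medium",
            "message": "break glass activated"
                       + (" with no ticket" if missing_ticket else f" for {e['ticket']}"),
        })
    return alerts


def frequent_breakers(events, key="team", window=timedelta(days=7), threshold=3):
    """Return {team_or_actor: max activations seen in any `window`} for those
    reaching `threshold`. A sliding window over sorted timestamps finds the
    densest cluster per group; a hit is the signal to either review whether
    that group needs standing access or to start corrective action.
    """
    uses = defaultdict(list)
    for e in events:
        if e["action"] == BREAKGLASS_ACTION:
            uses[e[key]].append(e["ts"])
    flagged = {}
    for who, times in uses.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[who] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in alerts_for_each_use(evs):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['actor']}/{a['team']}: {a['message']}")
    print("teams to review:", frequent_breakers(evs, key="team"))
    print("individuals to review:", frequent_breakers(evs, key="actor"))
```

On the constructed log this produces five alerts (four of them high, since the liquidity-team activations carry no ticket), flags the liquidity team with four activations inside a week, and flags one individual with three. The thresholds are deliberately low for illustration; the point is that the per-use alert and the frequency review are two different controls, and a SOC 2 claim of “monitoring and restricting access” should be backed by both.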

I don’t believe that every information security rule breakage should result in someone’s firing: if there’s a legitimate customer need, I will be much more lenient than I would be if someone is breaking rules with malicious intent. But I also don’t feel comfortable having my personal and financial information with a company that allows just about anyone to look at it. As an employee I don’t always get to decide where my employer manages their cap space, but should I become an executive at a startup, I definitely have the ability to determine who manages my cap space and cap table, and Carta won’t be on that list at all.

Do I think anything will change at Carta? No.

Would I like to be proven wrong? 100 percent yes.