July 7, 2020
SOC2 Type II security compliance. It’s the gold standard for providing buyers assurance you have your shit together information security-wise. With few trusted independent authorities in the world for information security, the American Institute of Certified Public Accountants (AICPA) - yes, accountants - have stepped in to provide their audit prowess. With this certification in hand, your customers and partners can trust an independent party has verified you follow a playbook of security best practices.
We achieved SOC2 Type II, aka SOC2, compliance recently…yay! For those of you considering it, or currently going through it, here are five things we learned along the way.
Do a “readiness assessment”. Most if not all SOC2 auditors offer you the ability to do an early audit, to tell you directionally how close or how far away from the requirements you currently are. It’s usually an optional service. In our experience, it was worth it. It’s better to know where you stand early so you can plan & prepare.
SOC2 can be used as a force for good. In that it requires practices you should (mostly) be doing anyway. In a nutshell, SOC2 involves documenting how decisions are made and changes are implemented, ensuring changes are auditable if something goes wrong, and putting some thought into your top risks. In the right proportion, every company worth anything needs these.
Conversely, you should focus on the intent vs following every requirement to the letter. It's easy to go overboard, focusing on the SOC2 requirements as a checklist. For example, one requirement is to ensure your vendors and partners critical to delivering your service have as good or better security controls than you. Makes sense right? However it is also easy to interpret this as “you need an exhaustive list of every vendor you’ve ever paid money to, along with 3 years of documented contact, security reviews, and or certifications for each and every one of them.” Huge difference in scope, with zero difference in value.
Focus on your actual security risks. Related to the previous point, you can easily spend a disproportionate amount of time “peanut butter spreading” your effort in all areas. If most of your risks are from rogue or accidental insiders, like it is with most companies, then spend your time training your team on the dangers of phishing and putting in place controls and auditing for superuser-type access. If your service depends on 2 or 3 key vendors or partners, dig in particularly deep with them. You can assess risk with a simple threat model, developing a comprehensive list of risks then prioritizing the ones to act on based on probability and severity.
It's worth it! The badge of legitimacy is worth way more than any whitepapers or other actual proof you provide. We’re fairly sophisticated security-wise and have a lot of evidence to show, and yet are amazed how disproportionately customers and our team get excited by our SOC2 in hand. It’ll get you into and keep you from getting kicked out of deals.