SOC 2 Is Never Over
via Ripjaw56
Work it harder, make it better
Do it faster, makes us stronger
More than ever, hour after hour
Work is never Over
-Daft Punk
Congratulations, you’ve got your first SOC 2 report in hand, so SOC 2 is done, right? Let’s not underestimate the wisdom of Daft Punk when they say, “More than ever, hour after hour, Work is never over,” because this is not the finish line for your company and SOC 2. It’s just the first lap of many in the SOC 2 marathon, as we focus on continuous security and compliance.
My name is Daniel Tobin, and I’ve been working at the intersection of DevOps, Security, and IT for the past 20 years and have been the first or only Security hire at each of my companies. Of those 20 years, I’ve been leading SOC 2 efforts for over 10 years, and I can tell you that I have had over 10 different audit experiences, even within the same audit firm and company. I can also tell you that I’ve probably had to explain nearly every year that SOC 2 is never over: we’re already in the next audit period.
A more cynical version of myself would refer to the myth of Sisyphus, pushing the rock of compliance up a hill only to start over every year, when I think of all the checklists and matrices on our journey to that next waypoint. Yet, as Daft Punk correctly points out, it is not about pointless labor but continuous improvement. Instead, the focus should be on making the company better and stronger year after year. Compliance does not need to be an exercise in meaningless work. Instead, compliance should be viewed in the light of continuous improvement and habit-building. It is wise to set out each new day by tackling the most difficult thing first; with that challenge out of the way, the rest of the day will be a breeze, right? Right?
Now that it’s morning again after your audit and we can start anew, let’s return to the beginning of Daft Punk’s wise words: “Work it harder, make it better, Do it faster, makes us stronger.” To make the entire process of addressing compliance better and faster, make it a priority to partner with an automated compliance solution for continuous security and compliance. The new class of automated compliance solutions, such as Secureframe, Vanta, and Drata, has not only made audits easier for everyone but has also greatly simplified and standardized best practices. These solutions offer continuous assurance instead of haphazard reliance on point-in-time screenshots. This automation takes the guesswork out of compliance and provides continuous security monitoring. With automation in place, we can move faster and instead focus on the critical features we’ll be rolling out for the platform and on in-depth security-focused projects.
So with all this talk about good habits, racing, Greek myth, and Daft Punk, what is SOC 2? Why does anyone care about it? For that, we look to the AICPA, the standards organization responsible for developing SOC 2:
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. (1)
In essence, the AICPA created a framework to be applied across various parts of an organization and developed controls for companies to follow in order to attest that they have assurances for the security and overall integrity of their systems. SOC 2 has become the gold standard for companies in the US to ensure that the companies they work with have a baseline of assurances when entrusting each other with valuable and sensitive data. In Europe, ISO 27001 is the gold standard for companies instead of SOC 2. At your company, you should weigh where your customers and their data are, along with the business case for also obtaining ISO 27001. ISO 27001 is generally considered the more technical of the two, but it does set minimum audit durations based on company size.
Now that your company has gone through the SOC 2 process, does that mean anyone who signs up for your service, whatever that service is, will also automatically receive SOC 2? I’m sorry, but that’s not how it works. Working with vendors who have SOC 2 can speed up your due diligence and remove the need to fill out custom security questionnaires, but you would still need to go through the process yourself to obtain your own SOC 2. Numerous SOC 2 controls are unrelated to technical components and are more about your company policies. For example, key elements include vendor management and organizational controls such as hiring and performance reviews for employees and the CEO.
As Kanye West says on Graduation, “Now that, that don't kill me, Can only make me stronger.” SOC 2, when used as part of a larger security strategy, and especially with today’s automated security tools, can make your company more secure. Even as your company is telling you, “I need you to hurry up now, 'Cause I can't wait much longer,” remind yourself and them of the overall process. This audit might be done, but SOC 2 is never over.