Despite thousands of articles, there’s shockingly little actionable advice to help startups complete SOC 2. For teams that don’t have dedicated compliance staff or six-figure budgets, we set out to answer:
- When to pull the trigger on SOC 2.
- Who needs to be involved in prep work, and which tasks can and cannot be delegated.
- How to narrow the scope and save as much time as possible.
- What achievable best practices look like for each policy.
- How to gather evidence for auditors.
One area that usually requires some remediation is access controls. Most teams don’t have answers when auditors ask “who has access to a specific database or server, and what queries did they execute?” That’s why we started strongDM: to manage and monitor access to every database, server, and environment.
Hey everybody, thanks for joining today. I’m Schuyler, co-founder of strongDM. And we have an awesome panel lined up. We’re just waiting for a couple more attendees, so sit tight, and we’ll get started in just a minute or two. The structure for today is that the panel will be walking through, for about 20 minutes, an overview of the practical steps to achieve success. I know many of you have submitted questions in advance, and I really appreciate you taking the time to do that. We’ll make sure we save some time on the back end to address them directly. The goal here is for us to share some of the practical advice that we’ve lived through completing our own SOC 2 audit, and with the help of Troy we’ll share an auditor’s perspective, and Martin, a compliance consultant’s perspective on common mistakes. The premise for everybody is that all of you have already taken the leap and are ready to dig into a SOC 2 audit. So we won’t be talking about the sort of theoretical, high-level view of what a SOC 2 audit is and whether it’s right for you. We’re just going to assume that you’ve already come to that conclusion and you’re looking for some operational advice on how the heck to successfully complete your first audit. Let me now introduce the three panelists. So we’ve got Martin from Marana and Troy from Schneider Downs. Do you guys want to take just a second and share a little bit of background about yourselves?
Sure, I can get started.
My background essentially is in software engineering. I worked with many, many startups in the past 10 years and somehow ended up running a SOC 2 program for one of the companies I was working at. A couple years later I decided to launch my own business to help other SaaS companies essentially become compliant with SOC 2. And that’s kind of how I met Troy right here.
Yeah, yeah, thanks. I look a lot better in my picture on here than I do on this camera. But yeah, so I work at, well, we’re a top 60 CPA firm out of Pittsburgh, PA, and I specialize in performing SOC 2 audits. I’ve probably been doing these for the last eight to 10 years now, working with everyone from startups, you know, with 110 employees, all the way up to public companies doing SOC 2 audits. So I’ve kind of seen the range of how to get prepared for one of these from all different types of views and different industries and client sizes, and I’m just kind of looking forward to sharing some of that insight with all the viewers here.
And we’ve got my co-founder at strongDM, Justin. Alright, so yeah, let’s go there said I’m on the team. At strongDM we do access controls all day, every day, for all sorts of technical systems. And as part of that, we also had to go through the SOC 2 Type 1 and Type 2 process over the last couple years. And so I guess, if these other folks are sort of the people that help you with SOC 2, I’m an example of someone that’s a customer of SOC 2. So why don’t we kick things off?
By starting with the premise of go, no go? When are you ready to actually jump into the SOC 2 planning process?
Is anybody ever ready for it?
I mean, I like what you got here on this slide, you know, in my notes. I mean, obviously, you know, you have a demand from your client, you’ve decided to go forward with a SOC 2 audit, and the first step really, I think, is to get executive buy-in. It is going to be the difference between a successful audit and an almost smooth ride versus just you on your own trying to make it happen and not really getting the support that you need. I’d say that’s really important.
Could you share a little bit about the kind of support that you’re talking about?
Absolutely. I mean, it’s one of the first questions that I ask when I talk with someone who’s interested in a SOC 2 audit: whether your founders will back you up. You know, are you going to have the time and the resources to actually do the work that is involved with SOC 2? Because it goes so much beyond what people initially think. You know, it’s not just about having a strong password policy. There are controls and processes that you have to have across the board, including HR, including recruiting, customer success, engineering, obviously. And so it’s so important to sort of set the tone and make sure that your founders, the founders of the business that you’re working with, are actually behind you, and understand the time and effort and money resources that have to be allocated for a successful start to this project. Right. It is just like developing a new feature, or adding new departments to your company. And so it’s really hard to do when it’s just you, whether you’re engineering or IT, to be able to do it on your own, really.
Yeah, I think, just to add to that, Martin brought up a good point about executive buy-in, but as an auditor, you know, these things take time to complete. So if your company or your executive sponsors, if you have buy-in, if they think this is a quick thing that’s going to get done in one month and we’re going to make the customers happy and give them a report, you need to sit down with them and kind of explain how this process is going to go, and kind of have a good roadmap to lay this out to meet customer expectations. A lot of times, in the beginning stages, we get a call: hey, we got to get this SOC 2 report to a customer in two months. And they’ve never done this before, because some salesperson agreed, didn’t know what they were agreeing to, and just kind of got the company on the hook with a big customer to do this. So I think even before you start this, it’s really: explain to everybody, okay, what does this actually mean? Who are we going to need involved? And we really need to be a team when we’re going to do this. We can’t just expect to check the box and get this done in one month. It’s really a culture shift almost sometimes, companies, you know.
So when I think about the go no go decision, actually on the slide here the realistic alternative is kind of where I start from, because SOC 2 is the way that you express to your customers that you’re taking your business seriously and that you take your operation seriously. So it actually is the gold standard for that, and it’s not going away, so there actually are limited alternatives to it. But I think it clearly is important to have that go no go. It is important to bring the team together and to not be seduced by the idea that you could do it yourself in a couple of weeks. It’s a big project, but the good news is, you’re getting asked about it and you’re sort of dealing with the sticker shock of all the tasks, but at some point there isn’t an alternative. So
I love what you just said, you know, essentially it’s going to transform your business, it’s going to change your company. It’s going to be a little difficult, but ultimately you should come out of it stronger, with better processes. And, you know, remaining SOC 2 compliant, once you’ve started, you just have to keep going. Right? So it’s so important that everybody understands realistically what it is. And when we’re talking about realistic alternatives, there are not so many out there. That being said, if you have a no go, you can still get prepared in case the go happens down the road, right? You can still write your security policies, you can still do your pen test, you can start understanding traceability and limiting who’s got access to what internally. So many companies, when they start, everybody has access to everything, right? And so locking that down and understanding, you know, ultimately it’s the data of your customers that is at risk. And so that’s why your customers are asking you how your business is operated. That’s the reason behind it. And that’s another reason why the amount of change that needs to happen, so the reason why, in addition to the budget, in addition to having the right staffing so that you can actually get all the work done, of having the executive sponsor that understands the market need and then understands how to basically forcefully represent the requirements when those groups do need to change their behavior. And they hear, I can no longer look at every record in the business. There are inevitably some political consequences to that. And so you need a very strong internal voice that can continue to reinforce the reason for doing it.
So let’s talk through the timeline. What do you need to accomplish in the first 30 days?
I’m happy to get started on that. I mean, I get brought in usually right at the beginning, after the executive buy-in has happened. You know, the first thing is understanding the scope of what you’re trying to do. If you have multiple products, are you just scoping it to the one? Again, understanding what your customers are asking, right? Does your entire company need to finish a SOC 2 audit, or is it this particular API or endpoint, or something like that?
Understanding the various teams and then interviewing the process owners is essentially, you know, coming in and trying to be as familiar as possible with the business, way more than some people who have been working there for just a year or two. That’s why you must involve everybody, right? So talk to customer success, HR, recruiting, legal, engineering, obviously IT as well. And so from the get go, you know, just understanding where the company is at and where it needs to be, so that you can identify those gaps and bridge them. We will try to do that within the first 10 days, right, and involve everybody. And this can take up to 30 days sometimes, and that’s usually when, actually, a lot of people realize, oh, this is hard.
The gaps that I find, you know, some examples are, again, everybody having access to this internal tool with very limited security, but it’s so critical to running the business that people get used to it, right. So the first 30 days are really getting familiar with what a company is and why they need to be SOC 2 compliant.
Once they make it past that, you know, we make it to the 90 days, and you can start writing your controls at this point. I mean, the controls are essentially capturing the processes that the business already has, right? So that’s why it’s so important to get familiar with all the different departments if you’re the lead of a SOC 2 effort. Because if you’re engineering, you have to understand the ins and outs of your recruiting processes, no matter what, because those have to be translated into, again, controls, which are processes, which someone like Troy will then look at and audit. And they have to really map what the company is doing, because ultimately that’s what an audit is: someone like Troy coming in and validating that you are doing what you say you’re doing. That’s the whole point of the audit.
So if team formation is sort of foundational, let’s talk through who needs to be on your SOC 2 team.
I mean, I’d be curious to hear from Justin, because you guys went through it, of course. So I think what actually you’re seeing on the screen here is a great way to think about it. You need that executive sponsor, and it needs to be anchored in the market. So ultimately you’re doing this so that you can continue to succeed in selling more of your product. But then in terms of the implementation, there’s no getting around it: there’s a lot of writing that needs to be done. And that writing has to comprehend essentially all aspects of how you operate your business. So it doesn’t have to be a technical writer, it doesn’t have to be a person that has writing in their background, but they’re going to be doing it for weeks or months. So there’s just a lot of writing, keep that in mind. Even though SOC 2 speaks to every department, HR and legal and finance and everything, there’s a large portion of the burden that is shouldered by technology teams. So there is going to be somebody that’s going to be specifically focused on, and an expert in, how your access controls work to your most sensitive data, for example. And then you’re also going to need to liaise with other departments like legal and HR. So somebody from each of those teams is going to need to be present in whatever committee meeting you’re having to move the project forward. And then if you do choose to augment your internal team with someone like Martin, the consultant would be part of every one of those meetings as well.
Yeah, and to add to this, really having a team lead. Well, there’s two things, right? Having a tech lead is so important for the communication between the auditors and the consultant and the rest of the company, and also for the execution of the project. I mean, as an external party coming in, whether it’s a 20 or a hundred employee business, I can tell you all day what to do, but I have no power of execution, right? So having that tech lead, who will actually be given this sort of power of execution by the executive sponsor to go out there and say, hey, my SOC 2 project is just as important as this new feature you’re developing, or whatever is going on, will just make such a major difference in the execution of the project. And then, you know, having one team lead per department is also really important, because you’re going to end up with controls in each of those departments, and these people should own the controls, like the control ownership, which, again, a control is just a process that you’ve written down. It’s just so important, right? Like, who’s in charge of making sure that background checks are happening, or who’s in charge of making sure that there’s a code review for every single pull request, that type of thing, right? Ultimately, you cannot just have one person internally in charge of SOC 2; it’s just going to be a miserable time for everybody.
Yeah, and from an auditor’s perspective, you know, I don’t have the customer, I’m not involved with the customer side of it, per se. But I can tell you that, from an auditor, when there is a person that’s kind of leading the audit and taking ownership of the audit internally, so that as an auditor, if I have two people working on this audit, I don’t need to have these two people reach out to 10 different people internally at a customer, and we can kind of go through that one person and he kind of distributes it, because they understand the bureaucracy maybe, or the politics involved, it really makes the audit run a lot better when the auditor has that go-to person that they can funnel questions through, and then they can distribute to the people appropriately. And that person internally kind of keeps track of everything as well. So, you know, in my experience, that’s when the audit really goes the most smoothly, when I can rely on somebody internally to kind of distribute what I need to get from people. And then also, don’t be afraid to get your auditor involved on some of these teams. You know, when I do an audit, we can do a readiness assessment before you actually do an audit, right? And you can see, okay, is this going to meet this requirement? Is this evidence good? And we try to take a really collaborative approach, right? Like, yes, I’m external, and I have to be objective. At the same time, as an auditor, I don’t want you guys to fail, right? Like, I want to help my clients get to the end goal and have better security. So don’t be afraid to ask your auditor questions. They should be open to answering them and giving you some advice. I mean, there’s a gray line there and you don’t want to cross it, but your auditor will tell you if he can’t give you an answer, or she can’t give you an answer. So don’t be afraid to ask questions.
And then one thing I think I’d add is, it is absolutely impossible for any one person to shoulder the entire burden of SOC 2; you’re going to have to delegate. And you’re going to have to figure out who can shoulder those tasks. So, Justin, maybe you could share a little bit of practical advice about how you thought about identifying who was an ideal candidate for each of these roles, and then how you thought about carving up some of those tasks.
Sure. What I can offer is that it’s easy to make a mistake here, and my mistake has traditionally been to try to do more than my fair share of the tasks myself. So, like, actually not being a bottleneck as the coordinator, and actually being quick with the delegation, I think is the main takeaway. Like, whoever is coordinating and is the project manager should feel very comfortable assigning and then following up on tasks. You know, I would say that’s my principal advice there.
So let’s get down to some of the brass tacks from a dollars and time resource perspective.
Justin, you maybe want to talk through some of these numbers and the budgeting of productivity and headcount here.
Sure. So you know, obviously, I would say the bigger part that’s not on this ledger is going to be the productivity impact and opportunity cost you’re going to feel throughout the team. But hopefully all of that is offset by the reason that you’re doing it, right? So hopefully that makes the equation something like what you see in front of you here. You have direct external costs, certainly; auditor costs can go higher than that. If you do want to calculate for whoever’s leading the project, if you do want to sort of compute their salary during the period where this is their primary focus, I think that’s a fine way to account for it. The readiness assessment, whether it’s performed by someone like Martin or in concert with your auditor, I don’t know, we don’t have a line item for that there, but I can definitely endorse undertaking something like that. It can help you to succeed with the rest of your project for sure. There are going to be some legal costs. And then the final thing is, there are just certain choices in tools and sort of off-the-shelf security training where it’s just faster to get the whole project done if you essentially just buy something rather than waiting to set it up. So it’s not a huge budget for that.
The other piece in here that I know we decided to just commit to is regular external third-party penetration testing. So that’s something that just makes it easier, and that ends up being another significant line item as well.
Yeah, in your experience, roughly how much was that?
It varies depending on the various advance the data. It’s definitely a five-figure, probably five-figure, sometimes a six-figure expense. Right? I’ve seen them run from $10,000 to $40,000. It all depends who you go with and how often you run them. And you know, Big Ten firm, similar with the auditor, right? I mean, I don’t recommend you go with one of the Big Four, but that number can go way up, right? But then do you really want a team of 10 people at your office when you’re only 15?
But yeah, I love seeing those numbers there. I would say that the productivity cost can be alleviated if you bring in extra help. Obviously, the idea is to try to not really slow down the process too much and the product pipeline, because, I mean, you’re a founder company, you’ve got us or you’re profitable, this or even more rare, but you know, like, if it takes you six months to complete a SOC 2 audit, you know, usually a round of funding lasts 18 months, right? So that’s like one third of all your funding. And you cannot have a third of your staff being sort of stuck trying to finish a SOC 2 audit. So it’s nice to be able to parallelize some of the work as well, like you said, just spending extra money, but get the tools, get the help, and get there faster.
So let’s dig into the remediation process a little bit.
Justin, in your experience, what was that like for us?
Sure, well, actually, I encounter people in the remediation phase often actually when they purchase strongDM in order to enforce access controls. After completing the first part of the SOC 2 audit, they identified some gaps in processes to manage access to databases, servers or systems and strongDM helps to close those gaps.
If your infrastructure is complex, you may need to introduce a lot of controls. So that may be a reality; expect to pause between setting up all the controls and then ultimately performing the SOC 2 Type 2 audit. That seems to be pretty normal, par for the course.
Yeah, that’s, I think, and then in terms of the build versus buy, I think that’s just like every other build versus buy decision you ever make. So there are certain things where building is straightforward, but then there’s a whole host of things where you can get to an answer more quickly by just going with an off-the-shelf product.
Typically, when we do a readiness assessment and we identify gaps, assuming that they’ve never done this before and they’ve just reached out to us, I would say the remediation process usually is probably three to six months to get everything in place.
And then, three months is really fast, and that’s when you have a big customer saying, hey, we need this now, so everybody’s just on board doing this. But it’s probably closer to the six months; that is typically how long it takes to remediate after that readiness assessment. Right? I mean, I will say that you’re shifting your business, you’re transforming it. And if you’re changing things too fast, it’s not going to stick.
You know, the other thing that I see some people do is they’ll hire an auditor, they’ll get that sort of gap assessment done, and then they just start creating all kinds of processes that are time consuming, expensive, and quite frankly, useless. Don’t do that. Because you’re trying to transform your business to become a better business, you know, not trying to create more bureaucracy and more paperwork, right? So yes, you do have to record some of the evidence so that you can look at it down the road. But, I mean, I heard of someone who was having meetings after the meetings to take notes on the previous meetings for the auditor. That’s just absolutely ridiculous, right? Like, if it doesn’t make sense, don’t do it.
The remediation part should really be a phase where you think about the type of business you’re trying to become to satisfy these larger customers. And you should feel good about it, right? A SOC 2 audit offers you that flexibility. It’s not just a checklist, it’s not black and white. And that’s why I think it’s really important to pick the right controls and find the right auditing firm as well, that can sort of help. They won’t help you with the remediation, but they will help you understand whether or not the path that you’re taking makes sense.
So let’s dig into the fun part. Once you are in execution mode for your Type 1, Justin, maybe share a little bit about your experience and any lessons learned during fieldwork.
Sure, so the SOC 2 Type 1 is obviously the phase where you are sort of producing evidence that you have controls in place, but you’re not actually testing the controls themselves.
I would say, and this applies to both Type 1 and Type 2, the important part when you actually go through the audit is to make the most of the focused period where you’re actually working hour by hour, day by day, directly with the auditor, because that typically ends up being a constrained time period. So just really don’t try to split your attention in that week or two, and really be as authentic as possible, because otherwise it’s going to drag out for weeks and months. So get all the evidence in advance and hand it over during the audit period.
Troy, is there anything from your experience that you’ve seen that separates the successful teams from those that end up struggling?
Well, obviously the main thing that we’ve mentioned, the teamwork and the executive sponsor, but I think another piece is collaborating with your auditor, to be honest. You know, a lot of people, I think, view auditors as, it’s an audit, they’re going to find something, they’re out to get us. But I think if you have the mindset that, hey, this auditor, you know, they’re trying to make us better, right? Let’s do this exercise to make us better. Right? Are we going to be perfect the first time? Probably not. I mean, it’s hard to get perfection. Perfection is the enemy of progress, is what I tell people. So, you know, just being open to understanding, hey, the auditor is here to help us, and if you have that mindset, that really goes a long way in just having a better relationship and not doing a check-the-box exercise. I think if you just want to do a check-the-box exercise, I mean, there probably are firms out there that are more inclined to do that. But when we do an audit, you know, we really want to be your partner and help you guys feel more secure. So if you’re working with an auditor, and you don’t understand, as Martin said before, why am I doing this control? This doesn’t make sense. And they’re not giving you an answer, or not trying to work with you to understand what does make sense, then I think that’s kind of a red flag. So use your auditor as a partner rather than an auditor, so to speak. I just think that goes a long way.
So I do want to switch into questions. Some of them have been submitted in advance, so thanks to anybody who did take the time to share those. I am also including everyone’s contact info here, so if you have any follow-up after we wrap up today, certainly don’t be shy. We’re all here to help and we’ve all lived through it. So we are happy to continue the conversation, but let’s start with the first, which was: what do you wish you had known before starting your first SOC 2 audit? Justin, you want to tackle that?
Sure. So I would just say the number one, I wish that I had been more realistic about how much of my attention it was going to require, and then also, I wish I had known how good I was gonna feel after it’s done. When you finally do get a clean bill of health, and then you can say that with confidence to your next customer that asks, it feels really good. So anyway, I wish I had had that visceral feeling before, because then I would have understood how much of my time and attention, as I was allocating that time and attention, that would have sustained me emotionally during that period.
And it really takes everyone’s involvement to be successful. Again, I know we mentioned it a couple times, but you just really need help from everybody. It’s not a one-man-show type of deal here.
All right, just in the interest of time, to try and get through as many of these questions as we can.
What is the impact of inclusive versus carve-out sub-service providers for outsourced IT departments on an audit? Do sub-service providers, such as an independent contractor that follows all of the appropriate company policies and procedures, become compliant? Or do they need to be SOC 2 compliant as well?
Yeah, I mean, I guess I could take the first part of that at least, just kind of the impacts. If you’re doing a carve-out, let’s say you’re using Amazon Web Services, because they have their own SOC 2 audit, you can carve them out. And what that means is we’re not going to test controls that are being performed by AWS. So physical security of your servers, environmental controls, we’re not worried about that. AWS has its own SOC 2 audit. They’re independently audited, so we can carve them out of the report. If you’re using an outsourced IT provider, and they have access to your systems, and they’re using their own infrastructure to access your systems, then sometimes you have to use the inclusive method, which means I’m going to include this third party in your audit, and now I’m going to test their controls. Are they performing background checks on their people? How do they access their machines? If they’re backing up your data, are they performing appropriate backups for you guys? Are they patching your servers? So when you guys do the inclusive method, it means we have to include them in your audit and test their controls.
The last part of that, a contractor? Of course, the answer is, it depends. If that contractor is using your machines, and they’re accessing everything on your company-owned devices, I would say you don’t do the inclusive method. They’re just part of your audit, inherently, right? We might test a contractor to be sure they signed an NDA, but you don’t have to do the inclusive method. If that contractor is using their own machines to access your environment, then you probably have to call them out and do kind of an inclusive audit.
I hope that kind of answered the question.
That’s great. How do you manage controls within Comply? Not the TASC, but the list of controls that satisfy a TASC? In our case it’s an Excel file with a list of artifacts for each control that we need to supply to the SOC 2 auditor. But surely there’s a better solution that involves Comply. And for anyone who’s not familiar, I should qualify: Comply is the open source SOC 2 policy repository and workflow management tool that we at strongDM built and shared with the world.
I’ll take that one. So basically the intent with that particular open source project is to be able to add a sort of policy and procedure level map to a particular control. The control can actually be from, could be just one of the trust criteria from the SOC 2 regime, or it could be from any other compliance regime. But the intent is to say, this policy maps to these criteria and these controls. So that mapping and the descriptions are just sort of built in, in terms of linking external assets.
You could do that through a narrative, which is like a free-form document that might just be an inventory of everything that you refer to to achieve one or a series of controls. So that would be one way to do it. Another way to do it is to get in the Slack channel and request an enhancement to the product. Because, yeah, the open source community around that is always looking for ideas for enhancements. So please, please jump in.
If there are templates for doing an internal risk assessment for the cyber risk assessment policy, do you leverage the same templates used with vendors?
I actually saw someone post on Slack the other day about a great risk assessment template that is, I believe, open source as well, which I truly enjoyed a lot. It’s a lot less complicated than the type of risk assessment that I do. And, I mean, they’re out there. You can be as thorough as you want, or it doesn’t have to be too complicated. But you do need to understand the risks that the company is running, essentially. Yeah. And there are some out there.
And finally, are there different SOC 2 compliance standards or methodologies between Canada and the United States?
No, not so far as I know.
My understanding is that in Canada, a lot of those companies do fall under the SSAE 18 standard, and they want to do a SOC 2 audit. It’s the same standards and methodologies. If you are an international company, let’s say you’re in Europe, they have their own set of accounting standards. They have a standard that’s very similar to this SOC standard. It’s a little different, just called something different, but essentially it’s the same. But Canada and the US do; most companies fall into the SSAE 18 standard.
Okay, I realize we’ve gone a little bit over time, but I do want to get to the questions that were asked in chat. Will the recording and slides be shared? Absolutely. And I will email them out after we wrap up. And again, if you have any additional questions, do not be shy. Everyone’s contact information is visible, and just feel free to give us a shout.
And we’re looking for feedback. So, this is hopefully the first in a few that we do, and we would love to hear any advice on how we can get better, and if there’s anything else that we could do to make them more helpful. So give us a shout, and I really appreciate you taking the time today.
Thanks, Schuyler. Thanks, Martin. Thanks, Troy. Yeah, thanks, everybody. Have a good night.
Transcribed by https://otter.ai