Some companies boast about earning their SOC 2 certification in just two months. While technically possible, that speed usually comes with stress, shortcuts, and costly tradeoffs.
In this episode, Marie Joseph, Manager of Compliance Advisory at Trava, explains why true SOC 2 compliance takes more than 60 days. She breaks down the difference between Type 1 and Type 2 reports, outlines what a realistic timeline looks like, and highlights the team effort required to build a sustainable program.
Whether you’re starting from zero or in the process of certification, this is your SOC 2 reality check.
Key takeaways:
- The difference between SOC 2 Type 1 and Type 2
- What a realistic SOC 2 timeline looks like
- How team bandwidth, funding, and tools affect SOC 2 certification
Episode Transcript
[00:00:00] Marie Joseph: The misconception is not telling in their advertising how much effort it’s going to take to get there that quickly. It sounds so beautiful getting there in two months.
[00:00:10] Jara Rowe: Gather around as we spill the real Tea On Cybersecurity, minus all the confusing jargon. I’m your host, Jara Rowe, and this podcast is where we cut through the confusion and get the truth about security and compliance. This is a podcast from Trava Security. It’s time to spill the real tea on SOC 2, and I have one of my favorite cybersecurity and compliance experts here with me to give us a SOC 2 reality check. Marie? Hey Marie.
[00:00:35] Marie Joseph: Hey Jara. Happy to be back.
[00:00:37] Jara Rowe: I’m so happy to have you back. And we’ve actually talked about SOC 2 on the episode together before.
[00:00:52] Marie Joseph: Yes, a few times, I feel like, right?
[00:00:54] Jara Rowe: We have. All right, so briefly introduce yourself just in case this is someone’s first episode tuning in with us.
[00:01:01] Marie Joseph: Yes, I’m Marie. I am the manager of compliance advisory here at Trava. I help our customers get through whatever compliance framework that they throw our way, whether it be security or privacy. So that’s my role.
[00:01:13] Jara Rowe: Perfect, perfect person for this. All right, Marie. So in learning more about SOC 2 and looking up different questions that people have, I came across someone stating that one of their competitors got their SOC 2 certification in two months and I was like, oh my goodness, is that true? What was going on? So my first question for you is when you hear someone say they got SOC 2 in two months, what is really going on?
[00:01:48] Marie Joseph: It definitely sounds like more of a sales pitch to me. I don’t think they’re really ever saying the reality in how not fun it was probably getting to that finish line. I think that is really something that’s not portrayed in any way. I would say that there’s probably a few things. There’s so many different stories of how they probably got there that you could consider where if they got there so quickly, just know that probably someone internally had to switch their focus on just focusing on that project for the meantime, which they might’ve had to drive. There could have been a lot of money at the end, like a contract or something that was really driving them to be ready in two months because it probably became that person’s majority of their full-time job for that internal champion. And then I would say there also could have been a solution of, they probably hired a vendor where they just gave them a whole bunch of access that you wouldn’t typically give that much access to for security reasons, where they really kind of took over their whole security features on their cloud and everything to get them there that quickly.
[00:02:51] Marie Joseph: Or there’s also the possibility that they created the program really, really quick. Kind of took all the templates they could, turned on all the tooling they possibly could and it probably wasn’t the best program they could have created because you don’t really hear people talk about the audit results from getting there in two months. You only really hear them talk about we got the cert, but everyone can kind of get the cert, but you kind of get graded on all the different controls.
[00:03:14] Jara Rowe: So it’s possible, but there are a thousand different things that may have been going on in the background to make it be true. So for a typical startup, what’s the realistic timeline for SOC 2 and in your words of a good experience, like a more fun, not so stressful as a two month thing?
[00:03:38] Marie Joseph: Realistically, I like to have about six months to a year to get you ready and best case scenario is you do it quicker than you would’ve planned. So that’s always something if you have more time, if we have more time to get you there, we will do it. But I think having that realistic approach to a timeline makes your life easier and feel less stressed and also have the chance to actually take the security portion of it seriously rather than the compliance piece of it too.
[00:04:04] Jara Rowe: So again, you were saying some people may have had templates and things like that in place. So if someone is starting at zero versus someone already having some things in place, what does that typically look like and then how does that affect the timeline?
[00:04:20] Marie Joseph: Yes, so something to keep in mind is whatever this program is you’re creating, your whole business is going to be taking it on in some way. Everyone’s going to have a role, everyone’s going to have to read the policies, take the trainings. So that’s why I think sometimes having more time is more reasonable because you’re making a change to everyone’s daily life basically when it comes to the trainings and the policy specifically, and you want to build them in a way that your people better than I would know them. So you want to build your program in a way that people are going to accept these policies and actually take these trainings, give them adequate time too to do all those things. So that’s kind of something that’s nice when you can have a more extended timeline than things that are promoted for two months, where you give everyone the time to accept that new habit they’re going to have to take on, because it is a habit at the end of the day. It’s going to be routine forever going forward if you want to keep that certification. So it doesn’t really necessarily matter, maybe from zero to maybe having something established. In some cases it’s the same level of effort to me in a way, because we are reevaluating what you have already created versus some people starting from zero. It’s kind of nice in a way. We can just take out all this program if acceptable, but otherwise sometimes it has to be more custom if you only have partial things here and there.
[00:05:39] Jara Rowe: So how do you know what someone already has in place? I know that this is something you pretty much deal with day in and day out.
[00:05:47] Marie Joseph: Usually when we first engage with our customers at Trava, we do a sort of gap assessment on their chosen framework. So really it’s just taking in whether they have policies or not, reading through those policies and seeing the things that they’re committing to. And then from those commitments, actually check to see if they truly do them. So then we’re kind of acting as the auditor asking for the proof of, do you do this control? Do you do access reviews, for example, on a quarterly basis like your policy says, or are you really just doing them kind of here and there when someone’s onboarded or offboarded and not really having that formal documentation? So that’s kind of how we take that approach.
[00:06:27] Jara Rowe: All right. That’s fantastic. Okay, so I know that there’s multiple types of SOC 2. So can you explain the difference between SOC 2 type one and then type two and then how that impacts timelines and hoping that someone can get certified in two months?
[00:06:45] Marie Joseph: Yes. So type one and type two, the way I always picture them is type one is just that frozen snapshot in time. So it’s just, if I were to take a screenshot of us now, that’s our program, this is what it looks like. And then type two is actually testing all of those things. I think in a previous episode I probably related it to watching a movie, where if I pause the movie versus playing it, like we’re playing the movie all the way through now and making sure it’s going to have a good ending. And that’s really the bigger difference: we’re seeing if the controls operate effectively, is how usually it’s phrased. For type two, I would say how those impact timelines is, for the type two you have to have at least three months to show. Most people will choose to go into 12 months; if they need it quicker, they’ll pick the three month one, which isn’t really recommended, but sometimes you have to do it for contract’s sake.
[00:07:35] Marie Joseph: So when people say they got ready or they got you to SOC 2 in two months really because that doesn’t seem realistic, you have to have at least three months to show the observation. When that gets advertised, I just assume they have to be talking about just getting the type one. They get you to that snapshot in two months, which that’s reasonable in a way. But that also comes to one of the things where you might see more of those flaws because I personally like to get my customers ready for both type one and type two at the same time. I just think that’s how it should be. Most people start their type two after their type one, so why wouldn’t you get fully ready for both audits at the same time and then prove that you operate effectively. And in that case you would be able to see if there’s any issues of any controls that have to happen monthly or quarterly. You can tell if there’s going to be issues ahead of time so that you have that cleaner report when it comes to the type two.
[00:08:27] Jara Rowe: Cool. So does someone have to have the type one done before the type two?
[00:08:32] Marie Joseph: You can jump straight to type two, which is something I don’t normally recommend. It’s nice to have that type one just to have your external auditor offer their opinion before you get to the type two because then you could have wasted a few months for no reason if they were like, you should have done this control a little differently. So it gives you that option for your auditor to grade you before the bigger certification.
[00:08:55] Jara Rowe: All right. That totally makes sense. And with this next question, I feel like I already caught a misconception myself, but what’s the biggest misconception you hear about SOC 2 timelines?
[00:09:08] Marie Joseph: I would just say that the misconception is not telling in their advertising how much effort it’s going to take to get there that quickly. It sounds so beautiful getting there in two months, all the contracts that are going to help that you’re going to get in from getting there in two months. But it’s sometimes just not realistic, especially if the compliance hat isn’t that person’s full-time job. If it’s something that’s just kind of a pass to them and they also have a whole other role that takes up their 40 hours a week anyways, where that’s the misconception of you need that internal champion that can actually put in the work to get ready and then their life will become easier once we get them to that readiness and we give them those new habits basically.
[00:09:52] Jara Rowe: And that’s what I was picking up on as well is that you may have seen your competitor say they got their certification, but is it type one or is it type two? Because it definitely seems like it would be a little different timeline depending on the type.
[00:10:09] Marie Joseph: And I’ve always like, and how was your sanity during that two months?
[00:10:13] Jara Rowe: It doesn’t seem very fun to try to push it all in two months for sure. And especially talking to someone that literally does this for several companies, it doesn’t seem like it would be very fun.
[00:10:23] Marie Joseph: No, there’s usually a lot of emotions where that’s when I’m always using that joke of I feel like a cybersecurity therapist in a way. Like let’s try to find the realistic approach here and then just make that unique timeline.
[00:10:35] Jara Rowe: Yeah, for sure. So you are already giving a little bit of this, but what factors speed things up or slow them down when it comes to SOC 2 certification?
[00:10:47] Marie Joseph: Yes. I would say the team bandwidth is really going to be the bigger component there. Time’s always just the big component, and money, but the time of your internal team, we definitely need those internal champions to help us get you to that end goal. Those have to be sometimes more technical, or the leadership team in some ways; they have to own some controls, where that can help it go faster but also make it go slower at the same time depending on people’s willingness to help. And then I would say tooling is probably another piece, where if you’re willing to budget for certain tools to help make your life easier, that definitely helps the pace go faster, but can also slow it down because it does take time to onboard those new tools and get them fully configured, where that usually can’t happen in a two month timeframe at all. Everyone’s been through a sales call, a sales process; that doesn’t usually take that short of time. You have to decide and know what you’re purchasing. It is a big purchase because it’s then going to probably become part of your program for a year and so on. Or at least you’d want it to. But other things would really just be the overall funding and drive of the team, I would say. I think those are the two items.
[00:11:56] Jara Rowe: Yeah. Great. So another common question that I see that typical startup leaders and stuff have about SOC 2 is if it’s really needed to raise VC and funding. So where does SOC 2 fit into that realm?
[00:12:13] Marie Joseph: That’s a very broad question where the answer is, it just depends. It’s going to depend on the VC firms you’re talking to where they really prioritize that because if your idea of your company is that great, they may or may not care or they might be willing to help you budget and get you there after they already take you on type of thing. So I would say it’s really more so of a conversation and as you start talking to more VCs, you might have the conversation of, well, we would’ve really liked you to have that SOC 2 certification or be in the process or thinking about it. Where that’s a lot of the times what I help my customers with of let’s create that game plan, let’s show them the realistic timeline and then they’re usually fine with that too. Communication is key in real life.
[00:12:55] Jara Rowe: Communication is key. So, okay, we just got this SOC 2 reality check. So Marie, let’s see if we could bust this myth or if I can wrap this up. It is possible to get a SOC 2 certification, we don’t know if it’s type one or type two, but in two months. But it’s probably not very fun for the team to accomplish that.
[00:13:21] Marie Joseph: Exactly. It becomes kind of a full-time job per someone. There has to be someone internally kind of being the champion and the owner where that person will not have a good time usually for those two months. And it’s kind of like that scenario of the good, the bad, the ugly. Going to see it all in that time where you could have extended it if possible. Some people it’s not possible. You have to do the two months and that’s life.
[00:13:46] Jara Rowe: Yeah. Well, that was super helpful. Thank you for breaking down timelines when it comes to SOC 2. I’m so excited to continue this conversation with you in the next episode as we start talking a little bit more about readiness prep and efficient paths, and that’s the Tea On Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security, and follow wherever you get your podcasts.
