If your business handles customer data, SOC 2 is not optional.
It may not be on your radar today, but it will be soon. And when that time comes, how early you started will make all the difference.
In this episode, Marie Joseph, Manager of Compliance Advisory at Trava, explains what it takes to prepare for SOC 2 certification. She shares what early prep should look like, how to make the audit less stressful, and why every company’s compliance checklist is unique.
Whether you’re just starting or already deep in the process, this conversation will help you avoid the most common mistakes and take SOC 2 seriously before you’re forced to.
Key takeaways:
- What most startups get wrong about SOC 2 prep
- Why starting early sets you up for a smoother SOC 2 journey
- How GRC tools and consultants help you prepare for audits
Episode highlights:
(00:00) SOC 2 preparation: More than just a checklist
(02:37) How GRC tools help in SOC 2 prep
(03:35) When to bring in consultants or advisors
(04:37) The role of an internal champion for SOC 2
(06:51) Preparation for Type 1 vs. Type 2
(07:46) The biggest mistakes startups make
Episode Transcript
[00:00:00] Marie Joseph: If you’re in any sort of tech space, services space, if you’re collecting people’s data, these certifications are going to be very important to your customers and prospects, where if it hasn’t been a conversation yet, it will eventually be a conversation.
[00:00:35] Jara Rowe: Welcome back to The Tea on Cybersecurity. In the previous episode, we talked a bit more about whether or not it was possible to get a SOC 2 certification in two months.
[00:00:47] Jara Rowe: Now we are going to dive a little more into preparation and efficiency to make sure that everyone understands that SOC 2 is more than just a checklist. Hey, Marie, welcome back.
[00:00:58] Marie Joseph: Hello. Happy to be back.
[00:01:00] Jara Rowe: I’m so excited to continue this conversation with you.
[00:01:03] Marie Joseph: Me too.
[00:01:04] Jara Rowe: So what should a startup do first if they’re preparing for SOC 2?
[00:01:10] Marie Joseph: Biggest thing you could do first is to get a gap assessment completed on your program. So whether there is an existing program at all, or you have some things in place, it would really be looking at your policies and controls. And then from there, creating that timeline of how do we close those gaps that we found.
[00:01:30] Jara Rowe: Perfect.
[00:01:31] Jara Rowe: So I’m sure there is a SOC 2 checklist. There has to be something that everyone follows, but how is this really useful for someone to use, and what does this actual checklist look like?
[00:01:45] Marie Joseph: Very good question. I would say the checklist itself is probably just the overall SOC 2 standard, the published standard anyways, that you usually have to pay for to even see, and those are really, I would say, more high-level items of the objectives of what you’re trying to complete. So that’s where I would say the checklist term comes into play.
[00:02:05] Marie Joseph: But then that checklist is actually more customizable and can be more specific on how you decide to answer that objective. So then from there you would be able to kind of create how you meet that objective, and then that becomes your checklist in a way. And that’s not gonna be the same for every company.
[00:02:23] Marie Joseph: So everyone has the same objective that they need to meet, but the details in that will differ from company to company.
[00:02:31] Marie Joseph: Exactly. So it’s kind of your own custom grocery list in a
[00:02:34] Jara Rowe: Yeah, I love it. Okay, so I know GRC tools are something huge in compliance.
[00:02:41] Jara Rowe: So what role do GRC tools play in SOC 2 prep?
[00:02:46] Jara Rowe: Mm-hmm.
[00:02:46] Marie Joseph: So they will really help with that continuous management of your program. They can also help with that initial gap assessment as well. But I would say it comes more to that continuous piece. So once you get through your first certification, it’s helping you track the things that you need to complete within the rest of
[00:03:03] Marie Joseph: the next year to make your life easier. Now that you have that established program, I would also say it allows you to upload certain pieces of evidence earlier rather than later. So you’re actually audit prepping throughout the whole year instead of what most people do, when it’s just a few months or maybe a month before that external audit actually starts.
[00:03:21] Marie Joseph: So it allows you to not feel as stressed, hopefully as you get closer to the audit, because you would be technically managing it throughout the whole year instead of right at the finish line.
[00:03:32] Jara Rowe: Okay. Yeah, that totally makes sense. So I’ve come across a lot of companies just purchasing the GRC tool to go at, like, their SOC 2 certification alone, but say I don’t have any experience in this tool and I purchased it. What other kinds of support should I look for to help me get through the process?
[00:03:52] Marie Joseph: Yes, there’s definitely different types of consultants and advisors out there that can help you, that are familiar with compliance and how to get you to the finish line of those frameworks. There’s also different partners, like Trava Security is one of them, for example. So that’s where I work and, say, same with you, Jara.
[00:04:09] Marie Joseph: But uh, there’s definitely, I would say, people like to take us on to help them manage that just because they don’t have the knowledge or the understanding of what compliance really is. Or sometimes even security, if I’m being honest, because most of the people coming to us are either kind of more operational people or they are more of like developers, where the security stuff is like more so a nice thought, but not something they like to take seriously at the moment.
[00:04:35] Jara Rowe: Yeah, for sure.
[00:04:36] Jara Rowe: So when it comes to like an internal team, who should be involved in this entire like compliance process?
[00:04:45] Marie Joseph: That is normally, I would say it’s helpful, especially if it’s a SaaS company, to have some sort of technical lead if you’re using a cloud environment at all. That’s gonna be in scope. We definitely want some sort of technical lead involved at some point. And then I would say also someone more so on like leadership as well.
[00:05:02] Marie Joseph: The leaders are going to be the ones kind of encouraging the whole company, that all has to be involved, that this is a serious program. You have to do it in order for our business to keep going. So we’re trying to get to the hundred percent of all employees signing off on policies, taking the trainings, doing all that fun stuff.
[00:05:20] Marie Joseph: And I would say it ends up being kind of an entire team effort. But the people I work with the most are usually more of a technical lead and some of the leaders.
[00:05:28] Jara Rowe: For sure. I do know that it takes the whole team. There have been several times where you’ve had to tell us to make sure we get in the tool to sign off on the policies.
[00:05:38] Marie Joseph: Exactly. Gotta make sure we hit those deadlines.
[00:05:40] Jara Rowe: Absolutely. Okay. So again, I know that you experience this compliance journey literally every day with our customers.
[00:05:50] Jara Rowe: So what’s your top tip for making the SOC 2 process efficient?
[00:05:55] Marie Joseph: I would say really having that one or maybe multiple internal champions, like, I know I keep saying that, but it really helps make the habit in everyone that compliance and security is really important for the business overall. Because if no one’s really rooting for it, no one’s going to be like, oh, I need to take my training, or I need to make sure my devices actually all have a password lock on them, or something like that.
[00:06:19] Marie Joseph: So if you don’t have anyone internally like rooting for us, especially the work Trava’s doing, or the people, they probably won’t do it, basically. So you kind of just need someone inside being like, this is a serious matter, you guys have to do it. If not, there’s going to be some like bad things along the line in your role, where they might get like written up or something.
[00:06:39] Marie Joseph: For example, for not staying in compliance themselves. So you kind of need that person to push that it’s a serious matter, because security and compliance are, they’re big for your business.
[00:06:50] Jara Rowe: Oh, for sure. So I have an additional question for you.
[00:06:53] Jara Rowe: In the previous episode we talked a bit about SOC 2 Type 1 and Type 2. So when it comes to preparing for those, are there different checklists or objectives that companies have to meet?
[00:07:08] Marie Joseph: Yes. So when it comes to the Type 1, I know I mentioned it’s just that snapshot in time where you’re not really showing that the controls work, you’re kind of showing that they’re on, for example, like you have backups turned on. That’s really all they’re gonna really look for. But when it comes to that Type 2 piece of things, you’re gonna be showing
[00:07:26] Marie Joseph: the backups run monthly and, like, having to show proof that it happened in September, October, November, just all the months basically. So I think that’s where the checklist becomes different, is then the checklist becomes longer.
[00:07:39] Jara Rowe: Hmm. Yeah. ’cause you have to show more detail for Type 2.
[00:07:44] Marie Joseph: Okay.
[00:07:44] Jara Rowe: All right, fantastic.
[00:07:47] Jara Rowe: So what is the most common mistake you’ve seen startups make when preparing for SOC 2?
[00:07:55] Marie Joseph: I think I’ve talked about it briefly before, but it’s really that realistic timeline and budget. I would say there’s two things, but people, they want it to be done yesterday, which is not reasonable. Or for example, the two months, uh, which sometimes that’s not even possible with their own budget that they’re willing to offer up for this engagement.
[00:08:14] Marie Joseph: So that’s why I also mentioned the budget piece of things, because the audit costs money, and people don’t realize that it then becomes an annual fee once you do get there. And then there’s sometimes you have to fill some of those gaps with like different tools or maybe even a person.
[00:08:29] Marie Joseph: So it’s like you have to budget for those things, which, like, you can’t really make that decision in a couple of months.
[00:08:35] Jara Rowe: Yeah, I have one more thing. While it would be really hard to get SOC 2 certified in two months for sure.
[00:08:42] Marie Joseph: Very hard. Yeah. I mean, it’s a budget conversation; it takes usually a whole year internally, when you think about it, for the people that do handle that side of things: where was your SOC 2 even budgeted for at all?
[00:08:52] Jara Rowe: Yeah, that’s probably a question that, you know, a lot of startups don’t even think about.
[00:08:58] Marie Joseph: Yes. Usually, it’s not on their list to begin with, and then it just comes to them being like, hey, we have to have it in two months. And it’s like, okay, can you pull out the budget to have X, Y, and Z done? Then that’s usually when they’re like, let’s just make the plan, extend it a little bit for like next year’s budget, and then get it done.
[00:09:16] Jara Rowe: Wow.
[00:09:17] Jara Rowe: Okay, so SOC 2 reality check with preparation. What I am gathering is that it is super important to start early, as early as possible. And in that, make sure that you have time, space, budget for a SOC 2 certification, and then you can hire a consultant like Trava to help with this process.
[00:09:45] Jara Rowe: What else am I missing, Marie?
[00:09:48] Marie Joseph: I would just say, you already talked about getting started as soon as you can. Especially if you’re in any sort of tech space services space, if you’re collecting people’s data, these certifications are going to be very important to your customers and prospects, where if it hasn’t been a conversation yet, it will eventually be a conversation.
[00:10:07] Marie Joseph: So, like you were saying, the earlier you start, the better. Even if you’re just starting off with policies, it’s more realistic and better for you to not be in a rush. So getting started sooner rather than later is just the better option.
[00:10:19] Jara Rowe: Yeah. All right. Fantastic. Well, I feel like I’ve learned more about SOC 2 and getting SOC 2 certified than I knew previously, so I am so thankful for you spending time with me and all of the listeners teaching us about SOC 2. Thanks Marie.
[00:10:36] Marie Joseph: You are welcome. Talk to you.
[00:10:38] Jara Rowe: Bye.