Many business decision-makers have incomplete or inaccurate views of why SOC 2 compliance matters to their companies. (If you’re reading this, you probably aren’t one of those decision-makers, but you might know some.) Here are five of the more popular misperceptions, accompanied by clarifications from the experts listed below, each of whom is featured in Trustero’s “Everything Compliance” interview series.
- David Carter, Senior Manager of Cyber Risk Assurance at Delta Dental, a group of 39 independent companies that provide coverage to some 68 million people
- Liam Collins, Co-Lead of the Trust Practice at Armanino LLP, one of the nation’s 25 largest independent accounting and business consulting firms
- Bert Friedman, Head of Compliance at business banking startup Nearside (formerly known as Hatch)
- Richard Stiennon, Chief Research Analyst of IT-Harvest and creator of the annual Security Yearbook and the new Analyst Dashboard, each of which tracks more than 3,000 cybersecurity vendors
Misperception #1: We don’t need SOC 2 compliance (or are only pursuing it because we have been requested or ordered to do so)
Friedman: “In this business environment, security is paramount. I think it’s essential to be able to demonstrate you do things and prove you have done things [to improve security] to the world at large and your business partners, especially for a startup [or SMB] environment.”
Misperception #2: SOC 2 compliance is almost impossible for my SMB (or can be achieved within a few days or weeks).
Friedman: “Neither of those is true. SOC 2 compliance takes effort, but not superhuman effort. But compliance doesn’t just take two weeks or even two months.”
Misperception #3: SOC 2 compliance is easier and/or faster for an SMB like ours.
Stiennon: to achieve sustained compliance with SOC 2 and all other relevant regulations and laws, “the SMB must do everything that Bank of America does. They don’t have a half-billion-dollar budget or 2,000 people to do it with. But they must find ways to become and remain compliant to secure their operations. This often involves using third parties – either having consultants or outsourcing to an MSP [managed service provider].”
Carter: “We’re seeing more computational assets – more of everything. The [compliance] target is both larger and moving faster. So how the heck do you hit it anymore? One option is to take some things and outsource them to a vendor, who is then on the hook for those things. The other option really comes down to automation. We need to automate our decision making.”
Stiennon: Getting to sustained compliance “isn’t something you can just do in six weeks. You will have the training, a deployment phase, an audit phase, and then a certification phase. And then you’re not done because you could be re-audited anytime. And you can easily fall out of compliance if you’re not continuously watching the controls you put in place and making sure they stay up to date. Fortunately, there’s hope coming for SMBs. As they move to the cloud, there are going to be automated systems and tools that make it very easy to monitor and defend your cloud stuff and remain compliant. So, it should get a lot easier.”
Misperception #4: I can/should deal with cybersecurity entirely separately from SOC 2 compliance (or SOC 2 compliance will take care of all our cybersecurity needs).
Collins: “Compliance is not security. We think of SOC 2 as an excellent framework to leverage when building a security program, but we urge our clients to mature beyond SOC 2 to more proactive security management. We see a shift to more continuous security monitoring at more mature organizations.”
Carter: “The fundamental truth is this: it’s always more expensive to fix something after you’ve built it. The sooner you identify what you need to do, the better off you’ll be in terms of both time and expense. Cybersecurity really should be baked in at the beginning.”
Stiennon: “Every SMB should have at least one person on the team who understands security. And it’s never too early to start thinking about it. Cybercriminals are the best security awareness training tool there is. There are companies that have had to shut down after a ransomware attack because they could never win back their customers or get all their data back.”
Misperception #5: We only need an auditor to check all the boxes necessary to prove our compliance with SOC 2, so whoever’s cheapest/biggest/nearest/first in an online search is fine.
Friedman: “The cheapest auditors are not necessarily the best. Neither are the biggest. It’s more important to find an auditor or team able to lead and willing to help you understand.” Those seeking successful, sustained compliance “need auditors who will work closely with them and take the time necessary to succeed. If your SOC 2 auditor doesn’t take that time, you may never get through the audit process, or it will be very painful. The auditor is not just a rubber stamp.”
Collins: “It’s important to educate stakeholders across the company to ensure that this [SOC 2 compliance] is not just seen as an IT issue. This is something that affects an entire organization. At the beginning of the conversation with a potential client, we ask questions like, ‘What are you looking to get from this relationship? Are you simply looking to check the compliance box? Are you looking to build a program that makes your company better, makes your customers’ data more secure, and makes you more successful in the long term?’ That’s important because we want an open and transparent long-term relationship where we are adding value to our clients and their customers.”