Why Your SOC 2 is Hurting You
Your SOC 2 could take over a year to complete.
SOC 2 is to security certifications what the mitochondria is to cell biology: if you know anything about them, that’s probably the first thing that comes to mind.
Even if you know your SIG from your SOC, there’s plenty of nuance to digest. We’ll explore why SOC 2 has become so widely used, what the different types mean and whether it’s right for your team.
Services And The Rise of SOC 2
SOCs, or System and Organization Controls, are auditing frameworks introduced by the American Institute of Certified Public Accountants to help companies adhere to professional standards. In practice, SOC 2 certifications help some organizations preempt customer questions that arise in Security Reviews and Questionnaires.
There are three different SOCs, but we’ll focus on SOC 2 because it applies to service organizations and how they protect user data across their systems (SOC 1 focuses on financial reporting and SOC 3 is often a less specific version of SOC 2).
Service businesses – especially those that store user data – have become the primary driver of US GDP, rising from 50% of the economy to 85% from 1919-2019. So it makes sense that more and more organizations want to know how vendors will store and access their data as a condition of partnership. None of us want our personal data accessible online for anyone to see or use; we want to trust companies to protect it.
SOC 2 reports have five pillars: security practices, incident handling, confidentiality, quality assurance, and data privacy. These areas purposely overlap to give recipients a comprehensive view of an organization’s security posture. SOC 2 has two reporting levels for InfoSec teams to choose from.
What’s Your Type?
While Type I reporting focuses on the pillars we described above, SOC 2 Type II adds a layer of implementation data to the mix. Essentially, Type I reports on what an organization’s security controls are, but Type II explores how well they work in practice at a given point in time.
The challenge to producing a Type II report is mainly that it’s time consuming. You have to produce your Type 1 first – a months-long slog that can easily consume other priorities –and then wait over a year to measure your implementation effectiveness and report on it. It’s no wonder most companies only reach their Type 1 certification, if they conduct SOC 2 reporting at all.
The Certification Paradox
The most common mistake SecurityPal sees among companies pursuing their SOC 2 certification is the assumption that it will eliminate Security Questionnaires from their InfoSec team workloads and deal cycles. The opposite is usually true: companies will have more organization-specific questions when they interpret your SOC 2 report as having a complex security posture that warrants further investigation.
SOC 2 reports also tend to be much more effective among smaller companies than with large enterprises from which a SOC 2 is helpful but still insufficient. They’ll still ask for a custom Security Questionnaire that will force tradeoffs with other security initiatives. Security Postures are also constantly evolving, so you’ll need to frequently update your SOC 2 to keep it relevant to prospective customers.
Deciding to pursue a certification like SOC 2 inevitably leads to mixed outcomes. You could spend months creating a report that ultimately isn’t used or useful. On the other hand, SecurityPal completes Security Questionnaires with its scaled analyst team – underpinned by bleeding edge technology – in hours instead of days or weeks. That means you can put down the paperwork and get back to the projects you joined to do.
Curious what SecurityPal can do for you? Book a meeting with us today.