Prepare Your Organization for SOC 2 Certification
February 1, 2021
Cyber security is a huge concern for most businesses. One incident in a supply chain can have a cascading effect on other businesses and customers. So, what can organizations do to protect their data and their clients?
There are multiple best practice frameworks and regulatory requirements that an organization might comply with based on industry or data (think HIPAA, PCI DSS, and others).
This article covers SOC 2, or System and Organization Controls 2, which for many organizations can be more attractive in both scope and cost.
What is SOC 2?
SOC 2 is an auditing procedure meant to ensure that your organization manages its data securely and protects the privacy of its clients.
SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) to define criteria for managing customer data based on five principles: security, availability, processing integrity, confidentiality, and privacy.
Unlike other certification programs, the generated SOC 2 reports are unique to each organization and are issued by external auditors.
Organizations pursue SOC 2 certification for a number of reasons, though it’s not required.
So how do you know if SOC 2 is right for you?
What to Consider for SOC 2 Certification
Understanding Customer Needs
Most organizations pursue certification at the request of their customers or partners. The approach your organization takes to attaining a certification can have an impact on the way you communicate your security posture to current or prospective customers.
There are typically three phases to certification: implementing the program, operating it for a set period of time, and having it formally audited and certified.
If your organization spends 3 months in phase one to build the foundation correctly, you’ll be able to tell customers you have a best practice-aligned program that is currently in the certification process. Choosing the path to certification will instill confidence in your clients, especially if you’re able to accomplish it quickly.
The downside is that a short foundation timeline usually makes the work more expensive. If you don't build the foundation of your program well, you're more susceptible to breaches and incidents.
Having a conversation with partners and customers about a breach after you’ve spent time building their trust in your organization can be difficult.
If your organization is starting with nothing in terms of current security program maturity or it needs a significant effort to retrofit the existing program, it will take at least 3 months to build the appropriate program elements and at least 6 months to operate the program long enough to get SOC 2 certification.
To build the foundation, your organization first has to implement program elements such as the charter, policies and processes, as well as preventive and detective technical security safeguards such as 24-hour logging and monitoring.
Once the foundations for these program areas are established, your organization needs to ensure that these processes and technical capabilities are implemented and are performing and operating as they were designed for at least 6 months. This 6-month window gives an auditor enough time to measure their performance according to SOC 2’s standards.
When you’re planning for implementation timelines, there are two things that you have to keep in mind with respect to speed and quality: how much outsourcing your organization will have to do in order to implement the appropriate requirements, and the amount you’re willing to spend on implementation.
The faster you want to meet SOC 2 certification requirements, the more expensive the process will be. If your current program is very immature and you want to reach certification in under a year, it's best to use both professional and managed security services.
The benefit of using a security service provider is that these professionals will improve the quality of the resulting security program. Service level agreements guarantee both the work and the speed of your implementation, which helps when customers conduct early audits and when you describe your future plans to them.
If you want to use internal resources to reach SOC 2 standards, you'll reduce consulting costs, but you'll have to make up for it in opportunity costs. You also run the risk that your program might not pass the external audit later if your team doesn't consist of dedicated security experts.
In the worst-case scenario, you’ll burn the opportunity costs, the internal teams can’t get it done, and you’ll have to bring an external team to finish it. This will end up taking time away from your internal teams, while having the longest timeline to completion, resulting in the most expensive option of all.
As is the case with any new project, choosing any path toward certification will pose significant risk. Going with an aggressive timeline typically means outsourcing the foundation, which will have higher upfront costs.
Going with an internal team runs the risk of decreasing their productivity in other areas while working on a significant security effort, leading to potential burnout or an unsuccessful project.
It's also important to remember that getting a SOC 2 certification, or beginning the process, does not by itself mean your organization is more secure. The other security work your organization does while preparing for a SOC 2 certification is what reduces the risk of breaches.
The key to being successful in making these decisions and ensuring you’re taking on a level of risk appropriate to your organization is to make sure that you have enough information about available options to make informed decisions.
If you commit to aggressive timelines and approaches for SOC 2 certifications to partners and customers, be ready to make the appropriate investments to meet those commitments. If you go on a more internally-developed path, make sure your teams have the resources and ability to meet the scope of the project.
Going for a SOC 2 certification is doable as long as you understand the process, make well-informed decisions with your level of risk tolerance in mind, and work with integrity to build your security program correctly.