Demystifying SOC 2 Audits for Small Businesses

Kevin Qiu
December 6, 2021

Kristin LaPorte

Welcome, everyone. Thanks for joining us today. We're going to get started in just a minute. We just see some folks are still logging in.

Kristin LaPorte

Alright, let's get started. Welcome everyone to the webinar Demystifying SOC 2 for small businesses with Armanino and SafeBase. My name is Kristin and I'm with Armanino. I'm just going to walk through some logistics before we begin. If you want CPE credit, please actively respond to all the polling questions and stay on for the duration of the webinar. If you have technical difficulties responding to the polling questions, just shoot us an email at elevate learn at Armanino LLP dot com with the name and date of your session along with your poll responses. I will put this information in the chat as well for easy access. If you have questions, please submit via chat. We'll try to get to them at the end of the webinar and what we can't do we will try to answer after the webinar.

What you're going to learn today is to recognize the need for SOC 2 audits for startups and small businesses, identify the misconceptions related to SOC 2 audits, show how organizations work with auditors to showcase SOC 2 controls, and determine how to jumpstart a third party risk management program through the audit process. With that, I'm going to pass it over to our moderator today. Macy Mody who can introduce herself and the team. Macy!

Macy Mody

Thanks, Kristin. And hi, everyone. Thanks so much for joining today. We're all very excited to be with you today. I'm going to do a quick intro of the panelists here as well as myself. So I'm Macy Mody. I am the Director of Strategy and Operations for SafeBase. SafeBase is a Smart Trust Center that helps B2B companies share their security posture and automate access to sensitive information.

With us today we have one of my colleagues from SafeBase and two wonderful folks from Armanino. So starting off, Ryan Goodbary is a director for the risk Assurance and Advisory Services Group at Armanino, a top 20 public accounting firm headquartered in California. Ryan has been with Armanino for over 11 years and is a licensed certified public accountant. Ryan specializes in SOC 1, 2 and 3 compliance audits. And he works with a wide range of organizations from small startups undergoing their first SOC compliance audit to multiple billion dollar international organizations.

And we also have Kevin Qiu. Kevin is the Director of Information Security at SafeBase. At SafeBase. He oversees the internal security program and also works directly with product and engineering to have a direct role in the future of our product development. Prior to joining SafeBase he was a consultant in the financial services world and helped start the security programs at both jet.com and SeatGeek.

And last but certainly not least, we have Chris Oshaben. Chris is an audit manager for the Risk Assurance and Advisory Services Group at Armanino. In this role as a manager, Chris specializes in SSAE 18 SOC 1 and SOC 2 audits. Prior to joining Armanino, he's worked in a variety of internal audit and cybersecurity roles in both public and private sectors.

We are all really excited to be with you. And we are happy to answer any questions as we go. Hopefully, you see, we tried to bring in a variety of experts with different backgrounds here. So please feel free to use the Q&A portion of Zoom and we will make sure to leave some time at the end to answer questions. And with that, we will get started with our webinar today. Kristin, could you put the poll up? Great. So we're going to start with a quick poll. And I would love to know why are SOC 2 audits important for your organization? We'll give about a minute here for you to read through all the answers and give your response.

Kristin LaPorte

I'm gonna launch the poll results in three, two, one.

Macy Mody

Awesome, okay, great. We have a decently mixed bag here. So there are a bunch of you just looking to learn more about what a SOC 2 audit is, you're not sure if it's yet important for your organization. And then for some of you it's important because you want to have functional security controls in place to protect customer data. So that is certainly one of the core reasons to get a SOC 2. So excited to discuss that more. Thank you, Kristin.

Awesome. So with that, I would love to jump into our first discussion topic. And I'd love to start by covering why companies need SOC 2 audits. So we do know that many folks in management at small and medium sized businesses don't always have prior experience with security and compliance. So I'd love to start off by discussing why companies complete SOC 2 audits. And maybe we can also provide an overview of the time and money required. Ryan, you want to start with this one?

Ryan Goodbary

Yeah, I think Chris is gonna start off and then kick it back to me.

Chris Oshaben

Let me get started here. So Hi, I'm Chris, I want to start off by telling you a little bit about what a SOC 2 audit is. Since a lot of you're just trying to learn more about it as well. First of all, SOC 2 is in an audit framework created by the AICPA which is a public accountancy association. And it covers five major criteria, which includes security, availability of your system, confidentiality of your data, the integrity of the data that you process, and the privacy of how private your data is. So that's kind of kind of a quick overview and 100 foot view of what a SOC 2 audit is.

And so what people usually think about when they talk about SOC 2 audits, is how they secure customer data. So security is your primary criteria that every company has to include in a SOC 2 audit. The other four criteria are optional. So just to give you that kind of understanding of why customers might or clients might get a SOC 2 audit, the first and kind of the most prevalent thing that I see is, is to get more business and to enable new sales channels, and new revenue for the organization. It's very attractive to have an external third party audit of an organization's security controls that obtains customer data, and stores customer data. So that's the number one.

Number two, I would say, is to also show their existing customers. So you already work with a number of customers, but you want to show them year over year that you're protecting their data through a standardized method. So, you know, your controls may not change year over year, or they may change a little bit, but you can kind of show every single year that those controls are functioning. And, and it's against a standardized framework that doesn't really change too often. And then the third is, is kind of to respond to a customer's CTPRM or third party risk manager requests. So you know, a lot of SaaS organizations will get vendor security questionnaires asking a lot of questions about, say, your SOC 2 controls, or sorry, about your security controls, or maybe your privacy or confidentiality controls. So that's a great way to kind of answer those questions with one document, and then also to mature an organization in terms of your controls and processes.

So to basically to get a SOC 2 audit and to be compliant with SOC 2, you have to have a lot of policies and procedures. I would say a standard number of policy that you'll have to create for a SOC 2 is about 15 to 20 policies and procedures may vary actually, in terms of those as well. So that's that's also a major thing is to mature from from a process standpoint and standardize your processes. And finally, some companies actually get requests from their own board of directors to get a SOC 2. You got to make sure that that you know that the organization is protecting client data. I'll pass it off to Ryan as well to talk a little bit about time and other resources that organizations may require.

Macy Mody

And, Ryan, before you dive in, I think we did get one question from the audience from Ted. Thank you, Ted, which is probably good for a level set. And he asked what the difference is, and if you could define SOC 1, 2, and 3, so maybe you could go through that. And then what the time and money commitment is?

Ryan Goodbary

Yeah, sure, happy to do that. So SOC 1 is going to be really driven around financial reporting. So for an organization, I'd have external auditor. And any information if you're using a service organization that ultimately is going to impact your financial reporting, that would require a SOC 1. And ultimately, the reliance in the user of that report would then be the auditor of your company, sought to as more around personal data, housing data, and security of that data.

Again, we'll get a little more detail because this is around, as Chris mentioned, the five criteria, principles around that, that we're going to look at. And then SOC 3 is really, we'd call kind of a high level overview. It's, it's not as common. It's a general use report, on the SOC 1, SOC 2. Let me be very specific to restricted use for any customers you might have. And it's going to be NDAs, where you're only using it for specific purposes. The SOC 3 is really something you could circulate to any prospects, a high level view of your organization without giving any IP or very specific data to the way or information around how you run your business.

And kind of diving into know time and money and how it goes into the process of getting a SOC 2 audit or SOC 1. You know, the key things that I always tell folks, when they're looking at this is four key areas in determining your auditor. I would say, I think the first one to look at is quality. You know, every firm is a little different in the way they approach the audits. And having that discussion, understanding what's their approach, what's going to be relevant and acceptable from the audit evidence standpoint, it is going to vary from firm to firm. So I think looking at the quality of their approach is significantly important and very valuable as you go through the process.

The second one would be experience, making sure that the firm that you're looking to engage with has the skills, the knowledge, the expertise, in the business in a area of how you run your business and the type of industry you're in. Now, I can say for Armanino, we issue over 300 SOC reports a year. We're very knowledgeable and experienced in that area. And again, kind of diving into those details with any auditors that you're looking to engage with is going to be important and getting a comfort level.

Third, which usually probably you could say is one is cost. You know, it really does depend. It's not an answer a lot of folks want to hear, but going through the process and having the discussion with different auditors. You know, it really varies on the size of the organization, complexity of your systems and applications that are in scope, on the trust service criteria that's in scope. Different things like that are really dependent on, again, what's going to drive ultimately, the cost and the time and effort that is needed to complete the SOC audit.

Lastly, and one that kind of gets not maybe as much thought, and I think is really important is personal fit. Now, is it a good fit? Is it a good partnership, that you'd want to work with this firm going forward? Again, there's there's several ways of approaching these these audits. You can kind of get the boilerplate checklist, audit, you know, pass the compliance, and you'll get that to your customers and move forward. Or, you know, the other approach is more kind of value added, how can we help the organization grow as you build out your security program as you scale, especially for those smaller organizations and doing it in an efficient and effective way? I'd say for the way we approach it is definitely the latter. But it's important to go through that conversation with whoever you're looking at for potential auditor, and making sure that you're getting the full understanding of their approach in a way they scope in and look at these are these audits.

Macy Mody

Awesome, thanks, Ryan. That was super helpful. And kind of on that note, since it's so time consuming, and Kristin, if you want to go to the next slide, we are seeing lots of companies start to help automate or help with automating parts of the SOC 2 process. So just kind of curious. Over the past two years, we've really seen a lot of startups launch to help with this automation. What parts of the process do these tools cover? And what expectations should companies have prior to purchasing them? And Kevin, maybe you can start since you live in the startup security world day in and day out?

Kevin Qiu

Yeah, thanks Macy. So some of you might be familiar with tools like Secureframe, or Drata or Vanta. And what a lot of these tools do is they help with the evidence gathering. And so traditionally, before these tools existed, whenever an auditor wanted to see evidence, you either took a screenshot, or you would have some sort of video call where you would share your screen. And this is the process that takes a lot of time, even if you have everything in place, because you need to show proof that like all of your employees have MFA enabled for their email, and that all of your databases are encrypted at rest. And so these tools connect with your existing security and cloud tools. They basically gather a lot of the really common things that auditors are looking for, such as lists of your admins, your change control tickets, and things like that, and they organize it in one place. And so this saves you a lot of time that you would otherwise have spent  looking through your wiki, downloading documents, putting it in a zip file.

So just be aware that simply having one of these tools doesn't automatically make you SOC 2 ready or compliant and whatnot. They're simply a tool to help you with organization. And so if you see someone say, like, oh, like, use this tool, and you'll be compliant in a week, it's probably a little untrue. You still have to write your policies, you still have to, most importantly, make sure that the policies you have are actually enforced, right? So if your policy says you need to have MFA enabled everywhere, you have to go into your Google or your Microsoft settings and actually enforce it. So that's just setting some expectations there. But we feel that overall, anytime you can automate any sort of compliance, it only helps you and but just make sure that you're still doing the actual work and not just relying on these tools to get you there.

Macy Mody

Awesome, super helpful. And just to clarify, so Kevin did use an acronym MFA, that's multi factor authentication. And we also had a question come through about what SOC stands for? Services, organization, compliance, correct?

Kevin Qiu

System and organization controls. Yeah. It's one of those terms that everyone just says and what people actually don't know what they stand for.

Macy Mody

System organization controls, well, that I learned something new. Thanks, Ted for servicing that. Really appreciate it. And then Chris, Ryan, anything to add to what Kevin said about some of the new startups popping up on the scene?

Chris Oshaben

Absolutely, yeah. And I want to address one more thing, I saw a comment, asking if there's any kind of slides on bullet points of kind of some things we're talking about, you'll have our contact information after this webinar.We would really love to have a conversation with you. And, and give you some more information about the stuff that we're talking about today. So feel free to reach out after the fact.

But talking about automation. You know, I I'm really happy Kevin, that you brought up automation in terms of continuous compliance, and integrations. Love that part of it. I want to also talk about some other parts of automation for the SOC 2 process. So, you know, a lot of misconceptions are that your security controls have to be manual. And manual security controls take a lot of time to test. So as auditors, when we see a manual security control, we actually have to get a population of activities of that control. And we have to test every single population within a period. And that can take a lot of time, and can cost more to actually run your SOC 2 audit. So we actually suggest a lot of our clients create automated controls to their security. I'll give you an example of a few.

So I have one client, that for user access reviews, making sure that their users have proper access to their systems. They actually automate their user access reviews with a script, and they run it every single day through a PowerShell script. So it's a really effective control. All we have to do is look at the configurations of their script. Because we have some auditors that can read that script. And we can look at the results for one day. It's an automated process. So that's an incredibly helpful control in that manner.

Another one would be security control that some organizations have is a manual review of audit logs. Now if if y'all are security personnel, you might know that a Syslog, you might have 1000s to maybe millions of logs in a given month, right? And so if you're doing a manual review of all your logs. That could take an organization hours, and hours to really effectively do it. Now, if you set up software to do it, like a, like a SIEM, or some kind of logging, aggregation and monitoring tool, it can actually do it for you in an automated fashion. And you can set rules for what kind of alerts and logs you want to escalate to your IT team. And it helps, actually, with your audit itself, it can help with how your auditors look at your controls, and how much time it takes for them to test your controls as well. So it saves both sides time and money.

I would also suggest automated deployment and integration kind of code pipelines, making sure that you have security checks and scans on your code before you deploy it to a final production setting for your application. That's huge. And it can be a replacement for a peer review, or security review that a coder would have to do for another coders code.

And finally, I would look at role based access control. So for every single role, you have your organization or job title. You have a set list of access that those people are allowed to have. And they automatically get that access when they're hired. So it actually saves you time in approving individual access points. And it saves your auditor time in reviewing what what access people should have and what's been approved, because we're already we already know that all that access is pre-approved. So those are some really good automated controls, you can set up for your SOC 2 . Additionally, you know, talking more of that continuous compliance that Kevin brought up earlier. There are some great automation and continuous compliance tools that you can onboard to your system. And it'll help streamline your SOC 2 process. I would say one great example that we work with would be Tugboat Logic. It's, it's a really good tool. It actually just got bought out by OneTrust, I believe. And they have amazing integrations with with compliance tools, like JIRA, like as a ticketing system. And through those integrations, it can pull tickets directly for your auditors, and it can actually pull populations for your auditors. So you don't have to lift a finger as a client organization. So those are just some great examples, I think of automation that will help with your SOC 2 process.

Macy Mody

Awesome, that is super helpful. Thank you, and thanks for providing some examples that people might want to look into. And with that, I think we're ready to go on to the next polling question, Kristin. So polling question number two. Kristin is launching it now and would love to hear all your answers to what are the five Trust Services criteria that could be potentially referenced in a SOC 2 audit report? Note this isn't a quiz. We're not reporting grades anywhere. Just curious kind of what the level of knowledge is.

Kristin LaPorte

Looks like everyone's still busy answering. We'll just give it a couple more seconds. All right. 3. 2. 1. Results.

Macy Mody

Wow, very decently even split here. Let's test my personal knowledge. I believe the correct answer is C. Processing integrity, privacy, availability, security, and confidentiality. It's not right? Okay, I got that one. Perfect. All right. So yeah, that was the right answer. But good to see everyone kind of knew at least a few of the words there.

With that, we'll go into the next discussion point. And here we want to talk about some misconceptions and common myths around SOC 2. So I think all of you can probably talk to this one. And my question is many SMBs may have misconceptions when it comes to SOC 2 reports. What are the common myths related to SOC 2 audits, and are they common across this compliance standard, or across the entire compliance industry? I guess, and how can we address them? So I guess anyone that wants to start go ahead. Maybe Ryan, you have I haven't heard of your voice in a little while.

Ryan Goodbary

Yeah, I mean, I would say, and one of the biggest ones that I come across is, is around the time that it takes to perform an audit. They'll call us say, hey, you know, have a discussion, let's get a gauge. And then the next thing, they'll say, go get a report a couple weeks. It's just not that quick of a process, there's a lot more that goes into it. Generally all, especially the first year you're doing a SOC 2, I would say, from start to finish, you're looking at probably six to eight months. Again, you can go quicker, you can take longer. But just understanding the amount of work that's involved on your building your security program from the ground up. And so there is a lot of time and effort that goes into it. And like anything else, the value you get out of is the time you put into it. You can get by by having the bare minimum. It just depends on what the organization wants to do to build it out. Especially as you grow and you scale and having some thought behind your policies, your processes to help grow, again, to what Kevin and Chris talked about the automation side, and helping the organization grow in a way that you're still reducing your risk, and you have the proper controls in place, audit evidence. But also, again, that makes sense as your company's growing and, and doing an effective way. For me in conversations, that's probably the biggest one that I come across that just snap your fingers and get yourself to issue a report a couple weeks down the road and it's just by no means the case.

Chris Oshaben

Absolutely, I'll chime in with a few others too. SOC 2, here's a number one that I hear: SOC 2 is a certification. And a lot of organizations will throw around the term SOC 2 certified. But I actually kind of wanted to kind of dispel that myth a bit here on this webinar. SOC 2 is actually an audit. And at the end of the SOC 2 process, you do not get a certification that you can kind of put onto your website.You actually get an audit report that you can distribute to your customers once they sign an NDA, a nondisclosure agreement. So that's the first and kind of the biggest myth that I wanted to dispel.

I'll tell you a few others that I feel are kind of pertinent. Auditors are your enemies. So you know, we consider ourselves your audit partner. We do not consider your ourselves your audit adversaries. So we are here to to work with you as an organization. You know, whenever we start a SOC 2 process for an organization, we will do a readiness assessment. So we'll kind of do an inquiry based assessment of the controls that you would typically have in organization for SOC 2 against your readiness. And we will give you recommendations on ways that you can implement those controls before you get into your audit. So we're there to also be your partners in that respect. And we typically tend to set up calls with our, with our clients to just go over any questions you may have, before the audit process begins. You can even talk to us about controls you've implemented and if they're audit ready, and what we would be looking for for a given control. So we are your audit partners.

And, and I think the last one that I kind of want to talk about is SOC 2 is just setting up a couple of policies. I mean, and policies are a big part of SOC 2, don't get me wrong, but it's not just setting up your policies, but it's operationalizing their policies. So you can have a bunch of documents. But if you're not doing what you say in those documents, your auditors will actually be looking into those policies, and making sure that you're doing what you say you're doing. So operationalizing policies is a big part of your SOC 2. And I kind of want to pass it to Kevin to get his take.

Kevin Qiu

Yeah! So a couple of other things that I want you all to know, it's a common perception that, oh, we're doing a SOC 2 audit. This is going to be really annoying. It's going to slow us down. I hear that a lot from developers who are like this is gonna make me not able to be not be able to push code quickly. And one thing to note is that these controls are in place for a really good reason.

So a good example, is backups, right? A lot of companies are like, oh, yeah, we have backups, but they never test them. And then when it comes time to actually do a backup restore because of an incident, they're left scrambling and they don't know what to do, right? And so that's kind of why backups, for example, are a big part of it. Other things like peer review, for major changes. A lot of companies, what they do is for really big changes they require like a committee to review and things like that. So if any of you are familiar with DNS, DNS is a very tricky thing. And it's very easy to misconfigure. And so the reason why it's It's very common for really big things to have multiple people reviewing is because sometimes you can make a quote unquote, small change that takes five minutes, then it can take your whole website down, right? Like look at what happened with the recent Facebook outage. It was a small, that misconfiguration, but they were down for many, many hours and everyone in the world noticed. And so when your security team, I mean, a lot of you are part of security. But when you hear security people ask you to do these things, don't take it that they're trying to slow you down. But really try to think about it from their perspective. And why are they asking you to do this stuff, right? Usually what they're asking you to do, is something that will help the company in the long run, even if, in the moment it feels like it is a blocker.

Macy Mody

And then I'll remember that next time you tell me to go through the proper process to get access to something. Awesome. Thanks. All that was that was really helpful. So with that, we can move on to the next topic here. So it does appear to be quite common for SOC 2 audit reports to be filled with canned or illustrative controls. But really SMEs may have important security controls protecting their information systems and applications that are not called out in these reports. How can service organizations work with their auditors to better showcase these controls in their SOC audit reports? And, Kevin, if I know you just spoke, but maybe you want to start here?

Kevin Qiu

Yeah. So one thing to know is that a typical SOC report is meant for companies of various different industries. And so the controls are high level and very general and broad. One thing that people typically think is only tell the auditor the bare minimum of what they need to know. And so one thing to think about is, maybe this isn't always the case, right? So Google made Yubikeys very popular. So if you guys aren't familiar with Yubikeys, there are these USB devices that you stick into your computer. And instead of having to type in a two factor authentication code that gets sent to your phone, you just have to touch the Yubikey, it's basically a way to prove that you're there in person, and that you're the person who should be able to log into this account.

And this is a newer trend that a lot of companies are using for their two factor authentication strategy. And something like that can only help you, right? You should bring it up. Because a lot of times, if you have these newer technologies, an auditor may not necessarily be familiar with them. But if you talk to them about it, and you explain how this is actually better than what is typically used, or if this is something that you can use as a compensating control, right?

One good example is, like, if you guys are familiar with the payment card industry, PCI reports, a lot of times the audit requires you to change your password every 90 days. And a lot of companies don't do this anymore. Because their compensating control is they have very strong two factor authentication, which makes it so that even if someone is able to get your password, they're not gonna be able to get in without that two factor, that second factor that's very hard to get to.

And so things like this can only help you. And so obviously, if you're doing something that isn't up to par, don't tell the auditor that necessarily. But whenever you go above and beyond, just let them know, they might actually find a way for it to show up in a report. And so when a customer sees it, they might go, oh, wow, these guys use Yubikeys. That's awesome, right? And this because it reduces the likelihood of phishing by a huge percentage, as we've seen, right? And so that kind of thing you wanna think about.

Macy Mody

Super. Yeah. And Chris, maybe?

Chris Oshaben

Yeah, absolutely. I'll chime in as well, you know, I want to kind of go back to a myth here as well, it's SOC 2 is simply a list of hard requirements without flexibility. So that's just not true. Actually, you know, there are, there are requirements for selected, they call them criteria, or common criteria, as well as additional criteria. But the controls that you put into place that your auditors are actually testing can be set against the criteria, but can be maintained by your team. So I'm going to tell you, I've been on both sides of this equation.

I've also been a program manager for a SOC team program for a large insurance company. And it was actually great from our experience, we were able to market a lot of our security controls that we had in place at my organization on our SOC 2 report so we had a very robust program. As an example, a very robust privileged access management system, where we made sure that only the admins that required access to administrative access to systems got that and we had software that we used to review admin access on a very regular interval actually almost continuously to make sure that there was never unnecessary elevation of privileges to administrative access, which was amazing. And we did get to showcase that within our audit. So that was a great opportunity for us.

Another example might be role based access controls, I think I talked to this earlier in the webinar. But you can, if you have a very robust role based access system, you might have over 1000 different roles in your organization for large organizations. Or if you're a small company, you have 10. But if it's robust, and you make sure that those people only have access that they need, and that they're automatically provisioned that based on a role, that's something that you can really showcase as well, in your SOC 2 report. So, you know, there's some creativity that comes with this. And there's a marketing aspect that you can show your your customers and other stakeholders that you have great security controls. And, you know, I think to Kevin's point, if you have a security control you want to showcase, just bring it up with your auditor, they'll know where to put it on your SOC 2 framework, you can just tell them that you want to add it. So that's what I would say.

Macy Mody

Awesome. Yeah, super helpful. Definitely communicate with your auditor. You know, Chris, and Ryan here being two of them are very open and easy to chat with. So definitely recommend that. With that. Kristin, I think we're on our third of four polling questions. So I would love to hear from you all, why are SOC 2 audit reports useful in response to vendor management and third party risk management security questionnaires? And Kristin, if we could give it a 10 second warning, as a request from the audience, so no one misses the poll. Again, that would be lovely.

Macy Mody

Starting to slow down, so let's give it 10 seconds. All right, 3. 2. 1. I'm going to lock the results.

Macy Mody

Awesome. All right. So looks like most people think all of the above is the correct answer. I think I would tend to agree, does one of the experts want to chime in? If that's right?

Chris Oshaben

That's exactly right. Yeah, it's all the above. Those are all great reasons, actually.

Macy Mody

Awesome. Awesome. Very good. All right, the audience is definitely well informed. So we have a few more, three more topics to cover. And so this one, I'd love to chat through third party management and SOC 2. So my question and Ryan, maybe you can and can start with this one? How do vendor management practices tie into the SOC 2 process and what activities can SMBs incorporate in their compliance environments to improve third party risk management practices and better comply with SOC 2 audit requirements?

Ryan Goodbary

Yeah, so this is one where and again, you get customers that need a SOC 2, who don't really know what that entails. Or it's you want to kind of check the box, so you can engage or conduct business with them. I think this is where I try to look at where the value is, as part of that SOC 2 process is really around the third party management. So there's actually a section within the common criteria, which addresses your third party management process. And, you know, with that, really helps mitigate a lot of the risks. By doing a review of vendor agreements, a risk assessment over all the vendors that you engage with, reviewing SOC reports. A good example that would apply to a lot of SaaS platforms is AWS, GCP, Microsoft Azure, getting those reports, those SOC 2 reports, and reviewing those on a periodic basis. It's important because a lot of the physical logical access controls that you're relying upon, is from that cloud service provider. And so making sure that you're reviewing that SOC report that there aren't any exceptions that would impact your ability to rely on that organization, as part of your infrastructure. So there's a couple of things that you know, added value as part of the SOC 2 and I think around the third party management, the policies that you build out, it's important to have a very thorough and robust process in place to ensure that you're mitigating ultimate risk with any of the third parties that you will engage with as your organization moves forward.

Chris Oshaben

I'll chime in a little bit to actually I will say there is an entire section of the security common criteria of the SOC 2, that is entirely devoted to third party risk management. It's actually the it's called CC9. And that section actually requires you to have robust policies and procedures around how you manage your vendors, specifically your technology vendors. It does also require you to sign vendor agreements with clear terms with your vendors, and security considerations with those vendors. It also requires you to review your vendor relationships at least annually for security and other purposes. So just just a little tidbit there that when you're doing your SOC 2, you will kind of be forced to create a TPRM system.

Macy Mody

Super helpful Chris. And Kevin. My shameless plug if maybe you want to just comment on kind of how SafeBase helps with this a little bit?

Kevin Qiu

Yeah, so like Macy, and I work for a company called SafeBase. Our main customer facing product is a Security Status Page. And so if you're one of our customers, you can transparently list out information about your security program on the status page without an NDA, or anything secretive. And the idea is, if you're a vendor who uses SafeBase your customers and prospects can evaluate you proactively and see that you have things like SAML in place, that you have a firewall, intrusion detection system, and things like that.

One of the reasons why third party risk is such a problem is because of this idea of security through obscurity that's slowly becoming outdated. And so basically, the more you share about yourself as a vendor, the more likely you're going to be able to build trust. And so from a buyer's perspective, you also want to be looking at vendors who think the same way. If you have a vendor that doesn't want to share anything about their security program, or makes you jump through hoops to get information like a SOC 2 report, it might make you think about like, hey, maybe this vendor isn't someone I should be using, because they're so unwilling to be transparent about how they protect my data, right?

Macy Mody

Yeah, thanks, Kevin, you couldn't have said it better myself. And the only thing I'll add is, we would love to chat with you at a later date of how you could potentially share your security posture, and help sales move a little bit quicker by arming your sales team with security. Great, so next question is the second to last. And I think we'll try to leave the last 10 minutes here for Q&A. So that gives us eight minutes, please enter your questions. Now, I see we have a few already. But next question is what can SMBs do in the interim, if they do not want to fully invest in a formal SOC 2 audit? Kevin, I think you have pretty good background in this. So maybe you can start?

Kevin Qiu

Yes. So we work with a lot of smaller startups who aren't quite ready for a SOC 2, whether it's because they don't have everything in place, or simply becase they don't want to spend the money on the audit. And so one thing to note is that security doesn't necessarily require an audit, right? You can do everything that you would typically do for a SOC 2 and not get the audit. So you can do things like have multi factor authentication in place, have password managers, set up your policies, build your role based access control matrix, etc.

And so for smaller companies, you don't necessarily need a security engineer to start building your security program. You can just do very basic foundational things like don't give everyone admin to every single application. Right, and, and so what we see what a lot of these smaller startups is, they'll take like, the SOC 2 framework or ISO 27,000 framework, and they'll try to tackle the big portions that can provide big impacts such as the multi factor authentication, and having all of your vendors documented in one place, and things like that.

And so we recommend, do as many quote unquote free things, or low cost things, as possible before you do that audit. Because customers, they might say, okay, you're a small startup, we we understand you don't have full SOC 2 yet. But we need to see some form of security investment. And so whether it's putting that information in a white paper for them to view, or building a security page, like what we do with SafeBase, just showing that you thought about security early on goes a long way in helping with the sales process.

And in many cases, this is kind of a little trick for sales teams, in that if you're not quite ready for that SOC 2 yet but you have a really big customer that you're trying to sign. A really common strategy is to bake into the master services agreement or the MSA that we will have a SOC 2 completed by x date six months into the future, or a year into the future. This way, a) you have some time to prepare and b) you sign that really big customer. So you get that revenue. And you're not rushing into it right? Because the last thing that you want to do is rush into a SOC 2 before you're fully ready, then you get a report where the opinion of the auditor isn't great, and no one really wins in that situation. Chris Ryan, would you like to add to that?

Ryan Goodbary

Yeah, I mean, I would say, to echo that, Kevin is back to what I mentioned earlier as just being forward thinking and starting the process sooner than later. You know, not trying to cram in last minute getting your your SOC report. Again, it's it's not a process where you can just kind of flip the switch, and the next day you got report, there's a lot of steps along the way. And you want to do it in a thoughtful way that makes sense for the organization in a way that adds value, along with getting that SOC 2 compliance. I think to Kevin's point a billion that in so that's a great suggestion. And then just being proactive in some of the conversations early with folks that you might want to engage with questions you have with auditors, again, looking at their approach, understanding how they're going to go about the audit, and what does the timing look like? So you can really work backwards from you know, if it's going to be this is the day we have to have this to, you know, sought to buy? How do we build out a program in a way that doesn't stop the the day to day operations of the business. And a plan that is effective, and ultimately, again, gets you a report that not only is saw to the plan, but it's actually reflective of what you guys are doing, it's a clean report on something that you're proud to give to your customers and prospects as you move forward.

Chris Oshaben

Yeah, and let me add one more thing, actually, you one thing I would start to SOC 2 as a risk based audit tool, it's really, it's really a risk centric, I would suggest that organizations do a risk assessment and enterprise risk assessment of their and identify risks in your organization. And to mitigate those risks, build out controls that are key to your organization. Those controls can later be used in any SOC 2 report or, you know, a lot of your your potential customers may be doing security assessments of your organization, one thing that they're going to ask for if you don't have a SOC 2 is your risk assessment. So I would start off with that, let's get get a risk assessment done. And note some key controls that you need to put into place to mitigate risks you've identified. Yeah,

Kevin Qiu

You can actually hire an audit firm to do like a gap analysis and not like a full on audit. So at least you'll know, hey, like if we were to do an audit, these are the exact things that we should focus on.

Macy Mody

Awesome. Okay, so I'm going to propose that we move on to the last polling question, and then kind of quickly speed through the last topic, so that we have plenty of time for Q&A. We have five questions so far, reminder to please submit any more you may have. And the last polling question, what is an example of an important security control that an organization could include in a SOC 2 audit report? And, Kristin, if you could please give that 10 second warning, again, I think people liked that.

Kristin LaPorte

I believe it's just for questions. Anyone who wants CPE, they need to answer for them.

Macy Mody

Yep, so this is the last polling question. So make sure to answer.

Kristin LaPorte

Alright, it looks like it's slowing down to 10. Second warning. All right. 3, 2, 1, let's launch.

Macy Mody

I think the majority is correct in all of the above. Role Based Access Control, secure coding practices and employing a web application firewall are all important. Yeah, I'm right. Okay. Good, Chris. Awesome. All right. So we'll we'll quickly hit on this last topic for two minutes, which is security questions for large organizations. So we do get a lot of security questionnaires from larger organizations, and what do they typically ask that are not are usually not covered in formal audits? Anyone start?

Kevin Qiu

Okay. Yeah, yeah, I can start. So a big focus point for us having a SafeBase security status page is product security. And so with cloud security, there's this whole concept of shared responsibility and what are ways the customer can also help protect themselves and not solely rely on the vendor. So a lot of organizations in their custom questionnaires, they'll ask for things like, do you support SAML or Active Directory? Single Sign On, because it reduces the need for passwords. Do you have things like DDoS protection? For example, someone tried to DDoS us recently, but we had Cloudflare to help mitigate that. Do you have a web application firewall that filters out a lot of common web attacks. These are things that are very specific and a little more focused. But these always, always, always show up in custom questionnaires. And if you can work with your auditor to share that information about your your product security capabilities, they'll find a place to put that in the SOC 2. And when someone looks at it, they'll be like, oh, great. This checks off all the boxes for our IT organization who needs this.

Chris Oshaben

I would also contend that the SOC 2 maps extremely well, with most vendor management questionnaires, and security questionnaires that are out there in the industry, including SIG, I actually just did a mapping of SIG Lite for one of our customers, our clients, on section five of their SOC 2 report so that they can send it to clients. And already have questions answered for for that exact framework. So they may not get that that questionnaire in the future, they could just, you know, hand over their SOC 2 report. So it maps extremely well, especially if you have all five criteria.

Macy Mody

Awesome, awesome. Thank you both. Okay, so with that, we have gotten six questions, and I think we can hit them all in the next 10 minutes. While we answer them Kristin, if you want to go to the next slide. On the slide, everyone will have all our emails, we'll also send the recording of this presentation after the fact. And it will be posted on both the Armanino and SafeBase websites. But please feel free to reach out to any of us if you want to learn more about SafeBase or Armanino services or simply have questions about your security programs and SOC 2. Feel free to take down any of our emails, and we are happy to hop on a call.

With that, let's start off by answering some questions on cyber insurance. So two questions that are related. So what risks, well, I guess really, one? What risks can and cannot be offset by buying insurance rather than paying for an audit? Chris Ryan, maybe you want to start?

Chris Oshaben

Yeah, I mean, cyber insurance is really just transferring, it's really just transferring risk. So I mean, if if you get breached, right, let's say that you get a data breach, it can pay for a lot of kind of the expenses that come with a data breach. For instance, like setting setting back up your systems remediation for that breach, paying for external experts to come in and and do investigation of how the breach occurred. It can pay for a lot of that. What it can't pay for is your reputation that you lose when you have to tell your customers that you got breached. So I it's it's good to have security controls in place to mitigate security risks, rather than just transferring them. I would say having cyber insurance on top of any security controls to mitigate risks is great to have just because you already had your controls in place, you're third party audited so that you have a third party come in and attest to your controls are given the assurance around your controls. So you did everything you could plus you also have insurance to mitigate additional costs. That's the way that I would do it if I was an owner of an organization getting a SOC 2 audit or not getting a SOC 2 audit.

Kevin Qiu

Yeah, one other interesting thing to note about insurance is let's say you have a ransomware attack, and you're thinking about paying the ransom. So the insurance company won't give you ransom money upfront. If you pay it out of your company's bank account, they may reimburse that amount after the fact but it's not covered upfront. So if the ransom is for like $10 million, if you can't pay about $2 million, you might be out of luck. So just be aware.

Macy Mody

And another little plug. Kevin did an awesome webinar on ransomware, a couple weeks back and it's posted on the SafeBase website. So if you do have more questions related, please feel free to watch that or reach out to Kevin.

And next question. I'll just quickly answer what you expect the cost to be of SOC 2 and the timing you mentioned that just audit or preparation and audit. The cost I believe we stated was about 100 to 150,000 a year that includes the software and resources and then in terms of the time we had said 200 hours per year I believe can Ryan can expand.

Ryan Goodbary

So I wouldn't, I wouldn't speak to the dollar over time, because like I said in the beginning, it really varies on your scope. Plus the organization, again, the size, how much you built out already, if you're starting from scratch versus, I know we have a number of policies circulated, it's more kind of putting our ducks in a row, filling in the gaps along the way. Again, I know, people are looking for specific amounts, but it really does vary from organization to organization.

What I would encourage you guys to do is back to the point I made earlier, starting those conversations early, and really getting engaged talking to different auditors of, hey, this is where we're at, this is what we need done. This is the timing. Now can you kind of give us a gauge of scope as far as price? How much? How much time do you think it'll be on our side? Again, because it really it really could be vary from, you know, some organizations where I've spent a couple weeks and they're ready to go, or others it took six months to remediate and actually get ready for the audit. So it's a wide range. And I think honestly, my suggestion is just  start that conversation with auditors earlier than later if they can give you some more specifics.

Macy Mody

Yeah, and also, okay. I'm sorry, Chris, we just got a comment in response, if you don't share rough amounts, you can't budget. I think to that, I would really recommend setting up time with Chris and Ryan, and they can help you get that budget in place.

Chris Oshaben

Yeah, give you a wide range. But it's not really helpful, on the low into the very high end, be more specific if you if you have those conversations with firms that you're interested in working with.

Ryan Goodbary

And I think it's heavily dependent on the number of employees you have, how much data you're protecting, what kind of organization you are, what kind of industries you're in. There's so many considerations. So I think it is really specific on you as an organization, how much you're going to spend, and how much time you're going to take, and also the complexity of your controls. So we'd love to chat with you more about it.

Macy Mody

Awesome. And then we got a question about ISO and SOC 2. So what do you think of completing ISO 27001 and SOC 2 at the same time? Kevin, this might be one you can address.

Kevin Qiu

Yeah, so I've seen companies do both. And one thing to note is their ISO stands for the International Standards Organization. So 27001 is one that focused on security for cloud service providers. And there is quite a bit of overlap between SOC 2 and ISO 27001. One thing to note is they're not quite the same. And so if your resources are already slammed, just preparing for one, you may not want to add a second one on top of that, because you know, that additional work. So what I've seen work well is usually, depending on what your customers are looking for first, it's probably a good idea to get that one out of the way.

ISO 27001 is more common outside of the US, it's more international. So if your organization is very international focused, probably makes more sense to get ISO 27001 first, and then potentially consider a SOC 2 if your clients still want it. Whereas if you're solely US based, and you're not looking to expand anytime soon, maybe it makes sense to just stick to the SOC 2, because it's additional money and also time that you need to spend. And both are very good ways to get your security program up and running. Neither is necessarily better than the other. And so, you know, in summary, the answer is it's a business decision based on your bandwidth and also the need.

Chris Oshaben

You know, I might also add that SOC and ISO 27001 map extremely well to each other. And we have quite a few clients that are doing both at the same time.

Macy Mody

So awesome, awesome. I definitely don't want to go over time for anyone here. We did have two questions we didn't get to answer. So please feel free to follow up with the team if those are still outstanding questions, and we can follow up as well for those two. We'd love to hear from you after this webinar. If you have any more questions, please do let us know. It was really great being here with all of you today. Thanks so much for all the engagement and have a great start to the holiday season everyone.

Interested in getting a SOC 2 audit for the first time? Contact the great folks at Armanino for a discussion today! https://www.armaninollp.com

Begin building your Trust Center today.
Creating your own Trust Center is easy, and getting started is free.