There's this start-up moment when you think: all is cool, we're onto something. And then a customer asks, conversationally: "ok, all good, just one final tiny request before moving on - could you send over your latest SOC 2 report?" Your response: "Err… let me get back to you on that". And then, in solitude, you panic. Here's why we think that's actually a good thing (SOC 2, not the panic), and how we got compliant with our rocket boosters strapped on.
No overhead, please!
In a start-up, the last thing you want is overhead. Meetings, PowerPoint decks, hierarchy, forms to fill in - anything that keeps you from coding and doing the stuff a customer actually pays you for is the realm of evil. Don't go there, or it'll kill your company before it has a chance to spread its wings! There isn't a single blog post or first-time founder guide that doesn't carry this warning in big scarlet letters.
As much as everybody agrees that security is good and important, it'll also take you very close to that realm of evil, because it requires following processes, which you of course have to establish and document first. The goal is to make everyone follow a path you know is safe and secure, even if it takes longer and is more cumbersome to tread than what people were used to. Naturally, this is super hard, and if you're the poor soul (like me) who has to deliver the message (and eventually enforce the entire framework) - well, say goodbye to your internal popularity score.
Just kidding - it isn't that bad, but telling everyone (including your fellow co-founders busy coding and doing stuff) that there now is a process for this and that which must be followed and documented is a challenge. So is striking a healthy balance between security essentials and security overkill.
Why security matters
Frankly speaking, there will be a customer who simply tells you that without a badge that says your service is secure, there's not going to be a deal. For many larger companies and every enterprise customer, compliance really matters (they're audited on that themselves), and security is an important part of it. In this scenario, it's super convenient for them to work with suppliers who are secure beyond doubt. Frameworks like SOC 2 or ISO 27001 attest that a company audited against them meets a defined set of requirements (for SOC 2, the outcome is an attestation report rather than a certificate, which is why customers ask you to send over the report itself).
In addition, it is also a very good opportunity for you to learn as a team and a company, and to bolster your security as a result. If we're honest, we all had our "oops" moments in security, and getting some rules firmly implemented to prevent them is a really good idea.
Funny conversations
But that's all easier said than done, because first you need to write all that stuff down in a format that satisfies SOC 2. And once you start writing, you will come across quite a few processes where you'll ask: "wait - how do we actually do these things?"
Going back to the team to check, this can spark funny discussions when things you thought were clear to everyone actually aren't so clear after all. There was more than one occasion when I had to rewrite things that I had checked off as done in my mind.
Also, telling your fellow team members that the days of the wild west are finally over will probably not go without some resistance: Which customer will actually see this? Does this really matter? Can't we keep it more lightweight? Do you realize this slows me down? (quotes edited for language)
That's why it's key to get everybody on board with security right from the start (i.e. from the moment people join the company), because this is the foundation that helps you find common ground when you're aiming to get audit-ready. If we all want security, then we need to want it in a way the customer is able to trust. And this requires a certain level of protocol, and, yes, overhead.
SOC 2 vs. ISO 27001
We decided to go for SOC 2 instead of ISO 27001 as it simply was easier to achieve as a first step. SOC 2 allows you to control the audit scope by selecting the applicable categories of the TSC (Trust Services Criteria): Security is the only mandatory category, while Availability, Processing Integrity, Confidentiality and Privacy can be added as needed. That is helpful if you want to keep the effort at bay for starters.
Even though we went with Security as the main TSC for the SOC 2 audit, we still built out a full ISMS (Information Security Management System), which is my recommendation. If you put in a little more time, you will end up with a sound basis for all future audits to come, and you can help your fellow team mates to get used to someone cracking the whip on following processes.
How did we actually do it?
I created a folder in Google Drive and started building a structure of narratives, policies and procedures accessible to all staff. I had somewhat of an unfair advantage, though, as I've built an ISMS before and I'm fairly familiar with ISO 27001, so I could simply dig right in, knowing what was required.
On the structure, you'll need four things:
- Narratives. These provide a general overview of your company, your security set-up and your ways of working. Not strictly mandatory, but important as the overarching guideline for all the stuff you'll be implementing through policies and procedures.
- Policies. These are the "how to" docs for security, which essentially contain the rules by which you satisfy the SOC 2 TSC controls.
- Processes. Some things need clear guidance, such as incident management, employee on-/offboarding or vendor vetting. For these, you should create documentation for people to follow. We also added templates for these processes in Linear, which we use to track them.
- The company description. It's like an amalgamation of all the items mentioned before, and required for the SOC 2 audit (in SOC 2 terminology this is the system description that goes into the report).
You should also create some kind of overview page for quick access to all docs, and find a place to store evidence and supplementary documents. Again, it's all about documentation. If you're a person with organizational talent it will be a breeze; if you're more the creative kind it could get… interesting.
The core step for the audit is to define the controls that satisfy the TSC. This is what auditors look at to tell whether your framework actually does the job. So, if the TSC call for risk management, you need to define how you're addressing this and how it is measurable. After all, you'll have to provide evidence that your whole carefully built security setup actually works: a SOC 2 Type I audit checks that the controls are suitably designed at a point in time, while Type II tests that they operated effectively over a review period (usually between three and twelve months), so for Type II the evidence has to cover that entire period.
The fast lane
Of course, we could've worked with (expensive) consultants, but thanks to the knowledge we already had in-house, we decided to just leverage it. Admittedly, I'm a business guy, so I am allowed to spend time on stuff like this. :)
But even if you use a platform like Vanta or Drata, this doesn't mean you won't have to do a major part of the work yourself - templates give you a head start, but they don't reflect all the things that are relevant for your business. From my point of view, these solutions make sense once your setup has reached a certain complexity and you can leverage the integration capabilities of such platforms, which is helpful for automated evidence collection. It all really comes down to opportunity cost, and how comfortable you feel about calling the shots.
Besides that, getting ready for SOC 2 isn't rocket science. It took us just three months from starting on the docs to receiving our audit report (and that included Christmas!). It also helped that we worked with an auditing firm in the US that was no-frills and straightforward.
What's the cost of a SOC 2 audit?
A good deal will be somewhere in the range of 5-10k for each type (Type I and Type II), depending on the complexity of the audit. Being a platform customer usually also gets you discounts with their auditing partners.
Pro tip: if you're vetting audit companies and they show up with more than one person on the call, you can be sure you'll pay for these extra people through your fees, no matter how fancy their titles. I remember one meeting with a sales rep, a customer success rep, and another dude whose title I don't remember, and later received a quote for a SOC 2 Type I audit of over 25k. Insane, but not exactly a surprise.
Security: check. What's next?
After the audit is before the audit. We're already gearing up for SOC 2 Type II as soon as possible - looking forward to telling you more about our journey!
tl;dr
Security matters to users and customers. SOC 2 compliance is the best way for us to prove that we're serious about security. Getting audited successfully isn't hard if you know a little about the way audits and controls work, and if everybody in your company is on board with it. If not, someone needs to crack the whip, and that'll likely be you.
