Our earlier articles dove into what a SOC 2 is and how to prepare yourself and your team for the audit. Here, we’d like to share a few final points of advice that will go a long way towards making your efforts successful. As you start working on your plan and getting your team prepared to undergo the process, a few key choices have an outsized impact on your experience.
Make sure that you pick the right partners to help you navigate this process. SOC 2 audits must be performed by a CPA, so it’s good to find a firm with security experience. We chose to hire Sensiba, and the auditor who worked with us had experience in tech and security. Working closely with them gave us a resource who understood the needs of compliance and helped us avoid exceptions by picking right-sized solutions for our scenario. The better you understand your system and are able to communicate about it, the stronger an ally they can be.
Additionally, we chose Vanta to support our SOC 2 efforts. They provide an app/framework that integrates with much of your tooling and systems and accepts your policies in order to completely build the SOC 2 report. Not only does this simplify your and your auditor’s ability to review your remaining tasks and their completion, but it also gives you a real-time window into how your systems are performing and what specific vulnerabilities exist within your infrastructure, code, and even organizational processes. Internally, we have found a lot of value in Vanta outside of the SOC 2 audit process. Integrating with them has streamlined our ability to evaluate and correct any security issues that arise while we develop and grow.
In addition to adding new weapons to your security repertoire, it helps to really focus and define what frameworks, languages, and tools your team is and should be using. It helps to find your team’s personal ‘goldilocks zone’: not so complicated that security and testing become a pain, not so simple that you miss out on great features. Understanding your team, and making a plan that leans on their strengths, will help guide that balancing act. Infrastructure is often handled as code these days, and considering your platform and resource choices alongside your software decisions can also simplify secure management of these systems.
Once you’ve found your happy path towards a securable architecture and code, make sure you have the right people empowered in the right places. We mentioned hiring someone for the DevSecOps role in our last article, but you want to make sure every team that handles these resources has someone involved whom you can trust to help the team adhere to a security-first mindset as they grow. Choosing to put security up front in the planning process will help your teams fold the existing security strategies into any new projects, which will make the maintenance and evaluation of these resources much smoother. The alternative of figuring out how a new service needs to be modified to fit security goals after it has been created can be much more disruptive to the development process and will end up requiring more effort in the long run.
At the root of all of these pieces of advice lies a key principle – be prepared to shift left and involve your functional leads from the get-go. The earlier you think about how and where security needs to be incorporated into your products and teams, the more likely you are to proactively identify and mitigate problems long before they become a risk to your organization. Incorporating members from other teams and external advisors into the earliest planning phases will help you draw a more direct line towards the end goal. Even if you don’t need to become SOC 2 certified today, this approach can offer both the security benefit and a path forward to a future SOC 2 certification.