Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: How to Simplify Your SOC2 Journey


Quick Take

On this episode, unlock the secrets to making SOC 2 compliance a strategic advantage with host Todd Coshow and expert Adam Goslin. Learn how to streamline your process, leverage existing frameworks, and implement continuous compliance strategies.

This episode is perfect for security leaders and tech founders looking to simplify SOC 2 and enhance client trust.

Tune in to transform compliance from a burden into a superpower.


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the petunias to your compliance garden. Mr. Adam Goslin, how the heck are you, sir?

I am doing fantastic today, Todd. How about you?

Cannot complain, sir. I truly cannot. Just a quick reminder: if you miss us and you want to chat, give us a shout. You’ve heard a funny compliance story? We want to know all about it. Shoot us an email at [email protected] today.

We’re gonna be talking about the journey, Adam. That’s right, the SOC 2 journey, and most importantly how to simplify your SOC 2 journey. So as we jump in, maybe you can let the folks know why SOC 2 feels so gosh darn hard.

Well, the major difference is just, you know, structurally in general, you know, compliance is an arena that can get messy. It’s got a lot of manual engagement in it. It’s overwhelming at times.

You know, SOC 2 adds complexity because it’s not a checklist style of, you know, of a compliance standard. There’s not some checklist that we go down, you know, check these boxes and hopefully, you know, hopefully get there. You know, at the end of the day, you know, folks are looking to make the process a little bit easier and, you know, we’re here to help.

Sure, I appreciate that. Now for the novices out there, myself included, what is SOC 2, actually?

It’s kind of a directional framework where there are criteria that, you know, criteria that need to be met. And so, you know, the kind of the job, if you will, the assessor’s job is to kind of look at that directional framework, you know, of these criteria or objectives that need to be met.

And then they need to evaluate the kind of controls that the organization has put in place and the testing steps for those controls to validate, you know, has the organization fundamentally met the, you know, met the objective of the criteria of that particular section, you know, that, you know, the focus that is that aspect of the control set. So it’s more of a directional framework and not nearly as prescriptive.

That’s interesting. Speaking of prescriptive search, for the listeners of this show, they’re more familiar with, say, PCI.

As you’re looking at SOC 2 versus PCI, there’s got to be a mindset shift, right? What’s the difference, really?

Well, in the PCI world, and I mean, honestly, for a long time, the very first standard that I had to go up against was PCI. And in many ways, it’s easier. If I want to go handle access control, then I do these 35 things, and then I can be compliant. So PCI is far more prescriptive, and it’s been that way for a long time.

Where other standards, you know, like we’re talking about SOC 2 today, but HIPAA falls into a similar boat, you know, where it’s more meet this objective. How do you go about meeting that objective? Well, you got to prove out that, you know, the things that you’re doing for your organization are, you know, are in alignment with the criteria. So it’s a different style of an approach to how to go about meeting the requirements of the standard.

Well, why does SOC 2 get so complicated?

Well, I mean, because when they’ve got, you know, where they need you to meet this criteria, right? Well, I mean, that’d be like me, you know, whatever. You’re in California. I’m in Michigan, right?

You know, I want you to lay out the route that one would take to get from California to Michigan. Well, I mean, shit, I go up the west coast, cut across by Canada, you know, like I go through Canada, I could cut the closest diagonal, I could decide to go on an East coast road trip, all of them are going to get me there, right? You know, there’s a million ways that you can go about doing these and, you know, what I’ve seen on the SOC 2 engagements, because there’s literally, you know, kind of a notion of a minimum standard of, you know, I almost wanted to say a minimum standard of care, but there’s a minimum level that you’ve got to go in and hit, you know, depending on the nature of the organization, how they’re approaching it, what their circumstances are, what tooling they’ve got, et cetera. I mean, there could be a million combinations of controls, if you will, that could meet this criteria. You know, so that makes it complicated, just because there’s so many choices, you know, and whatnot. You know, a piece of this, there’s a heavy reliance on, you know, the assessment of risk and the business circumstances as you’re going through those, you know, like I was mentioning a minute ago. The other complicating factor is, I mean, I’ll tell you, you better be on the same page with your assessor, because, you know, where I could put together this particular series of controls with this particular list of testing steps and go ahead and present the same list to 10 different assessors.
And if the choice that the organization made in terms of the efficacy of those controls and testing steps, if it was, you know, kind of trying to hit the bare minimum type of a notion, I mean, I could bring those same things to 10 different assessors and get, you know, five of them saying, yeah, it’s good enough, and five of them saying, no, you got to go do some work. So the assessor interpretation, you know, really kind of plays back into it. There isn’t just one correct answer. There’s a whole myriad of answers depending on circumstances that could or couldn’t, you know, work out.

That’s going to make things challenging for folks in the compliance space that are used to, you know, more hardline directives of what compliant looks like.

Yeah. It’s a tough shift, right?

When you’ve got the folks there. Now, there’s organizations that cut their teeth and grew up in the SOC space and they’re all about it. But I’ll tell you what, it is a different experience when you’ve got an organization that has historically gone up against PCI, ISO, NIST, ESF, whatever, and now needs to step over into the SOC arena. Yeah. It can be like taking that first swim in the early summer where you don’t know, am I going to be landing in freezing water or is this going to be all right?

That’s a really accurate perspective to bring to the table on this. And I think probably a large part of how chilling that experience is has to do with your choice in assessor.

So how critical is choosing the right assessor?

Man, it’s almost like you’re the one that’s sitting over here drinking beer. For the listeners that aren’t in the know, before we started this, I’m like, man, I poured myself a glass of beer.

Oh, and I’m out here at 1:45 in the afternoon. Enjoy yourself, sir.

I’m tolling out my day at this point in the game. Now, the Assessor is a big decision. I mean, you know, there’s things that I would recommend to organizations, you know, if your sense is that it can be easier than it currently is for you, you’re probably right. You know, if you don’t currently have an Assessor or you’re, you know, kind of going to, you know, I’ll put it to you this way, we’ve worked with dozens and dozens of different Assessors. So, you know, if there’s somebody out there, there’s nothing in it for us, but I just like helping people. So if there’s somebody out there that’s looking to move from one to another, whatever, by all means reach out, give a shout, be happy to, you know, I don’t know, I almost treat the Assessor matchmaking, it’s almost like trying to set your friend up on a date or something, you know. You’re looking to make sure it’s a good fit. But the reality is, you know, that choice in Assessor is huge. You don’t want to rush into it. You definitely do not want to take, oh, this is the cheapest, so let’s go there. You know, there’s a lot more to it. You want the experience of the Assessor. You know, the Assessors tend to fit into different spectrums, if you will. So, you know, you’ve got ones that are more flexible that will reasonably look at the controls that you’ve got in place and whether or not that matches the criteria, think outside the box, etc. Then you’ve got the Assessors on the other end of the spectrum, which are, you know, you’re going to do it my way and you need to do it this way. And, you know, I’m not looking for you to do it in other directions, etc.

You know, there’s also cultural fits between the Assessor organization or the Assessor themselves at the organization and the organization undergoing compliance. So, you know, there’s a lot of pieces and elements that kind of fit into that Assessor arena. But it’s really an important one.

Having the right Assessor really makes a big difference when you’re going about building it or maintaining your security and compliance program. It’s just, it’s—

a big deal. Well, before we move on from the assessor, I wanted to ask, like I know that a lot of assessors in the SOC 2 space, their approach to SOC 2 is like their signature or their fingerprint. It’s the secret sauce.

How does a prospective client of those firms make sure that they like the sauce that they’re being served?

Certainly asking a lot of questions. I mean, if I’m looking at assessors, there’s one thing that I’ve always recommended to folks to do is to, okay. You don’t go to the assessor to say, hey, give me a reference to three clients so I can go have a conversation with them. Well, are they really going to natively serve up the engagements that went sideways or where things went wrong? Of course not. They’re going to put themselves in the best light and pick the best clients that are going to clap them on the back the hardest and all that fun stuff.

So I would rather put the word out there to folks that I know, et cetera, and look for experiences that people that I know have had with that assessment firm. But in some way, shape, or form, find somebody that leveraged them or leverages them on your own and then ask a bunch of questions. And certainly finding out a lot more about what is their process, what are their steps, do they have some prescribed approach to it, or can I do my own thing, et cetera. Really understanding a lot more about how they do what they do is that goes a long way to kind of taking a valid stab. At the end of the day, there’s talking about going in and doing it, and then there’s actually doing it. So in many cases, the actual experience hopefully is similar to what was laid out initially, but that has a great capability to be variant as well. I think in many ways, the folks out there that do compliance engagements, it’s kind of like their approach to compliance, right? We managed to get through it the last time with the assessor we had, so we’re just going to stick there. They think somehow it’s made easier type of a deal. In some cases, yep, that’s true. I agree. When you find a good assessor, you’ve got everything worked out, everything’s cooking on gas, and you’ve got everything dialed in. Hell yeah, stick with them. If your internal response at the back end of the engagement is somebody asks you, hey, how’d it go? And in your brain, you’re like, oh, hell no. It’s all right. It’s what you’re thinking, despite whatever comes out of your mouth. Those should be signs that there’s probably a better way. And honestly, it’s not that painful to switch out the assessor at the end of the day. So don’t be afraid to take that step.

Good shout. You know, I’m a big plan-your-work, work-your-plan guy, I tell my kids that all the time.

And as we’re talking about SOC 2, why is building the game plan first such a critical step?

Well, I mean, there’s, you know, a couple of different elements that come into play. You know, certainly when it comes to kind of planning it out, one of the pieces that is really important is just kind of understanding the current landscape.

So I mean, I would encourage listeners to look at what you already have before you’re contemplating going down this SOC route. So are you already going up against PCI, HIPAA, ISO, et cetera? You know, in those cases, there’s two elements here. Being capable of using your existing frameworks to reuse those controls wherever you can, you know, that’s a piece of it. In addition, you know, kind of taking a look at your current tools, your current tooling, your current vendors, et cetera, just kind of take stock of what you’ve got that you can go ahead and leverage. Like in our case where we’ve got organizations where we’ve got folks going up against PCI as an example, doing like a full ROC or something, the notion of going over to SOC, really you can provide 80 to 90% coverage of mapping just off of the existing work that you’ve already got done, provided, and here’s where the, you know, kind of the next step comes into play, provided that as you’re going through and you’re kind of building out your SOC controls, right? The first step is build out my SOC controls that are going to meet the criteria. That’s kind of step one. So as you go through and you’re identifying the controls that you want to use, well, it makes absolute sense to create the controls for SOC based on the criteria, based on the controls you already have in place against any other existing frameworks. If you don’t have any other existing frameworks, then you don’t need to worry about the synergy between those two. You can just go ahead and start building controls that make sense for your organization.
You know, one of the things that I would strongly recommend to an organization is as you go through and, you know, generate the controls that you want to use to meet the criteria, I would literally hit the pause button at that point in the game. I’d go back to your assessor and say, hey, here’s the controls we’re planning on using for these criteria. Can you please run through these, validate those, make sure it looks like we’ve got the appropriate controls in place, et cetera, because you don’t want to go through the extent of building out all the testing steps for those controls if, you know, the assessor is going to say, well, that’s great, but we want you to adjust, modify or toss, you know, a third of the controls that you’ve got.

So now you’re just doing rework. So, you know, I would take that style of approach, get the controls identified, validate them with the assessor, get the blessing at the control level, and then draw the testing steps, do a second round of validation. Hey, for using these testing steps to work on these controls, we’re provisioning this type of evidence, et cetera, so we’re going to be good, you know, and, you know, obviously they can’t sign off, you know, with their, you know, choke their fingertips, sign in blood, but, you know, as long as the spirit of the testing step is met with appropriate evidence, et cetera, then sure, it looks like it’s going to work. So, you know, getting through doing all of this kind of upfront planning, that’s really what’s going to create, you know, kind of a big success driver.

Certainly for organizations that are working with TCT, we’d be glad to, you know, give directional guidance and assistance on, you know, usage of the compliance tooling to be able to make your world easier, but generally speaking, especially with the directional certs, you’re a whole hell of a lot better off to use a more prescriptive cert and mirror that down to the SOC controls as you’re going through that process.

And how can kind of controls plus a testing focus become like the core engine of your approach?

Well, because the controls are mapping into the criteria, the testing steps are proving out the effectiveness of the controls in question, you’ve got the capability to really, at the end of the day, there will be a certain series of controls and testing steps, and those can be interchanged to meet various of the criteria. So, whatever, the annual performance of an organizational risk assessment, that’s probably something that I could drop that control under probably 12, 15 different criteria against the SOC engagement as an example.

So the controls and the testing steps is a create-once-use-many style approach as you’re going through it. So oftentimes, what organizations will find as they’re going through and trying to generate the list of those controls and testing steps against the criteria is they’ll take a run down the list, and then they’ll go back and they’ll sanity check, well, do I have any optimizations I can do, do I have some redundancy built in anywhere, can I tighten these up a little bit, et cetera. It’s a lot easier to make the tweaks, alterations, and adjustments to the series of controls and testing steps I’m using for the criteria when you’re in that planning phase than it is when you’re in the middle of the engagement, you go, ah, crap, I forgot, fill in the blank. It’s often a fair amount of upheaval if the boat’s already kind of left the harbor, if you will. So a lot of it comes down to mapping as you’re going through, kind of going through that process.

Hmm. Well, how can companies build for repeatability, right? Like not just year one. You hear the term continuous compliance all the time.

Yeah. Well, you know, what organizations want to do is they want to gain some form of structure of their engagement, you know, making sure that they’re keeping organized and gathering up and structuring their evidence, you know, who owns what, how am I going to flow, kind of workflow, you know, these items from, you know, initial control owners through some form of an internal QA process. Do you have a consultant in the mix that’s assisting or helping, flowing that over to your assessor, you know, et cetera. So, making sure that you’re leveraging technology to structure your annual engagement, that will go a long way because you don’t want to be in a situation where, you know, all of a sudden it’s compliance season again. And, you know, the alarm clock’s gone off for groundhog day and we’re waking up to a brand new day again.

You know, you don’t want to be in that situation. You know, the first year that you’re going in, you know, is whatever, whether it’s going in or it, what I’ve also found is there’s companies that have been out there and doing SOC 2 as an example for years and years and years. You got to remember SOC 2 has been out there for a long time. So, you know, for those organizations that are just in the, they feel like they’re in that rinse and repeat, to them, I can’t even begin to tell you how much I would recommend. Go, guess what? Go take a fresh look at your controls, you know, etc. Don’t just hit the repeat button. There’s probably a ton of inefficiency built into that engagement. There’s a huge opportunity to make it better, improve the lives of the folks on your team, you know, reducing redundancy, optimizing the efforts from, you know, other engagements that you’ve got going on, etc. So there’s probably a ton of room for improvement. But, you know, the first time that you’re going about restructuring or building it, you know, that’s your year for, you know, kind of spend your time, take your best shot at going in and getting things, you know, high and tight, if you will, on the first run through. From there, when you get into year two plus, that’s where you’re looking at optimizing the capabilities of the tooling, of the workflow, etc. There’s a myriad of things, minor tweaks, adjustments, you’re going to have lessons learned as you actually are going through and doing the work against the testing steps that map to the control set. So there’s a lot of things that are going to get learned through year one, and year two and beyond is where you kind of take advantage of optimizing those things.

That certainly makes sense. Now, again, kind of going back to the novice folks, for those that are, that are just kind of getting started, right?

What is this SOC 2 roadmap like for folks? Like from type one to type two, like what does ongoing compliance look like in between those two certifications? You get it.

So initially, and for the uninitiated, if you will, a SOC 2 Type 1 is effectively an exercise validating that the defined controls exist at the organization. It’s almost like a prove that you’ve got evidence that these things are operating now type of a deal. So, yeah, that’s a type 1 is basically going through validating the controls in their present state and that they are real controls that will meet the criteria and they’re at bare minimum functional.

From there, an organization would then move into a SOC 2 Type 2, where it’s validating and vetting that these controls are working over a period of time. You know, for, depending on the organization, depending on how quickly they need to move into like a type 2, et cetera, most of the assessors would prefer to see the controls operational over a more extended period, nine months to a year, you know, typically a year, type of thing for a common SOC 2 Type 2. That said, if you really, you know, have pressure to be able to get to the SOC 2 Type 2, so the assessors will, you know, I’ll put it this way, some assessors, you know, will do it over a shorter period of time. The concern there is the shorter the period of time, the less you have a good feeling that the organization is handling these controls appropriately over time, you know, type of a thing. So that’s part of the reason there’s reticence to, you know, to, you know, whatever, hey, let’s check out and see if these things work for two weeks, you know, type of thing, not so much. Usually the shortest amount of time that I’ve seen on engagements, approximately three months or so, you know, on those engagements for the initial Type 2. From there, they then would move into an annual, you know, an annual cadence. So typically would be a one-year coverage period, you know, for the effectiveness of those controls. Now that said, once I get to the point where I’m in a SOC 2 Type 2 and I’m seeing these controls being effective over a period of time, that’s really where TCT’s operational mode comes into play, where you can, you know, you can go in, you can spread out the, you know, it’s going to spread out tasks across the course of the year. So in other words, at the end of the compliance cycle, you don’t, you know, when you move to operational mode, what you’re not doing is you’re not saying, hey, let me go gather up evidence that proves we were doing our daily, weekly, monthly, quarterly tasks. 
Let’s not gather those up at the end of the year, you know, at the end of the compliance cycle. Instead, let’s gather those up on a quarterly cadence. That way, it does a couple of different things. One, it shows the assessor that the organization’s actually taking this stuff seriously and actually doing what they need to do. It also gives the organization proper an opportunity to early, to have early identification of potential issues, problems, et cetera, and to make correct course corrections on those far earlier in their compliance cycle.

So instead of finding out I’ve got a problem at the end of Q4 when I can’t do anything about it, instead, I’m now looking at quarterly cadence submissions in Q1 and, you know, okay, well, you know, whatever, let’s say you had 30 of them that you wanted, that you needed to go in and do. Out of these 30, 28 are working great, but these two, we really need, we really need to get our, you know, get our act together or whatever. We need to improve the evidence. Well, whatever the case may be, now you can see that earlier, and that makes a huge difference.

The other thing is once you move into that operational mode, so now I’m taking these periodic tasks, you know, and spreading them out across the course of the year, but you also have an additional opportunity. Most of the time in their first and second year of kind of operational mode within the platform, it usually takes a couple of years to kind of get everything dialed in and whatnot. But once you go through that for a couple of years, you know, then the other opportunity that exists is to take the annual submission items and to spread those out across the course of the annual engagement. So, you know, as an example, we’re going to do, I’m just making these things up. We’re going to do all of our policy reviews in compliance quarter one. We’re going to do all of our annual security awareness training and other training activities in compliance quarter two, et cetera. So the one thing that I would mention here, especially with an organization that’s planning on trying to spread out those annual elements across the course of the year, make sure that you go through these items, you know, kind of at these points within the compliance cycle. There are certain elements that the assessor is going to want to make sure were refreshed, that got updated, that got attention real close to the assessment time. So you don’t want to have those slated for Q1, only to have the assessor come back in Q4 and go, well, this evidence is too old, I need you to update it. So it’s a fine dance with the assessor to kind of move into that annual spread model for the SOC 2 elements and evidence. But as long as you’re on the same page with the assessor, I’ve seen it work out really, really well.
You know, SOC 2, like many of the, like many of the different standards and certifications that are out there, it’s not a, you know, Hey, we’re just going to go check it on, you know, this date and make sure that we’re compliant on this date and then everybody walks away and goes to sleep again, you know, SOC 2 similarly is a, is a notion of a, of a continuous compliance, you know, style approach, it’s an active protection for the organization. It’s not a, you know, kind of a checklist that you’re going to go in and hit.

Parting shots and thoughts for the folks this week.

Well, parting shots for SOC 2, what folks don’t understand is that while it’s flexible, that’s exactly what makes it difficult. While it’s flexible, that’s why you end up having such degrees of variance from organization to organization in the control sets that are acceptable from one assessor to another.

So, the planning and structuring that you can do with it, the use of compliance management technology is going to be a huge piece of just being able to hold everything together and facilitate these functions that we’ve been talking about, like moving into an operational compliance mode and the collection of evidence all the way through the year and having a system that will do the workflows of the compliance evidence movement, et cetera. The one thing I didn’t mention earlier is for the organizations that are going through compliance, the one strong piece of recommendation that I would have for them is just remember that a lot of people will kind of bow in reverence to the assessor type of a thing. At the end of the day, they’re here to help you. They’re a vendor type of a deal. So, if you have a system of record for your evidence, et cetera, don’t be afraid to let your vendor know this is where our repository of evidence sits. We want you to use this, et cetera, that type of a thing. For the organizations going through compliance, make sure that you optimize your own program and marry up with a vendor that will leverage your system of record because it’s not just all about them making their world easy. It’s about everybody making their world easy. It’s got to be kind of a two-way street, but at the end of the day, you’re the client, they’re the vendor, do what you need to do. Going through and planning and structuring everything, reviewing your controls against the criteria, the redundancy in those controls, the alignment of those controls to your existing other standards you may have, and look for areas of optimization in those and in the testing steps that support them. Those are all elements that really will come into play for the overall optimization. And just remember what I was saying earlier.
Once you’ve gone in and gotten the criteria, sorry, not the criteria, but once you’ve got the controls and the testing steps all dialed in, get that built, run that for a year. The beginning of the next compliance session, start making tweaks and adjustments and improvements from what you learned, start moving toward doing some form of periodic evidence collection, doing that for a couple of years, and then working on spreading your evidence. That’ll be a good recipe that’ll really, at the end of the day, even by the time you get through that first year of just putting fresh eyeballs on it, it’s going to make a world of difference for your team, for your organization, and using the right tooling is going to be a key component to that success.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
