Key Points
When navigating the complex world of cyber security compliance, SOC 2 stands out as an essential benchmark for modern businesses handling sensitive customer data. But what does SOC 2 require, and how can vulnerability management help you on your SOC 2 journey?
These were just two of the important questions about SOC 2 that were covered in our recent webinar, presented by Patrick Cranston, our CTO, and Pratik Bhat, Senior Product Manager at Drata, the leading automated compliance platform. Missed it? Read on for the highlights, which will bring you up to speed.
What is SOC 2?
Trust is essential when it comes to managing customer data. Give your customers any cause for concern that your security isn’t up to scratch and you could lose their business. Fortunately, this is where SOC 2 comes in.
SOC 2 is a security framework created by AICPA (the American Institute of CPAs) to help businesses improve and demonstrate how they safeguard customer data based on five key areas: security, availability, processing integrity, confidentiality, and privacy. Visit the AICPA website to learn about these in more detail or read our in-depth guide.
But SOC 2 is more than just a technical audit. As Pratik explained, “It's a comprehensive requirement that ensures your information security policies and procedures are documented and followed.” It’s about going beyond the basics and meeting a complex set of controls that need to be reviewed, addressed, and monitored. And it's something you need to continuously monitor, invest in and prioritize for your business.
There are two types of SOC 2 report. Type 1 evaluates your controls at a single point in time, ensuring they're sufficient and correctly designed. Type 2 takes it a step further, checking the ongoing effectiveness of those controls over a period of three to twelve months.
As you might expect, Type 2 audits and reports are more detailed and, therefore, more expensive, which is why staying compliant is crucial – and where automated compliance tools like Drata help save time, resources and expense.
7 reasons why SOC 2 is important
There’s no legal or regulatory requirement to comply with SOC 2, so you’d be forgiven for asking if the investment is worth it. But there are seven good reasons why you should consider SOC 2:
- It forces you to enhance and optimize your security processes and posture
- Customers expect you to protect their data – some won’t do business with you if you’re not SOC 2 compliant
- Compared to the cost of a data breach, compliance is pretty cheap. As Patrick pointed out, “in 2021, a single data breach costs businesses on average over $4 million”
- It gives you an advantage over competitors who aren’t compliant
- It builds trust with customers and stakeholders – “Some customers might even accept your SOC 2 report rather than asking you to fill out customer compliance questionnaires,” Patrick explained.
- SOC 2 overlaps with other compliance frameworks such as HIPAA and ISO 27001, so it can speed up future compliance efforts
- It gives you essential insights into your organization's risk profile and security status
Pretty compelling, right?
How Intruder gained SOC 2
Our CTO Patrick was tasked with ensuring Intruder was SOC 2 compliant, and he explained that you don’t actually have to meet all five trust principles. Instead, you can focus on the ones that are relevant or appropriate for your business.
“For us at Intruder, but also for many of the big players in the industry, such as Google or Cloudflare, the focus is security, availability and confidentiality, and we made sure that we worked towards completing all the controls under those three trust principles.”
He continued, “There's no singular formula for SOC 2 compliance. Each report is tailored to the specific needs of your organization, and there are various tools and platforms that can help you automate, streamline and speed up the auditing process.”
These can be particularly helpful if you don’t have a dedicated information security or compliance officer in your team to manage the process. In fact, depending on whether you opt for a Type 1 or Type 2 report, a number of people in your team may be involved. “It really has to be a coordinated effort between various policy owners. Depending on the type of the report, you'll have a different individual in the business who writes it. It could be the CEO, Head of People for organizational policies, or the CTO for technical policies. But it does require one person to keep on top of everything and make sure all that goes together,” he concluded.
How to simplify your journey to SOC 2
The biggest effort lies in collating all that evidence to show auditors that you are complying with the various controls. An example of this could be showing that you perform background checks on all new employees, or are monitoring for vulnerabilities. This requires a huge amount of admin, so the key to making the compliance process manageable is automation.
That's why we used Drata for our own SOC 2 report, and continue to use it to make sure we stay compliant. With Drata you can use their integrations to automatically pull data from cloud providers, reducing the amount of manual evidence you have to collect. Once these cloud connectors are in place, you can simply forget about them because the integrations pull the information automatically. And if you ever lose access to a cloud account, they'll let you know.
Drata can also help handle your manual evidence. Simply upload it to the tool and set an expiry date, and Drata will remind you to update that evidence when the time comes. Staying on top of your evidence becomes a continuous, manageable job and everything is organized and easily accessible within the app. Then when the next audit period comes along, the auditor can simply log in to your Drata account and find everything they need. If you need help choosing an auditor, Drata’s auditor directory is an invaluable resource to help you find support to match your needs.
How Intruder can help your SOC 2 compliance
Three SOC 2 trust principles – confidentiality, privacy and security – require monitoring for weaknesses. Continuous vulnerability scanning with a tool like Intruder provides deep insights into both internal and external vulnerabilities, continuously searching for gaps and cracks in your systems and user behaviour that could lead to an attack. While penetration testing provides a deep dive, point-in-time assessment, automated vulnerability scanning monitors your systems continuously. But both are as essential to a robust security program as the basics like firewalls and VPNs.
Intruder is easy to buy, simple to use, and fully automated. Just sign up, pay by credit card, and you can tick the SOC 2 vulnerability management box in under 10 minutes.
Want to know more about SOC 2?
- Watch a recording of the complete webinar on-demand
- Read Intruder’s essential guide to SOC 2 compliance
- Try Intruder for free for 14 days and start your compliance journey today