Engaging SOC 2 Audits to Strengthen Your Company’s Security and Reputation
By Eric Müller
July 19, 2024

Eric Müller, our VP of Engineering/CISO, has been in engineering and security for over 20 years. He is experienced with web and internet technologies across a variety of industries, including banking, social media, B2B, retail, fashion, and online gaming. For the past ten years, he has been the Presence VP of Engineering/CISO, leading teams, supporting automated processes to deliver digital products, and guiding our SOC audit experiences. Eric is also an amateur photographer who dabbles in baking and loves discussing security.

Every company’s security needs look different. We think there is value in sharing our SOC security journey from a digital product consultancy perspective. For more about the basics, read our Primer on SOC Audits and Reports in Consulting.

Common misconceptions about engaging SOC 2 audits

There are multiple flavors of SOC audits and reporting. After starting with a Gap Analysis and SOC 1, we’ve engaged SOC 2 for the most comprehensive systems and controls analysis to ensure our production environments and resulting digital products are extremely secure. Over the past few years, I’ve encountered some misconceptions about the SOC audit process that I want to dispel. 

You don’t have to implement every control

It’s not a rule that you have to implement every security control. I’ve gone through multiple SOC audit processes and learned that if a control doesn’t make sense for our company, we don’t have to implement it. For example, we don’t have a physical data center, so we do not have to have policies or controls related to a data center. Similarly, we are free to establish policies (e.g., password complexity) that do make sense for our business. The key is that as long as you are meeting minimum standards, you can adjust the policies and controls to appropriate levels for your business. The auditor’s job is to evaluate whether you meet the standards you have established for your own company. 

The auditor isn’t your enemy

Our auditor hasn’t been afraid to tell us what we did well and where we have room to improve over the next year. There is a misconception that an audit is adversarial or one-way, but that hasn’t been my experience. Yes, during the audit process, they are holding our feet to the fire, but afterward, it’s a conversation where we can ask questions, explore how to improve and find opportunities to push ourselves forward. 

Just having a SOC 2 report doesn’t indicate A+ security

People often think that if a company has a SOC 2 report, it automatically means they have fantastic security, but that’s not enough for me. SOC 2 reports simply reflect how well a company implemented the policies and controls that they selected for themselves. They may have passed their SOC 2 audit because their controls meet their policies, but one of their policies could be that they don’t require multi-factor authentication or complex passwords. If you decide this limited password security control could put your data at risk, you would definitely want to know upfront. With this information, you might decide to look for a more secure partner, or you might decide to stick with them but implement additional security controls on your end to mitigate the risk of working with them. The only way to be sure a company’s policies and controls are secure enough for your needs is to request to view their report. I recommend doing this for any company you’re working with or handing your data to. They’ll probably ask you to sign an NDA because the report shares significant details about their security practices.

The strategic approach to SOC 2 audit preparation at Presence

Our SOC 2 report journey began over four years ago, and since then, we’ve become substantially more efficient with our audit process. At first, we didn’t have a big budget to outsource support, so we had to learn about the process ourselves. We started with a Gap Analysis audit to identify our opportunity areas and establish recommendations. After making these improvements, our chosen security controls and processes were assessed during our first SOC 1 audit, which evaluated one instance of our controls and processes. We engaged our first SOC 2 audit nine months later to assess how effectively our security controls and processes were implemented across our entire company.

Preparing with Gap Analysis and SOC 1

Want to skip Gap Analysis and SOC 1? Sure, you can skip these and jump right into SOC 2; many auditors are willing to dive right in with you. However, more reputable auditors will encourage you to slow down if you’ve never done an audit because it’s valuable to engage each step. Diving right into your first SOC 2 audit without the other steps could lead to a poor result that you might not want to share with prospective partners or clients. I believe the nominal additional expense of engaging all the steps is worth it because they help you achieve more effective security and become better prepared for a successful SOC 2 audit and report result.

What is a Gap Analysis, and how does it relate to SOC reports? As mentioned earlier, a Gap Analysis is an interview with your auditor to evaluate your controls and processes so you can identify opportunities for improvement. It is a highly strategic starting point where your auditor tells you where you are good, where you are okay, and what you need to fix or improve. The SOC 1 report is a snapshot of what your auditor found when assessing your chosen controls and policies against one sample (e.g., one system, person, or project). If you’re effectively acing your security controls and processes across one instance, you’ll be well-prepared to implement these controls and processes company-wide to ace your SOC 2 audit. 

Identifying SOC 2 audit scope

Identifying the right scope for our SOC 2 audit was challenging because we don’t offer a single product; we develop digital products for various clients. To select what to audit from many project types, partners, and industries, we sat with our auditors to review the client production environments we manage. From those, we selected environments where we have complete responsibility so that our auditor could audit our security controls for those environments. Of course, we always check with our clients first, and they love it because they’re getting a security audit for free. Once we got formal approval, our auditors reviewed both our handling of the client environment and our overall internal company security controls and processes.

Executing the SOC 2 audit: working with your auditor

Whereas your auditor is a partner during your Gap Analysis, your SOC audit is quite different, and more unforgiving. Instead of telling you what you need to fix or improve, your auditor will show up and ask for evidence; if you don’t have it, you have a problem.

Here are some essential things to know about your auditor:

  • You should find an auditor who knows your business and interview a few to find the right one. Get referrals from industry people you trust and use the internet to source additional options. Find one who has worked with companies similar to yours and who has references you can talk to. We looked at several auditors and followed up with in-depth conversations with five of them before finding the right fit. The process of selecting an auditor took us over a month.

  • Try to get the same team from your auditor each year. We have done our Gap Analysis, SOC 1, and our three SOC 2s with the same team. Having the same team makes the overall process much more efficient, as they are already familiar with the process and tools we use to manage our audit process.  

Expert tips and best practices for managing SOC 2 compliance

After completing three SOC 2 audit cycles, I recommend collecting as much evidence as possible throughout the year instead of gathering evidence at the last minute. This makes it much easier to produce the evidence your auditor requests during your formal audit period. Engaging in periodic self-directed mini-audits throughout the year will help you find and mitigate issues and give you peace of mind when your audit period comes around. You don’t want to discover that your database isn’t backed up while your auditor is on the job!

Should you get automation software?

You don’t need to spend $10K - $30K annually on compliance software to have a successful audit experience. Some people I know at relatively large organizations manage it all without any compliance software, using spreadsheets, wikis, and regular self-audits. However, for many companies, automation software can make the audit process much easier by regularly collecting evidence and alerting you to issues. If you’re a small company, maybe twenty people or fewer, you could get by with a manual process, but you will still need some systematic way of keeping track of your controls and evidence so you’re in good shape for your audit. It’s all about building the habit of gathering evidence. That doesn’t mean you can do it alone! Leveraging your entire team is a part of setting yourself up for success. You’ll need a domain expert from each area of your company (business, technology, HR, etc.) to help you collect the right information. 

The business benefits of showing your dedication to security

As a digital product consultancy, our SOC 2 report has opened up opportunities for us to work with very security-minded clients. The fact that we have engaged in a rigorous audit process shows that we take security and compliance seriously. While our report doesn’t mean our security policies will perfectly match every client’s needs, it does provide assurance and open up the conversation. We’re always happy to show our report once a client signs an NDA, and to make adjustments to meet the security requirements of that specific client engagement.

Integrating SOC 2 compliance into business culture

Over the past five years, we’ve continuously advanced our security policies. By automating what we can, security has become a baked-in routine, a habit across teams, which reduces our vulnerability. Building a security-minded culture and creating a habit of evidence collection has streamlined our SOC 2 audit process and enhanced our overall security. Although our enhanced security measures add friction to employee workflows, they are an accepted part of the job because employees are trained on them early and continuously. 

Concluding thoughts on SOC 2 audits and reports

Engaging in the SOC 2 audit process has been well worth the time and cost for us. Getting regular SOC 2 reports has resulted in a culture and routine of security-mindedness and evidence collection that makes our company and the data we manage safer. We recommend engaging the SOC 2 audit process because it can both prevent disaster and lead to new business opportunities. As cybersecurity threats continue to advance, finding secure business partners will only become more critical and more rare. We’re proud to be our clients' secure, reliable, high-quality digital product development partner. 

Leading your company’s SOC 2 audit? Follow Eric’s recommendations for a smoother experience and better results:

  • Set yourself up for success by establishing proper foundations and systems early on.

  • Accept that your first audit is going to be a learning experience. 

  • If you’re new, don’t start alone; get good advice from trusted colleagues or find a mentor. 

  • Do monthly internal audits after you have established foundational controls and processes. 

  • Automate what you can to make evidence collection routine and so you get alerted to issues quickly.

  • If you can afford it, invest in compliance software to do some of the lifting for you. 

  • Engage the Gap Analysis and SOC 1 before your first SOC 2 to improve your results.

  • SOC 2 is expensive and time-consuming, but it is worth it and can lead to new client work with companies with complex, high-security needs.

  • Bonus Tip: Ask for the SOC 2 reports from all of your big vendors (AWS, Slack, Okta, etc.). This was mind-blowing for Eric. These multi-million or billion-dollar companies all have exceptions, and it takes a load off your mind to realize that even the biggest companies are not perfect and are constantly improving. 

And if you need a rigorous, security-minded development partner, you know who to call.