Building confidence with a SOC 2 Examination

One of the biggest challenges for CIOs and CISOs is gaining confidence that you’re doing enough to keep your organization safe and that you don’t have any blind spots. By definition, you’re not aware that you have blind spots unless someone points them out to you. For a company such as ours entrusted with sensitive customer data, confidence is vital to looking customers square in the eyes and saying that we’re absolutely confident in the controls and processes we have in place.

But how do you gain this level of confidence?

One of the best ways to accomplish this, I believe, is through a Service Organization Control (SOC 2) Type 2 examination. Although it wasn’t exactly the most enjoyable experience, the SOC 2 audit we recently completed provided the confidence I was looking for. Since we were able to complete the audit without qualifications, I can now confidently assure our customers that our cloud-based response automation platform truly follows industry best security and privacy practices.

A SOC 2 report examines controls involving security, availability, processing integrity, confidentiality and privacy of the information processed on behalf of customers over a period of time. It is part of a suite of standards established by the American Institute of Certified Public Accountants (AICPA) and, as I can attest, is very thorough and exhaustive.

Our journey to a successful SOC 2 audit actually began right from the very beginning when we formed RFPIO as a company in 2015 to provide a more efficient way for organizations to manage their request for proposal (RFP) processes. From day one, security was front and center because we wanted to avoid having to extensively rework our security processes. We did find, however, that the lack of a SOC 2 audit was slowing down sales. The absence of an audit report by an independent third party often led to our potential and existing customers having to conduct their own audit.

Based on our ability to get through customer audits, we believed we were on the right path toward completing a SOC 2 audit. Once we made the decision to move ahead, the first step – and one I would recommend to any service organization pursuing a SOC 2 Type II audit for the first time – is to have an independent security expert conduct a gap analysis.

This turned out to be extremely helpful as it revealed some areas where our processes needed to be more formalized. The end result of this effort was that we were confident that we had identified areas for improvement and could pass the SOC 2 audit without qualifications.

One misperception that customers sometimes have regarding cloud suppliers is that their vendor of choice automatically inherits the security controls of a cloud provider, such as AWS. While this is true for access to the physical data center and servers themselves, the overall security of customer data and privacy is a shared responsibility between the cloud hosting provider, such as AWS, and the service provider, such as RFPIO. The analogy I use is that of personal banking. The bank could build state-of-the-art secure systems to protect your money and accounts. But it wouldn’t do any good if the account owner doesn’t understand their responsibility to safeguard their account. Therefore, if you’re going to entrust data to a cloud services provider, you want to absolutely ensure they are following industry-accepted best practices across the board.

One fact of cybersecurity and online privacy is that threats are constantly evolving and changing. For this reason, SOC 2 compliance is not a one-time affair. Everyone in the company needs to be consistently trained and updated to ensure they have a security mindset. And the audit process needs to be repeated year in and year out. In addition to maintaining continual SOC 2 compliance, we are also going to pursue ISO 27001 certification in 2019. Despite the effort and rigor involved with completing security audits, the sense of confidence they provide makes it all worthwhile.