* It costs $40k in year one and $30k/year in subsequent years if you do the now typical stack of Vanta, pen test, vulnerability monitoring and audit fees. This makes ROI pretty straightforward to figure out.
* There's really no benefit to getting Type 1, you just need to get the Type 1 posture and then wait out the monitoring period in order to get Type 2. If the customers actually care, they are smart enough to know that it's a lot harder to fudge it for 6 months than it is for one four-hour Zoom call.
* You can definitely get to about 60% of SOC2 just doing obvious best practice (code reviews, SSO, HTTPS only, database alerting). The next 20% is worthwhile but not intuitive, the final 20% is neither.
Agreed with the top comment about infosec teams being reasonable. At this point I think it would be pretty hard to do deals with public companies without having Type 2, and our domain isn't even that security focused.
Definitely paying too much @ $40K/$30K. Audit firms will cut their costs - don't take their first offer, it's a negotiation. Renegotiated down every year...they will want to reduce churn. Also, there are open source versions of Vanta and similar but those aren't really necessary - helpful - but not necessary. Same for pentests - I have had this conversation many times with SOC2 auditors to show me where it says you must have a pentest - many SOC2s later, never had to have one. That said customer contracts may require it, and some even specify the firms or onerous requirements for the chosen firms. We often argue Red Teaming exercises are better and win with that. I'll post a list of cost saving ideas up if anyone is interested. As for ROI - SOC2 is really only a sales enablement tool, nothing more. So it's really how many enterprise deals you will lose without SOC2 vs. how many you will win, and at what revenue. You can also negotiate transparently with your customer - most will say they want SOC2 but then if you add in extra cost to cover it, they back off. Until you have a 100K+ recurring (3 year ideally) deal ready to walk away, push back hard and be transparent with them on the added costs for paperwork. Offer to have a call with their security team and walk through your real security processes instead. Most customers are reasonable once you get past the outsourced procurement team. Helps to have a business sponsor who can cut through the red tape.
ok will do - I will also post an actual (sanitized) Type 2 IRL so we can dispel the mystery and the need for experts. It's all straightforward stuff. But give me 24 hours since my family is giving me cross looks at spending more time online than with them on a holiday weekend ;)
>At this point I think it would be pretty hard to do deals with public companies without having Type 2, and our domain isn't even that security focused.
Even if you avoid SOC2, the security questionnaires (mostly avoidable if you have SOC2) from large companies can be so onerous if you're doing any sensitive work for them that SOC2 would be cheaper and less effort than the time spent on the questionnaires and infrastructure changes to meet them.
I've worked with multiple organizations through their entire SOC2 process and interviewed security teams from a bunch of other SOC2'd companies, and the impression I'm left with is that you can get 100% of SOC2 just doing obvious best practices. Part of the reason I wrote this is to encourage engineering teams to push back on SOC2 processes that demand that they do new weird things.
I have kind of a meh opinion about Vanta, for what it's worth.
Very much agree with you about SOC 2 == obvious best practices if done reasonably!
That’s one of the “secrets” of SOC 2: if you speak some compliance, you can make most of the SOC 2 work for you, implementing best practices, getting the rest of the org to prioritize them, etc. (This is what we like about SOC 2 at Vanta: it can turn meaningful, difficult-to-measure security work into high-pri sales collateral.)
If you don’t speak compliance and have a SOC 2 consultant who doesn’t speak engineering, you’re more likely to end up with absurd arguments and bookkeeping (“but you have to use a WAF there’s just no other way!” etc.)
Good advice. I've filled in dozens of those questionnaires from big corps on behalf of clients, and they can be gruelling, but in general the infosec team on the other end are usually cooperative / collaborative - eg. they'll often take a "we'll work on this" or "we don't need this because X" over "won't fix".
The most important thing is committed spend - e.g. it's common for Big Corp Inc's infosec team to put you through compliance, potentially asking you to spend $0000's on time and services, without comparing that to the value of the contract you could have with them. You could spend a lot based on zero commitment if you take your eye off this.
Many big corps do have a tiered process (depending on perceived risk). A trick is to get yourself classified in the lowest possible tier.
Teaching your salespersons to help their contacts/champions with convincing their internal security to lower classification will be great ROI for you :)
I have a small SaaS. I have a couple large customers (large in size, not in sales) and a bunch of smaller ones. A potential customer has asked for SOC reports and my gut instinct is to simply say no deal. The ROI is not even close to making sense. This looks like a huge PITA besides being expensive and requiring yearly investment.
We have many clients asking for certification. We just say that we don't have one, but our major vendors (e.g. AWS) have a shit ton of them, and it seems to work fine.
Usually it’s not the certification that will make or break a deal, at least in our case.
From the buy side perspective, as someone that sits on a vendor review board, if there are two vendor options for a service, and one has SOC2 and the other doesn't, we'll lean heavily toward the SOC2 vendor. If you're the vendor, this can help your ASP.
I've personally gone through certifying a company as SOC2 and it makes you realize how much you want your vendors to have SOC2 controls.
We are also a really small company and get hit with these requests on a fairly regular basis. Our approach is to negotiate the actual security objectives and provide targeted assurances. Some customers are very strict with their requirements, but others are willing to negotiate.
We have signed on a publicly-traded entity without having a SOC2 on hand. It's not impossible to make a deal happen if the customer really wants your product, and you can somehow prove to interested parties that you won't sink their ship in the process. We achieved this with technical deep-dive sessions which involved our customer's IT and security people. Being able to communicate with agility and think outside the box is a good way to get around red tape.
For us, the biggest thing our customers seem to be worried about is the continuity of our business relative to support of the product. Offering source code escrow through some 3rd party is a good way to help alleviate some of these types of concerns.
It is a huge pain in the ass and I would not do it at your scale. Beyond the money, which is substantial --- even if you're smart about it, you're still going to sink tens of thousands into the stupid report --- it's going to eat months of your brain just to get the process going.
The article does a great job of cutting through all the noise.
Highlighting here because it is relevant: certification is about sales.
I’d only do it once you either:
1) you spend much more time filling out questionnaires than the time/investment needed to get certified (note, they’ll still ask you to fill out questionnaires though)
2) you want to go after companies that actually care about this (banking, government). Even then, these will have shortcuts through procurement that will lower requirements (ie: innovation projects, small ticket items)
"Innovation projects" is how we got past the gatekeeper at our very first client (banking industry). We pitched it as an experimental technology that we wanted to partner with them to build out. No guarantees type of deal made it a lot easier to sell to the board, because we weren't proposing to put any line-of-business on top of it (at first).
Once you have 1 client in your target industry using your product, it is infinitely easier to get a 2nd client (assuming you can use the 1st as a positive reference).
SOC2 seems like an interview-time item if I were to try to put an analogy around it. Once you have a certain reputation and key players trust you, it's a lot easier to navigate around regardless of your specific credentials.
They will first ask for the report/certifications, but if you don't have one, they'll likely proceed with asking more detailed questions about your security.
Putting the things mentioned in the article in place will help a lot in answering to those questionnaires.
Same here, was initially asked to provide a SOC2 report or ISO 27001 certificate, in addition to filling out a cloud compliance matrix. Just tell them your aim is to get certified, and also show them that you take security very seriously, and it does not seem to be a requirement any more.
One of the issues I've encountered as a startup doing the Danish equivalent of a SOC2 is VendorSec. (We don't have much revenue yet, but our customer segment really cares about this sort of documentation.) Many cloud providers (..TypeForm) require you to spend thousands of dollars with them annually before they're willing to give you any security details or audit reports at all.
This means that we have a hard time making revenue because we don't have the certifications, which we can't get because we can't spend enough money to get access to them.
That's strange - they won't send you a document from their auditors certifying that they've undergone some sort of SOC2-type audit? I don't really get why you'd withhold that, it's what you paid for.
My general thought on silly security certification requirements is that I wonder if they're necessarily silly or just covering rare (but catastrophic) events. For example, my whole company had a great laugh when a client required us to have a Pandemic Policy in 2019. In 2020 we stopped laughing about it.
Literally the only reason to do SOC2 is if an important customer prospect that you are definitely going is demanding it; in fact, it might be better to say the only reason to do it is that you have to because you've got a contingent PO.
We had a pandemic plan as part of our general DR/BC (disaster recovery / business continuity) plan for more than a decade. The joke was that we exercised it several times a year -- in winter, when the big snow storms hit and everyone worked from home.
In February 2020 I pointed out that we had not had a single mass work-from-home emergency, so shouldn't we hold the exercise? I convinced enough execs that we held a two-day test, on the basis that nearly anything can be postponed one day in order not to do it from home, but perhaps not two. We solved a bunch of issues... and then we left the office in mid-March and haven't been back en masse since.
Any views on Vanta vs Tugboat Logic vs Laika? I'm trying to choose among them and am leaning towards Tugboat Logic. Its policies seem more thoroughly drafted and they let you test drive the platform, which none of the others allow. Vanta has more integrations but doesn't currently do Jamf from what I can tell.
Be careful about SOC2 tooling that (1) asks you to do new stuff, or (2) that wants to become part of the fabric of how you manage hosts day-to-day.
Re (1): SOC2 is about adherence to a stated portfolio of controls. Different companies use different controls to reach the same control objectives. Almost all of the control objectives can be met with straightforward best-practices engineering, like having a carefully managed and logged SSO (a reason Okta is so popular), or --- I'm not exaggerating here even a little bit --- being able to describe the basic features of Github to an accountant. I've seen tooling that asks people to install all sorts of random security tooling on desktops and (worse) on servers; having been in SOC2 interviews with major-firm auditors, I can say with confidence none of them know what the fuck any of that shit means.
Re (2): SOC2 is not your security program. SOC2 has no good advice for your security program. Any competently run security program can, with enough grueling documentation, achieve SOC2. The very last thing in the universe you want is "SOC2" literally installing itself on your machines.
I think there's a lot of value in things that help you build and fill out checklists that will allow you to quickly and easily satisfy SOC2 IRL questionnaires; also just to keep yourself organized. But remember that the engineering should come from your engineering team, not from the absolute randos who build prefab SOC2 checklists.
The policy docs are just filler. Auditors never look at them in any detail. They look for the last revised date and last review date. Bought a $150 bundle online and submitted it as-is without even replacing a single parameter, and the audit went fine.
But Vanta/Tugboat won't actually do the reviews and training and HR and executive reviews you need. Basically their deal is that they cut volume discounts with the audit firms and then take the rest. They have nice dashboards, don't get me wrong, but only their hand-picked auditors will accept them. Others will require you to manually package up the same evidence anyway and upload it to their IRL evidence system.
Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there and kudos to them for innovating on the pricing/biz dev, but you can pocket that savings yourself by negotiating the same price drop directly with the audit firm, and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs definitely. It's just the difference between buying a Honda vs. Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high end convenience, go for it.
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.
I think this depends on your internal resources. TugBoat and Laika are more project management tools, a great question to ask is if you integrate with my Infrastructure, how many controls within the SOC2 framework are you actually automating. Vanta has been around awhile but I’ve heard mixed feedback from auditors as well as companies that use the tool. I’d recommend looking into Drata, they have the most automation and great auditor relationships. Happy to provide an intro to one of their audit partners that I used to work with to learn more from their perspective.
We did a Type 1 audit with Tugboat last year. I came away quite impressed - the default templates are a great starting point, and the evidence tasks are basically a giant todo list to assign and grind through. It turned a complex project with lots of unknowns into a much more straightforward project.
What does "SOC2 Certified" mean? You don't get a certificate. The external auditor will issue the report and opine if you have effective controls in place for either a point in time (type 1) or for a duration of time (type 2). They don't certify you for anything.
The audited firm is responsible for providing the "control" evidence, so if you say you rotated all your creds last year, and didn't use "solarwinds123", then the auditors will believe you. The auditors don't personally check the creds on all your systems, so while SOC2 gets your org thinking about all the right processes, the onus is still on your DevOps/SecOps/BizOps teams to do security right.
Overall, I'd rather be working with a certified vendor than not, but SOC2 ain't PCI.
> Compliance is a byproduct of security engineering. Good security engineering has little to do with compliance. And SOC2 is not particularly good. So keep the concepts separate.
It appears to be impossible to make people grasp this concept. So much wasted time talking at cross purposes about real security while other people in the room are talking about compliance and vice versa.
We found Vanta very helpful for identifying and managing all of the to-do's (gap analysis). Our initial discussion with an auditor was very paperwork-focused, and Vanta helped us see the gap analysis as technical/process focused (with the paperwork following, describing what we were now actually doing). It would have been much more challenging to achieve SOC-2 compliance without Vanta.
From a cost perspective, Vanta + a Vanta-partnered auditor was less expensive than just an auditor (presumably because the information was organized so the auditor had to do less work to complete the audit).
The Vanta platform ends up being a place to put documents so the auditor can find them (which is more useful than you might think if you haven't done a SOC-2 audit). They offer several Vanta-developed continuous monitoring tools (e.g., endpoint configuration monitoring, AWS vulnerability monitoring), which are not as well developed as independent tools (e.g., Kandji, AWS Inspector) but are convenient for auditors documenting continuous compliance.
As I understand it, they are working towards being more of an integration center for independent tools, so Kandji/AWS Inspector information can flow into the Vanta system.
Having been spammed by them out of the blue, a couple of times already this year, my feeling is that like most businesses, I already know what changes I'd have to make to improve.
Paying someone to give me a list of problems isn't at all useful until we have nothing else to do. Appreciate there may be others out there without the same understanding of Infosec, but frankly that's a greater risk to companies without those resources.
This is a great point, getting a checklist of your problems to fix and a way to project manage certain pieces of the process isn’t solving the real problem. Also many of these tools don’t give you great insight into where you stand going into your audit or in between your annual audits.
A newer tool that I’ve heard great feedback on is Drata. They’re more focused on automation and continuous evidence collection.
The reason we went with a company similar to Vanta (StrikeGraph) wasn't infosec. It was that SOC2 is enormous and spans beyond infosec, its controls and requirements are arcane, and having experts that have done this before set you up for success in your $50k, year-long investment to get to a Type 2 audit is hugely valuable.
$50K is too high, unless you had a lot of actual process gaps to fill initially and are counting staff time in that. Also expertise isn't really that important - honestly the auditors are often (not always) minimally trained and often don't have much experience in cloud. Having someone on staff that truly understands your unique system and processes and can articulate and document how it is (or is not) operating securely is a better use of money. Spend the $50K on actual security (training, code reviews, red team exercises, learning about TTPs and allocating time in the dev and QA cycles for these considerations).
As others have said above, the compliance part will be a by-product and will essentially fall in place modulo some extra documentation effort (which can be heavily borrowed from templates).
Vanta and StrikeGraph etc no doubt will make it more convenient to follow best practices and scaffold your continuous monitoring, but I see it as a nice to have, not a must have.
This is pretty much where I was coming from too, although better articulated. I do see value in the structure of responses, but if we have already done everything we need to then we should be able to respond to the audit formulaically.
Though seeing the other comments that Vanta + audit being cheaper than audit alone is an interesting quality and may change the initial defensive rejection I have for receiving cold contact mail on non-public addresses (which means they also buy harvested data).
SOC 2 stands for System and Organization Controls (SOC) 2 and is a comprehensive reporting framework put forth by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors (i.e., CPAs) perform an assessment and subsequent testing of controls relating to the processes in scope.
In reality, it's a get-out-of-jail-free card for the companies who are supposed to do due diligence on your company's security.
You have a service. They want to make sure it's secure before working with you. They ask you to get this compliance done.
But the compliance, as mentioned in this article, doesn't really make sure your service is secure. It just makes sure you follow some security practices.
The "actual" reason big enterprises require SOC2 is not security. If something goes wrong, certain people within that enterprise are gonna be responsible for making the decision to work with you in the first place.
Having SOC2 in place makes sure those people can say "we did our homework".
In people's experience, does trying to charge the customer requesting this specifically for this ever work? Our startup has tried a few times for similar things (e.g., HECVAT), and it's always failed...