Getting ready for SOC2 does not have to be a death march. Work smarter, not harder. (Get an advisor)
Getting ready for SOC2 is often described as a long and painful process. Here are some things that often get left out of the mix when teams start this process.
The most common starting point for SOC2 is to have one of your technical team members decide to handle it themselves. This is a very common approach for technical people (VP of Engineering, CTO, etc.). On the surface, it seems like just a research project and some policies.
I have seen teams start by googling policy templates. After a bulk find-and-replace with the company name, they have their first version.
A good way to think about this approach is to imagine that writing a policy is akin to writing poetry in French. (But you do not speak French!)
Once you have your first poem, you have to ask: since you don't speak French, is this actually a poem? If you are not 100% certain, then your DIY cybersecurity policy is on par with your first French poem.
A good cybersecurity policy document is a living document. It’s a document that aligns with current frameworks (SOC2, NIST or ISO), maps to your company-specific tech setup, and is used to drive day-to-day activity.
The problem with the DIY approach is that when your homegrown version is done, it’s a best-effort document, but not something you can consider a living representation of your company’s cyber stance.
Your cybersecurity policy needs to be deeply and intelligently aligned with the current frameworks that cover your business and the requirements of your customers.
Keeping your company’s policy aligned is not a trivial task. This often becomes clear when a company adds new business products that require the addition of a new framework. For example, you have completed your SOC2 Type 1 audit and then realize your new product line will have clients in California and needs to comply with the CCPA.
Without a scalable solution, your company has to rework the process. If instead you have a strong, living cybersecurity policy, it adapts to changes in business needs.
A big concern of DIY solutions is the level of effort. On the surface, setting up a policy can feel like just another agile task. The reality is that without a plan, the level of work actually needed can be intense.
A common reason for teams reaching out for help is that their CTO decides they have had enough. In the end, the expertise needed to run a cybersecurity policy is not a core skill most technical leaders actually need.
After navigating this same challenge for a number of companies, it has become clear that when you know how to do the job, you can work smarter, but when the level of work and the specifics are unknown, it can be very challenging to plan and execute.
If you have already started down this path and felt some of this pain, then one approach is to get an advisor. I do this type of work. I do not actually implement policies. I de-risk the process. I help your team get perspective on the work and align it with your timelines, staffing levels and contract requirements.