Do you need SOC 2 compliance?
About a year ago, I was lucky enough to post an article at SCMag about Rookout’s journey to achieve SOC 2 compliance. Since then, I sat down with many engineering managers who had follow-up questions on the article. They wanted more details on the relationship with the auditors, the steps we took to control various risks, and how it affected our R&D processes. But the one question that has always come up in each and every one of those meetings was- “how do I know if I should get SOC 2 compliance?”
The first thing to evaluate when seeking to comply with security standards is knowing which standards are applicable for you. Here’s a shortlist of some of the common security standards today:
- SOC 2: The security standard by AICPA (the American CPA association), covering security and availability for US public companies and their affiliates.
- ISO 27001: The International Standards Organization specification for IT systems risk and security management.
- PCI DSS: The Payment Card Industry Data Security Standard, designed to protect credit card information and enforced by the banking and credit industries.
- GDPR: Data privacy regulation enacted by the European Union in recent years.
- HIPAA: Regulation by the US Congress to protect PHI (Personal Health Information).
The easiest way to figure out which of these standards is applicable to your product is via competitive analysis. Go to the websites of your competitors and other vendors in your industry and take a look at their compliance pages. Whatever shows up there is a good candidate for adoption at your company. Once you have that preliminary list of suspects, here’s a list of reasons to go ahead and get that compliance.
The most unequivocal reason you should get compliance is fairly straightforward – if they show up in commercial deal documents. For instance, if your line of business includes answering RFI and RFPs, it should be fairly easy to tell which compliance standards are required by your clients and whether or not they are mandatory. Alternatively, your clients might expect certain security sections or appendices in the service agreement.
Either way, if you are encountering a lawyer or a procurement manager requesting you to meet a certain compliance, chances are there is not much leeway there, and meeting that criteria is critical to landing the sale.
If your clients are security conscious — and in 2019, they are likely to be so — the sales process will include a security review. This will likely include both a security questionnaire and a meeting with a security professional. This process is often much more flexible than the stricter commercial discussions described above. In most cases, there are technical and compliance requirements for the evaluation, and much is left up to the reviewer’s discretion.
While it’s often hard to determine the impact of compliance on the review process itself, it can definitely help instill trust in your offering. The more time the reviewer spends discussing compliance with you, the more likely he cares about it. Keep in mind that compliance showing up in the questionnaire itself is a fairly weak indicator as some of them are standard and/or composed by third parties.
Friction and Gaps
If you are struggling with the security phases of your sales processes, security compliance can give you a leg up in making it through. Going through the compliance process with an auditor will provide you with the knowledge and information to tackle those frightening security questionnaires and review meetings with relative ease.
Having the certification will provide additional social proof of your knowledge and security posture. And it never hurts for the security reviewer to be able to say- a third party has signed off on this.
Going through the compliance process is no small undertaking, and can have a significant impact on your engineering and business velocity down the line. If the aforementioned signs ring true, if you are encountering compliance requirements such as SOC 2 in commercial and security discussions, you should probably go ahead and plan the time and resources to go through with it.
On the other hand, you can probably skip it if you are not currently encountering those signs and you’re only reading about compliance in online blog posts and articles, hearing of it during talks and workshops at events, or over coffee/drinks with your friends.