In this episode of SaaSTrana, Venky and Raghu, Co-Founder of Sprinto, discuss why SaaS companies should pay close attention to security measures to become SOC 2 compliant.
I’m an engineer first and a founder. Sprinto automates compliance with security standards like SOC 2, ISO 27001, PCI DSS, and GDPR. We have support for over 15 standards.
It usually takes months of manual effort to get compliant. This is possible in a few weeks, and the effort is one-tenth of what it used to be.
This enables many small companies to go after big-ticket deals, which was not possible before. We enable or level the playing field as far as certain larger deals are concerned.
It is growing quite fast now. If I look at the U.S., SOC 2 is growing quite fast. If I were to think about Europe and India as markets, ISO would be growing fast.
SOC 2 is a security standard written and maintained by AICPA. It’s an American body, and CPAs write this.
SOC 2 is a 3rd party audit framework. When you want to get SOC 2 compliant, you need a third-party auditor to come in and review your environment to issue a SOC 2 report.
CPAs go through a lot of training on how to do audits. The auditing procedure is rigorous, which lends credibility to SOC 2.
SOC 2 is a holistic framework covering your people, processes, and how you change your organization, infrastructure, and technical aspects.
So, it’s an all-encompassing framework that looks at security from all angles.
SOC 2 is not a certificate; it’s a report issued by a certified AICPA audit partner.
There is a SOC 1. It is used more in financial audits. SOC 2 is used in a technical security audit scenario. Both are holistic in that they look at the controls across the company, but SOC 2 is more information security related.
SOC 2 gives a very long report where each security measure you have in your company is listed.
And it clearly states how the auditor tested that particular security measure and what the auditor’s observations were.
For a person on your customer side who’s reading this report, it’s a lot of detail that they have in terms of what you are doing to ensure that you’re keeping their data safe and secure.
And it’s also audited by a third party, which gives them a lot of confidence.
There is a Type 1 and a Type 2. Usually, Type 1 is easier to get because it just looks at whether your security measures are in place. It’s like examining a photograph.
Type 2 is, by definition, something you are reviewing about the presence of your security measures over a period.
It ensures that your security practices are continuously running. It collects evidence of the fact that these are running.
There is a SOC 3, which is like a shareable version. You can put it out publicly. It has less information than SOC 2. But in general, it can be used to display publicly.
SOC 2 has such a level of detail that you would not want to share unless you’re sharing it with somebody under an NDA.
If you get SOC 2, you automatically get SOC 3. It is just a shareable document of SOC 2. However, when issuing a SOC 3 report, auditors charge you separately.
SOC 2 is table stakes in closing mid-market enterprise sales. Without a SOC 2 report, it’s becoming extremely difficult to sell in the U.S. market.
If you think about it from your customer standpoint, it’s easy to understand why. As a SaaS company, my customer’s data is on my servers, and they are naturally worried about the security processes I have to ensure that I’m protecting their data.
SOC 2 becomes an excellent way for them to understand the security practices in your company. Third-party validation of these security practices highlights that they are not just there today but continue to run regularly.
You need to get a SOC 2 certification for your company as well. But it is common for young companies to host themselves on a SOC 2 certified infra provider like AWS, Azure, or GCP and get by without a SOC 2 report for a while.
And, for your first few beta customers or your pilot projects, you could get through without a SOC 2 report.
But that depends a lot on your luck regarding how much your sponsor in your enterprise customer is willing to support you online and the criticality of the data they are sharing with you.
As the criticality of the data they share increases, even for a pilot project, it becomes harder without a SOC 2 report.
To get it done to the point of having a report that you can share with your customers, it’s about 5 to 6 weeks with compliance automation.
But generally, this process used to take 4 to 6 months without a product like Sprinto.
It is always better to start with these processes early in your life cycle because when more and more employees join the company, it becomes harder and harder to adopt new practices.
You need to do basic things when you’re setting up your infrastructure like
Somebody from the senior leadership needs to pay attention to this during the setup.
Some of the common pitfalls I tend to see are:
However, you consequently lose a lot of deals, and that hurt will eventually make you realize that this is something you must do.
It covers everything that can impact the security of data. For example:
If you look at smaller companies targeting the U.S. as a market, I recommend SOC 2 as the primary framework to go after. It lays the foundation for you to get more things done.
For example, if you’re capturing more private individual information from California, CCPA applies to you. But a significant portion of your requirements is covered by SOC 2.
If you’re going into the European market, then you might need ISO 27001, at which point SOC 2 again is like a good base layer for you to build ISO on top of it.
As a company tends to get larger, and they go into specific industries like, let’s say
Compliance is becoming table stakes for companies to sell these days, so I think that 3rd party trust is becoming an increasingly important ingredient to start to do business in the SaaS ecosystem.
To know more, listen to the podcast here.
This post was last modified on May 3, 2023 12:46