Data security help - SOC2ish
Hi Tilderinos,
I head up a small startup and we're looking to get some support for our data security. Up until now we've worked with small mom and pops that didn't have any requirements, but a few of our new clients have full data security teams and our infrastructure and policies/protocols aren't up to snuff. We reached out to a few consulting firms and they quoted us between $80-100k to get things set up and run us through a full SOC2 review. As a small company we don't really have that type of budget, more like $40-50k. I stumbled upon Vanta and Drata as alternatives and had meetings with their sales folks last week. Both of their offerings from setting up our protocols to monitoring and getting us through a SOC2 were only $16k.
Are platform based companies like Vanta or Drata enough to get us off the ground while we're still getting set up? Has anyone worked with them before and have any feelings one way or the other? Should we be signing on with a security consulting company - be it at a lower rate if we can negotiate it?
This is all quite new to me and any insight folks here can provide would be incredibly useful.
Finding the right (namely reasonable) auditor is the most important part IMO. Because they are the ones you are dealing with for the audit and the ones that actually issue the report. Some of them even offer gap assessment services that make it easy to transition to the Type 1 audit.
All these consultancy services and vanta/drata tools do is just drop you in a cookie cutter dashboard or spreadsheet. They may have fancy bells and whistles with alerts, but odds are, poorly designed controls fail regardless of how many alerts you get.
I can go more into this, but just a heads up, SOC 2 isn’t just the cost of tools or the audit. If the company doesn’t have a decent IT infra, no history of doing a pentest, or lack of HRIS, it’s gonna be rough trying to tackle SOC 2 without investments in those areas.
Interesting, both Vanta and Drata offered to select an auditor for us. Any suggestions for finding a good auditor?
All totally fair! We're genuinely trying to get our systems up to snuff. We have a really great engineering team that is more than capable of putting it together and largely we already adhere to basic security protocols - 2 step authentication, expiring authentication tokens... I think the guidance on what to beef up is what we're looking for.
I’ve been lucky in that I’ve worked with auditors that have been reasonable, especially when I had to take a company from zero to SOC 2 within a year. But I’ve heard horror stories of auditors that might have previously worked with Fortune 500 and somewhat expected the same resources and maturity for a small SaaS company looking to get their first SOC 2 under their belt. Try not to find an adversarial auditor!
I know you haven’t started yet, but I want to highlight that SOC 2 isn’t just systems, it’s also organization (that’s the O!) as well. To give an example, a common SOC 2 control is conducting background checks for all new employees. The easy thing is to set up Checkr, the hard thing is to make sure no one falls through the gap. Say that two summer interns start, and the background check process wasn’t followed because HR thought it wasn’t necessary. Come audit time, those two interns are gonna show up as observations because you can’t provide a background check record for them.
One easy way to get guidance on what to do is simply look at other companies’ (especially if they are a similar size) SOC 2 reports. Bigger companies likely have more controls, but do anticipate around 60-80 controls (can vary depending on what criteria you are going for) first time around. You’ll begin to notice there are a lot of overlapping controls with very similar wordings.
I can go on and on about this. I just want to highlight that beyond the marketing (SOC 2 in 5 easy steps!), the actual process can be a real grind especially if you aren’t prepared ahead of time.
One more thing, I’m a firm believer that SOC 2 (and ISO) is genuinely a good way for a company to get serious about security, and not a compliance burden. So, treat it as an opportunity for improvement!
Thank you for the insight!!!
We are actually excited about this process because it can unlock so many new clients for us and as you say it's something we need to do anyway! I'm just a little lost on all the specifics. Do you think a Vanta/Drata might have guidance for some of the organization steps you mentioned like background checks or HR related activities?
Sure, they probably might recommend a system or a policy for a control. But at the end of the day, it comes down to you (the company) who has to implement it. This is also where having a good rapport with the auditors really helps. At the end of the day, they are the ones that will review and accept your evidence.
TrustCloud has SOC2 for free. Getting the audit done will be $$$$ regardless. A product like drata or vanta will manage the process. If you have 365, compliance.microsoft.com has tools for SOC2 compliance as well.
Eramba is open source and free. You can download compliance frameworks to load into it. If you aren’t GRC savvy, it’s probably worth watching a getting started video.
Compliancy-group.com also does SOC and will be a lot less than the others. But won’t have as many integrations.
Anecdotes probably will be more automated but perhaps more expensive.
Vanta and Drata are useful for preparation, but you still need an actual auditor to do the SOC2 audit. Have them bid against each other and then pick the cheaper one, as they are both good enough, and then pick one of their partner auditors to work with. You can ask them for recommendations and they will point you towards a cheap auditor that knows how to work with their platform.
$80-100k is way too much for a small startup, you should be able to get everything done for under $40k.
Note that you'll only be able to do a Type 1 audit right away, that's a snapshot point-in-time audit. After 6 months or a year you can do a Type 2 audit where the auditor reviews your practices over that whole time period.
So you'll sign up for Vanta/Drata, probably spend a couple months getting your infrastructure in order, then you'll do a Type 1 audit. Then you maintain everything for a year and do a Type 2 audit, and then keep doing a new one of those once a year.
Vanta and Drata offered to select an auditor for us. They said the range is $2500 to $5000 for a SOC2 Type 2 audit.
We understand the timeline and are comfortable with it. I'd really like to understand how much support a platform like Vanta will actually provide if we're not already set up for an audit. Our team has a lot of capability but we need support being pointed in the right direction. Luckily we already work with all of their requested security integrations - GCP, Google Workspace, Jira, etc...
I think the other comments covered your question, but FWIW:
We used Strike Graph for our SOC 2 Type 2 audits. They’re reasonably priced and have excellent customer service, even if their platform isn’t anything special. I’ve also used Strobes for vulnerability management and penetration testing, and it is a super cool platform.