12 votes

Data security help - SOC2ish

Hi Tilderinos,

I head up a small startup and we're looking to get some support for our data security. Up until now we've worked with small mom and pops that didn't have any requirements, but a few of our new clients have full data security teams and our infrastructure and policies/protocols aren't up to snuff. We reached out to a few consulting firms and they quoted us between $80-100k to get things set up and run us through a full SOC2 review. As a small company we don't really have that type of budget, more like $40-50k. I stumbled upon Vanta and Drata as alternatives and had meetings with their sales folks last week. Both of their offerings from setting up our protocols to monitoring and getting us through a SOC2 were only $16k.

Are platform based companies like Vanta or Drata enough to get us off the ground while we're still getting set up? Has anyone worked with them before and have any feelings one way or the other? Should we be signing on with a security consulting company - be it at a lower rate if we can negotiate it?
This is all quite new to me and any insight folks here can provide would be incredibly useful.

6 comments

  1. [3]
    Comment deleted by author
    1. [2]
      rosco
      Interesting, both Vanta and Drata offered to select an auditor for us. Any suggestions for finding a good auditor?

      If the company doesn’t have a decent IT infra, no history of doing a pentest, or lack of HRIS, it’s gonna be rough trying to tackle SOC 2 without investments in those areas.

      All totally fair! We're genuinely trying to get our systems up to snuff. We have a really great engineering team that is more than capable of putting it together and largely we already adhere to basic security protocols - 2 step authentication, expiring authentication tokens... I think the guidance on what to beef up is what we're looking for.

      2 votes
      1. [2]
        Comment deleted by author
        1. rosco
          Thank you for the insight!!!

          One more thing, I’m a firm believer that SOC 2 (and ISO) is genuinely a good way for a company to get serious about security, and not a compliance burden. So, treat it as an opportunity for improvement!

          We are actually excited about this process because it can unlock so many new clients for us and as you say it's something we need to do anyway! I'm just a little lost on all the specifics. Do you think a Vanta/Drata might have guidance for some of the organization steps you mentioned like background checks or HR related activities?

  2. conception
    TrustCloud has SOC2 for free. Getting the audit done will be $$$$ regardless. A product like drata or vanta will manage the process. If you have 365, compliance.microsoft.com has tools for SOC2 compliance as well.

    Eramba is open source and free. You can download compliance frameworks to load into it. If you aren’t GRC savvy, it’s probably worth watching a getting started video.

    Compliancy-group.com also does SOC and will be a lot less than the others. But won’t have as many integrations.

    Anecdotes probably will be more automated but perhaps more expensive.

    4 votes
  3. [2]
    burkaman
    Vanta and Drata are useful for preparation, but you still need an actual auditor to do the SOC2 audit. Have them bid against each other and then pick the cheaper one, as they are both good enough, and then pick one of their partner auditors to work with. You can ask them for recommendations and they will point you towards a cheap auditor that knows how to work with their platform.

    $80-100k is way too much for a small startup, you should be able to get everything done for under $40k.

    Note that you'll only be able to do a Type 1 audit right away, that's a snapshot point-in-time audit. After 6 months or a year you can do a Type 2 audit where the auditor reviews your practices over that whole time period.

    So you'll sign up for Vanta/Drata, probably spend a couple months getting your infrastructure in order, then you'll do a Type 1 audit. Then you maintain everything for a year and do a Type 2 audit, and then keep doing a new one of those once a year.

    3 votes
    1. rosco
      Vanta and Drata are useful for preparation, but you still need an actual auditor to do the SOC2 audit. Have them bid against each other and then pick the cheaper one, as they are both good enough, and then pick one of their partner auditors to work with. You can ask them for recommendations and they will point you towards a cheap auditor that knows how to work with their platform.

      Vanta and Drata offered to select an auditor for us. They said the range is $2500 to $5000 for a SOC2 Type 2 audit.

We understand the timeline and are comfortable with it. I'd really like to understand how much support a platform like Vanta will actually provide if we're not already set up for an audit. Our team has a lot of capability but we need support being pointed in the right direction. Luckily we already work with all of their requested security integrations - GCP, Google Workspace, Jira, etc...

      1 vote
  4. lmnanopy
    I think the other comments covered your question, but FWIW:

    We used Strike Graph for our SOC 2 Type 2 audits. They’re reasonably priced and have excellent customer service, even if their platform isn’t anything special. I’ve also used Strobes for vulnerability management and penetration testing, and it is a super cool platform.