SOC 2 School

What do startups need to know before getting certified?

Oct 13, 2020 2:00:00 PM / by Bryan "SOC" Urias

This week on SOC 2 School, we are discussing the reasons that startups should look to get industry certifications. This video series focuses on SOC 2, but it is also relevant to other industry certifications like ISO, NIST, and HITRUST.

We want to educate you from our own experience as a startup that just got SOC 2 certified at ten people. You can do it too, and we intend to show you how in this series.


Full Transcript


SPEAKERS 

Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect


Bryan Urias  

In this episode, we're going to cover what decisions need to be made to determine if a company is ready to get certified. Why do customers assess?  


Vikas Bhatia    

So, quite simply, it's really the larger organizations that need to adhere to regulatory or compliance mandates. So, if you're working with an organization like a bank or a financial services company, there are a number of regulations that control the way that the bank operates. The same applies to healthcare, defense, or manufacturing, and so the assessment takes place because, by working with a third party, the company that is bound by the regulations needs to be able to show its regulators that it is adhering to those practices, even if it engages a third party.


Bryan Urias  

So, who do they assess?  


Vikas Bhatia    

So, the organization should really be assessing anyone that extends their risk boundary beyond their own organization. So, let's talk about this in real time. Let's say I work for a big bank, and my big bank has an initiative that needs to speed up a particular process. Someone within the bank will start a project, and that project will say, okay, what can we do internally? What do we have to outsource, or get external suppliers to provide us, to meet those business objectives? So, during that process, there is a lot of dependency on that third party to meet the business objective. And what's taking place is that the risks that that third party introduces are actually what is being assessed.


Bryan Urias  

What does being assessed mean?  


Vikas Bhatia    

That's a great question. So, in our contracts with our customers: you have a startup, and you're promising your enterprise customer that you will, for example, keep their data secure and manage it in a secure manner. You may have some availability-type language, so our system or our solution will be up and available, like, 99.99% of the time. You may be saying in your contracts that you don't sell their personally identifiable information to third parties. Additionally, you might have some processes that your platform or your service provides in that black-box theory. So, you may have a particular data-integrity type of responsibility. What the organization is looking for is ways for you to demonstrate your obligations to them. If you're saying that you're going to keep this data secure, really, I want to know how it's going to be secure. If it's going to be available, how will it be available? So, what's being assessed really comes down to the promises that are made to those enterprises and how the startup intends to meet those objectives or meet those obligations.


Bryan Urias  

Does being certified shorten the sales cycle?  


Vikas Bhatia    

I think that's a great question. So, let's talk about what comes before being certified, and what being certified means. Today, when a startup fills in that assessment, they really are doing it as a self-assessment. So, they're really providing their own perspective on their posture. So, if someone says, Bryan, you know, how well are you eating, you're pretty much going to say, I mean, really well, but there might be some, like, you know, leftover, you know, hamburgers or whatever underneath your desk. By being certified, what you're doing is demonstrating to an independent third party that you perform certain processes, that you have certain protocols in place, certain technologies in place. And so being certified actually enables the assessing organization to outsource a component of that assessment process. So, does it shorten the sales cycle? Absolutely. It's one less thing, or a number of fewer things, that the assessing organization needs to then verify.


Bryan Urias  

What certifications should be considered?  


Vikas Bhatia    

That's a really great question. So, I know the name of this school is the SOC 2 School. SOC 2 is a certification that's actually overseen by the AICPA, which is the American Institute of Certified Public Accountants, but there are a number of other certifying organizations or bodies, like ISO, which is the International Standards Organization. There are other certifications like PCI, which is focused on credit cards, very fixated on the payment card industries, and then there are bodies like HITRUST. So, there are a number of different certifying bodies. I think it should be imperative, or really important, for a company to really understand what is important to their customers, and then choose the certifying body that would meet those requirements. So, for example, if the company that you want to work with is predominantly in the US, then having something like a SOC 2 is pretty adequate. But if your customers' headquarters are in Europe, let's say, it may be better for you to get the ISO certification, because ISO is international. If your customers are typically healthcare, then you may want to consider something like a HITRUST certification. So, it really comes down to knowing who your customer is, what it is you promise that you would do for them, and what it is they recognize or don't recognize.


Bryan Urias  

Is there anything else we need to know?  


Vikas Bhatia    

Yeah, so being certified, or achieving these certifications, is not a one-time effort. It's really the start of a program that is ongoing. So, if your organization isn't ready to commit the time, the energy, and the resources to achieving and then maintaining those certifications, really, they should stay away from it. There are definitely other ways that you can demonstrate your posture and be safe.


Bryan Urias  

So, thanks, Vikas, that's some great information. And for those of you watching, please let us know what you think. Let us know any comments or questions that you have. You know, hit that like button, subscribe, turn on the little notification icon. And see you guys next episode!


Tune in next week at the same time for the next episode of SOC 2 School. We hope you enjoyed the episode and hope to see you again!

Tags: mission, Strategy, SOC2

Written by Bryan "SOC" Urias