This week on JustProtect's SOC 2 School, we discuss which resources are a must-know before you begin the certification process. These are the resources we found most useful along our own certification journey. We recommend them because most startups simply learn as they go; to keep you from making simple mistakes and to give you the smoothest journey possible, we strongly recommend you join us this week to hear what we have to say.
Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect
In this episode, we're going to talk about what comes next now that the startup has decided to get certified: you will need to know what resources you will need on a one-time and on an ongoing basis. So, how do I get management to buy in?
So, it's really important, it's really, really, really important, I can't stress how important it is for management to get bought into this certification process. And that doesn't just mean the founders, that doesn't just mean technical management, that means right up to the board or any advisors that the startup may have. You need to be able to share with them why it is you want to get certified, so at your next management meeting, you know, your next board update or advisor update, you need to tell them:
- Who the customer is that you're trying to talk to
- What it is they care about
- That you're going to embark on this journey
- Really highlight the reason why you've decided to get certified
So how do you get management buy-in? You need to clearly list out who your customers are, or even your target customers, what industries they're in, which regulations they care about, and how you intend to meet their requirements from a certification perspective. The other thing that you need to share with your management is that you found a way to do this quickly and efficiently without draining a lot of time and resources from your existing priorities. Doing it any other way, I can't guarantee you'll be able to say that statement. By using the SOC 2 School and the information that we provide you, you'll be able to really accelerate this and do this yourself.
So what resources are needed to start this?
That's a really great question. So typically, what you need to have is a management team. So, if you're in a startup where you've got a CEO, a CTO, potentially even a COO, it's really about pulling that team together and determining who is running point with the SOC 2 or the certification initiative. So, you need a point person to act as a project manager, and then you need at least one person that can act as your liaison into that side of the business. What I mean by that is someone that can oversee technology, someone that can talk to the technology, someone that can talk to management, and if you've got outside counsel, then someone that can talk to legal. The other component of this is that you really need to have the right team members that enable you to demonstrate the specific items that you're looking to get certified in. So, for example, if you are trying to get a SOC 2 and you want to get the Security trust principle, and you don't have anyone on the team that understands cybersecurity, understands what it takes to demonstrate security, you should really be looking at a virtual CISO or an outside advisory organization, even if it's a couple of hours a week, to really give you that sounding board. Same again for availability or process integrity. I would say leverage your advisory group, leverage us; you know, if anyone needs further help, feel free to comment in the box below, we'd be happy to share some of those resources. You're looking to round out your team with people who understand the area you're looking to get certified in. The other components, particularly when it comes to the SOC 2, are people like pen testers. So being able to demonstrate an independent pen test is critical. No one's going to get a SOC 2 without having an independent pen test. So, really leverage your network to find good pen testers that understand your technology or SaaS, if that's your world.
And then after you've got some security expertise and advisory, and a pen tester, your next big bulk of resource is going to be working with an auditor.
So Vikas, who actually does the work?
Really great question. I would recommend, if you are trying to do it on a budget, then trying to divvy up or share the updating of documents or templates within the team internally. We were very lucky; we got management buy-in to hire an information security analyst, that's you, Bryan, who took on a lot of the document updating, etc. A lot of what we want to share on this channel are hints and tips so that you don't have to have a whole army of people. You'd probably be able to do this with your internal team, or maybe an intern that you can get your hands on. And no, you can't hire Bryan!
So, what capabilities do I need for this process?
So it comes down to having the right team in place, but also having some semblance of a plan, understanding what the biggest chunk of either your time or your resources will need to be committed to in order to get this done. Most of this can be worked out very quickly by following a checklist that we're going to make available for you guys. So, click here for this checklist. But really, having access to resources, having access to people, is really all the capabilities you need to get started. The SOC 2 Type 1 is for anyone who's getting SOC 2 certified and just needs to demonstrate that controls, as in the things you do, have been designed effectively. And what that really means is, you know, this is your opportunity to say that you've got a process, and you're going to work through that process. So, you don't need a lot from a capability perspective, but you definitely need to have something. It's really more about pulling the team together and getting everyone's buy-in.
So, this is great information. Thank you for that, Vikas. And if you guys have any questions or any comments, we'd love to hear them, so please leave them down in the comments section. Hit that like button, make sure to subscribe, and turn on those notifications!