SOC 2 School

What do startups need to do once certified?

Oct 22, 2020 2:00:00 PM / by Bryan "SOC" Urias

This week on JustProtect's SOC 2 School, we discuss what to do once your company is certified. Certifications are integral to growing your business, but knowing how to use them to their fullest extent is just as important. Most businesses either don't get certified at all, or secure certifications only because a requirement forces them to, rather than using the certification to its fullest potential. So this week we go over how to get the most out of your certification.


Full Transcript


SPEAKERS

Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect

Bryan Urias 

In this episode, we're going to talk about what happens now that the startup has decided to get certified. What do you need to know? What are the resources that you need? And what will you need on a one-time and ongoing basis? Does that make sense?

  

Vikas Bhatia    

In this episode, we're going to talk about what happens now that the startup has decided to get certified: you will need to know what resources you will need on a one-time and ongoing basis. So, how do I get management to buy in?

  

Vikas Bhatia    

So, it's really important, it's really, really, really important, I can't stress how important it is for management to buy into this certification process. And that doesn't just mean the founders, that doesn't just mean technical management, that means right up to the board or any advisors that the startup may have. You need to be able to share with them why it is you want to get certified. So at your next management meeting, you know, your next board update, advisor update, you need to tell them who the customer is that you're trying to talk to, what it is they care about, and that you're going to embark on this journey, really highlighting the reason why you've decided to get certified. So how do you get management buy-in? You need to clearly list out who your customers are, or even your target customers, what industries they're in, which regulations they care about, and how you intend to meet their requirements from a certification perspective. The other thing that you need to be able to share with your management is that you've found a way to do this quickly and efficiently without draining a lot of time and resources from your existing priorities. Doing it any other way, I can't guarantee you'll be able to make that statement. But by using the SOC 2 School and the information that we provide you, you'll be able to really accelerate this and do this yourself.

  

Bryan Urias 

So what resources are needed to start this?  

 

Vikas Bhatia    

That's a really great question. So typically, what you need to have is a management team. So, if you're in a startup where you've got a CEO, a CTO, potentially even a CEO, it's really about pulling that team together and determining who is running point with the SOC 2 or the certification initiative. So, you need a point person to act as a project manager, and then you need at least one person that can act as your liaison into that side of the business. What I mean by that is someone that can oversee technology, someone that can talk to the technology, someone that can talk to management, and if you've got outside counsel, then someone that can talk to legal. The other component of this is that you really need to have the right team members that enable you to demonstrate the specific items that you're looking to get certified in. So, for example, if you are trying to get a SOC 2 and you want to get the Security Trust principle, and you don't have anyone on the team that understands cybersecurity, understands what it takes to demonstrate security, you should really be looking at a virtual CISO or an outside advisory organization, even if it's a couple of hours a week, to really give you that sounding board. Same again for availability or process integrity. I would say leverage your advisory group, leverage us; you know, if anyone needs further help, feel free to comment in the box below, we'd be happy to share some of those resources. But really, you're looking to round out your team with people that understand the area that you're looking to get certified in. The other components, particularly when it comes to the SOC 2, are people like pen testers, for example. So being able to demonstrate an independent pen test is critical. No one's going to get a SOC 2 without having an independent pen test. So, really leverage your network to find good pen testers that understand your technology or SaaS, if that's your world.
And then after you've got some security expertise and advisory, and a pen tester, your next big bulk of resource is going to be working with an auditor.

  

Bryan Urias 

So Vikas, who actually does the work?  

  

Vikas Bhatia    

Really great question. I would recommend, if you are trying to do it on a budget, trying to divvy up or share the updating of documents or templates within the team internally. We were very lucky; we got management buy-in to actually hire an information security analyst, that's you, who took on a lot of the document updating, etc. But a lot of what we want to be able to share on this channel are hints and tips so that you don't have to have a whole army of people. You'd probably be able to do this with your internal team, or maybe an intern that you can get your hands on. And no, you can't hire Bryan!

  

Bryan Urias 

So, what capabilities do I need for this process?  

  

Vikas Bhatia    

So it comes down to having the right team in place, but also having some semblance of a plan, understanding what the biggest chunk of either your time or your resources will need to be committed to in order to get this done. Most of this can be worked out very quickly by following a checklist that we're going to make available for you guys. So, click here for this checklist. But really, having access to resources, having access to people, is all the capability you need to get started. The SOC 2 Type 1 is for anyone that's getting SOC 2 certified and just needs to demonstrate that controls, as in the things that you do, have been designed effectively. And what that really means is, you know, this is your opportunity to say that you've got a process, and you're going to work through that process. So, from a capability perspective, you don't need a lot, but you definitely need to have something. It's really more about pulling the team together and getting everyone's buy-in.

  

Bryan Urias 

So, this is great information. Thank you for that, Vikas. And if you guys have any questions or any comments, we'd love to hear them, so please leave them down in the comments section. Hit that like button, make sure to subscribe, and turn on those notifications!


Tags: mission, cybersecurity, Strategy, assessments, SOC2, Risk Assessor, Startups
