SOC 2 compliance for startups and first-timers (part 1)

How to delay an audit without sabotaging your business

Many of the companies that reach out to Substrate are motivated by how much it can help them meet the SOC 2 criteria concerning access control and change management. Doing AWS right with Substrate will absolutely help you meet those criteria, yes, but there’s much more to SOC 2.

For startups and first-timers, it can be overwhelming to meet all the SOC 2 criteria, prove it to auditors, and finally acquire the SOC 2 report your customers have been requesting. The opportunity cost is huge, demanding attention from across your company over the course of many months. And it’s expensive, too, often in the neighborhood of $50,000. It is simply not worth establishing your compliance program until you are certain it unlocks at least that much revenue. At first, delay is the better tactic.

There’s a right way to delay SOC 2 compliance, though, and that’s the topic of this, the first in a four-part series that will take you through your first SOC 2 audit and beyond. This is not about making SOC 2 go away nor checking a box. It’s about making SOC 2 compliance a competitive advantage for your business through good security practices and proof. Your SOC 2 compliance program should help you land more customers, more quickly, while inspiring greater confidence that you’re a good shepherd of their data…because you are.

What is SOC 2?

SOC stands for Service Organization Controls. The various SOC reports are based on a family of principles for Service Organizations (read: companies) to follow and criteria to meet in operating their businesses. In the modern world, one company relies on many others to deliver for its customers.

If there’s a SOC 2, there must be a SOC 1, right? SOC 1 is concerned with how an organization ensures the integrity of its financial statements. SOC 2 is concerned with how an organization treats the rest of the data entrusted to it and covers both the system being operated and the humans who operate it. Both SOC and the Trust Services Criteria, which auditors use as the basis for your SOC 2 reports, are maintained by the American Institute of Certified Public Accountants.

Why does my startup need a SOC 2 report?

Your customers are relying on you for business-critical functionality and, more often than not, you’re delivering that functionality as SaaS. The proliferation of SaaS, for all its many advantages, requires a proliferation of trust, too.

Customers with established compliance programs will come to you, call you a “subprocessor” (that’s auditor for a “vendor who handles data on behalf of their customer”), and inform you that their compliance obligations “flow down” to you. Your customers’ standards become your standards.

What’s the purpose of compliance?

Compliance programs accelerate building trust between companies in two ways. First, the compliance regimes (SOC 2, ISO 27001, etc.) provide a common language that companies can use to communicate about risk. Second, a third-party auditor, whose entire business is based on using their reputation for competence and impartiality to give credibility to the companies they audit, uses that same language to attest that the company they’re auditing controls their business in a way that meets the criteria.

More simply put: Compliance is how you get credit for good security. All the bureaucracy, the work about work, the formal and precise language, the evidence-gathering and report-writing — it’s so you can get credit, in the form of business from customers, for being good shepherds of your customers’ data.

Compliance has another function, too: It prompts organizations to consider a much wider range of risks than they probably otherwise would. Folks don’t know what they don’t know, after all. The authors of the SOC 2 criteria have seen a lot. Think of the criteria as their cryptically phrased advice to nascent security programs.

How to delay SOC 2 compliance

Establishing a compliance program is a lot of work, both in terms of opportunity cost and dollars. At the beginning, the best strategy is to delay compliance while investing in security.

When a prospective customer asks for your SOC 2 report and you tell them you don’t have one, they’ll probably respond by sending you their “information security questionnaire.” (Some extremely risk-averse prospects might withdraw their interest. That’s OK. You can still win their business later.) Fill out their questionnaire spreadsheet, and answer their follow-up questions. Keep a copy of your answers to use the next time a prospective customer sends you their questionnaire.

After a few of these, you can buy yourself some efficiency by filling out the CAIQ/CCM questionnaire. When a prospective customer sends you their questionnaire, you respond with your pre-filled CAIQ questionnaire. Then you answer a few follow-up questions instead of filling out 200 cells in a spreadsheet again. It’s an enormous time-saver and shows the prospective customer that, while you don’t have a SOC 2 report yet, you do have a maturing security program that’s worth taking seriously.

Talk openly about the current state of your security program with your prospective customers. Set honest expectations about when you’ll establish a compliance program. Remember, you’re building trust. And without a third-party auditor to help with that, your best bet is to be forthcoming.

If a marquee customer comes along that absolutely demands a SOC 2 report, then you can promise them a SOC 2 report in nine months. Why nine months? SOC 2 reports are based on a six-month audit period. It takes a few weeks after the end of the audit period for your auditors to issue their report. And for your first audit, it’ll take a couple of months to get prepared, sign up your auditor, and get all the logistics sorted out.

Types of SOC 2 reports

When I say “SOC 2 report,” what I really mean is “SOC 2 Type 2 report.” That’s the kind of report that will take about nine months to acquire.

I think SOC 2 Type 1 reports are a waste of money because your auditor only reviews what you say you do, not whether you actually do it. It is, in my opinion, no more trustworthy than your answers to an infosec questionnaire (and those are free). You should only bother with a formal SOC 2 Type 1 report if you need a report yesterday and the customer it would land is existentially important and will not still be there in nine months.

For a SOC 2 Type 2 report, your auditor ensures that your stated security practices meet the SOC 2 criteria and, by reviewing evidence gathered over a six-month or one-year period, that you actually do what you say you do. This is incredibly valuable.

A cost-effective approach to SOC 2 compliance

In my experience SOC 2 Type 2 audits can cost up to $50,000 for small- to medium-sized SaaS companies of average complexity. This is per-audit, which is a big incentive to move to an annual audit cadence as soon as you can.

Many companies choose to adopt tools like ByteChek, Drata, SecureFrame, or Vanta. These tools are valuable and can save you a lot of time, though they don’t, in my experience, save you any money. An audit facilitated by one of these tools is cheaper, yes, but all the money you save on the audit goes straight to your audit tooling vendor.

The bigger cost, though, is in opportunity. In the months leading up to the beginning of your first audit period, you’re likely to task a few employees with weeks’ worth of work to create policies, design controls, and practice gathering evidence. Each audit will distract one or a few employees for a few days.

When to begin SOC 2 compliance

When your security program is mature enough that an audit is actually easier than endlessly filling out infosec questionnaires, start shopping for auditors.

When a SOC 2 report would unlock more revenue than it costs, establish your compliance program.

When critical customers or revenue might be lost forever without an imminent SOC 2 report, schedule your first audit.

When you’ve hired enough employees that operational controls are actually necessary, formalize your controls and have them audited.

What to say to customers before you have a SOC 2 report

Your prospective customers know what they’re getting themselves into working with a small company, and they’ve probably already decided your product and your vision are worth some amount of risk. You can bolster their confidence in you by being self-aware, honest, and forthcoming. Especially if the folks you’re working with have worked for small companies before, they know your policies, controls, and entire security program are works in progress. Your honesty about where you are will help avoid surprises and mismatched expectations later. Any customer will, of course, appreciate you committing to a date, and that’s something pretty easy to do when your audit period has already begun.

* * *

Check out the rest of the series. Part two covers the SOC 2 criteria and how to design your controls to meet the criteria. Part three is all about your first audit. And part four discusses how to operate your compliance program after your first audit.

  1. How to delay an audit without sabotaging your business (you are here)
  2. Reading the criteria, writing controls, and preparing for your first SOC 2 audit
  3. What to know going into your first SOC 2 audit
  4. How to operate and improve your compliance program after a first SOC 2 audit 

Looking for a leg up in meeting the SOC 2 criteria covering access to production, network segmentation, or change management? Substrate is the right way to use AWS, designed with SOC 2 compliance in mind.