About a year ago, we raised our seed round of investment. By that time, we already had a promising sales funnel and our potential customers saw great value in the product. And yet, as we continued filling our pipeline with potential clients, it didn’t take long for us to realize security was going to be a major obstacle in our lead-to-deal cycle. Regardless of their size, companies tended to meet our solution with a rise of an ‘is that secure enough?’ brow. We figured becoming SOC 2 certified would be the best way to overcome this challenge.
Getting SOC 2 Type 2 certification usually takes around nine to 12 months. We managed to get certified in less than six months. Below, I'd like to share the 3 steps we’ve taken that helped make our journey quicker. I’m the company’s CTO and the acting CISO, and I have years of experience in cybersecurity. However, when we started this process I had no experience with security auditing. Since we got certified, many of our startup friends have asked us about the process and so I decided to share what worked for us.
Why SOC 2
We had a lot of questions when we first began considering SOC 2. We wanted to understand how difficult the process would be, and how much work it would take compared to the benefits we could get out of it.
We met with several startups to see how their SOC certification process had gone. We learned that SOC 2 can bring great value. It prepares you professionally for the challenges that lie ahead; your security posture meets the industry standards; you have the paperwork to prove it; and it’s all verified by a trusted third party.
SOC (System and Organization Controls) is an American standard that belongs to AICPA (the American CPA association). US public companies and companies that target the US market rely on SOC to help ensure that the services they use meet security and availability requirements.
While SOC 1 focuses on financial IT systems and is probably of lesser concern to you, SOC 2 is more relevant and is split into two types:
- Type 1: policies are defined and documented, and the audit is conducted at a single point in time.
- Type 2: policies are defined and documented and are then verified by a third party over a period of time.
SOC 2 Type 2 is the gold standard for indicating your company prioritizes security, privacy, confidentiality, availability and processing integrity.
If you’re a new company, it’s good practice to meet several other companies in your ecosystem who have received the certification and learn from their experience. This is why I hope this post, outlining our journey, will help you understand whether or not SOC 2 is the right compliance choice for you, and how you should approach it.
Ground zero: It’s all about control
After deciding we want to get SOC 2 certified, we met with Ernst & Young, our CPA, to prepare for the journey ahead. As we sat down with them, we learned more about SOC 2 and how to confront the challenge of proving our company’s management has full control over all aspects of service delivery.
As an entrepreneur, one of the major challenges of scaling a company is keeping the ship sailing in the right direction while maintaining visibility into its inner workings as it grows. SOC 2 is one of the first tests I had on how well I managed to do just that. To pass this test, you must define a set of policies and procedures to create various controls, technologically and organizationally implement them, and then prove to your auditors you are indeed meeting them.
For every compliance requirement you have, the main question you should consider is: “how do I prove this action was properly sanctioned and recorded for future reference?” Instead of changing your existing process, examine the possibility of integrating the approval and auditing into the process. If you are a venture-backed startup like us, you will most likely have the report done by one the of Big 4 auditing firms.
Step 1: Achieve compliance with CI/CD
The majority of SOC 2 requirements in the security and confidentiality pillars fall heavily on the change-management process. Therefore, the first step of our compliance journey led us back to the heart and soul of the development process at Rookout: our CI/CD pipeline.
The attributes we have come to love about CI/CD are the very same qualities auditors look for to prove the company has control and visibility into the code that makes it to its production environment. These attributes are:
- Auditability - Know exactly what code went into which environment and when.
- Testing - Test to verify the application works as expected, every step of the way. Unit tests, integration tests, staging tests, etc.
- Pull request reviews - Make sure the code that goes into the system was reviewed, really belongs there and is of high quality.
Step 2: Keep things in check with monitoring
Our next step was to ensure visibility into all of our environments and processes: production and pre-production; CI/CD; onboarding and offboarding of employees; CRM and customer communications.
Monitoring these environments and processes is essential for ensuring that the company is operating as intended, and for fixing things when something goes wrong. The first crucial point we had to keep in mind was that we should always be aware when things go wrong. The second point was we must measure any SLAs we promise our customers.
This required setting up a set of tools such as availability monitoring, CRM reports and HR reports, as well as a set of processes like regular management meetings to review and discuss those reports. To get SOC 2 certified, you too will have to ensure the management has a clear and verified view of your company’s inner workings.
Step 3: Ensure smooth sailing with automation
The final step before going into the SOC 2 probation period was meeting the principle of least privilege (PoLP), so as to limit what can happen outside of our control. At this point, we mapped all processes requiring administrator privileges within Rookout. We then had to make a choice: either automate a process to allow it to be executed without admin privileges in a sanctioned and auditable way, or restrict it to a small set of admins.
At the end of this process, we had a very small group of system admins rarely exercising their admin privileges, and most of our day-to-day operations were carried out by anyone in the company in a fully sanctioned and auditable way. If you were to follow our journey up to this step, you too would probably find admin privileges aren’t necessary for the vast majority of your employees.
SOC 2: a slightly ironic takeaway
Since receiving our SOC 2, we’ve noticed that successfully undergoing security reviews with our customers (including Fortune 500 companies) is now considerably easier. We’ve also noticed that many startups we are in contact with are shocked by how early in our journey, and how easily, we acquired our SOC 2 certification.
It is somewhat ironic that instead of being a hurdle, being a young, 20-employee company actually helped us expedite the process! People often love to procrastinate on tasks such as this one, which they perceive as a nuisance. We’re no different. However, completing the certification process when you’re smaller and faster makes it a lot easier.
Make no mistake: becoming SOC 2 certified is a time-consuming process, and it’s probably the opposite of anyone’s definition of “fun”. However, it actually helped us craft things ‘as they should be’ at a very early stage, and I’m confident we’ll be reaping the fruits of this effort in the short, medium and long-term.
Liran Haimovitch is the CTO of Rookout