Kobalt.io is a cybersecurity company that serves cloud-native businesses. One of our everyday tasks is to guide our clients through their SOC 2 compliance process. Even though we have gone through the compliance process many times with our clients, going through it ourselves still brought unexpected challenges and lessons.
If you are unfamiliar with the SOC 2 process, you probably have a lot of questions and concerns about it. That's why we would like to share our own compliance experience and the lessons we learned along the way.
To start with, why did Kobalt.io choose to pursue SOC 2 compliance?
As a cybersecurity company, we store a lot of sensitive information. We wanted to ensure security and privacy for our clients, and accelerate our business.
Continue to provide security and protection for clients
To serve our clients, we often need to collect and store their sensitive information in cloud environments. Storing information online carries unavoidable security risks, so we wanted to become SOC 2 compliant and do our best to ensure that our clients are protected at all times and have peace of mind while working with us.
Boost business credibility
As a growing cybersecurity company, showcasing our expertise as well as our accountability is important to us. Being compliant with a highly recognized compliance standard allows us to provide confidence and build trust with clients and prospects.
Shorten sales cycles to drive business growth
Before we achieved SOC 2 compliance, prospects often asked us to prove that our security controls and practices were in place by completing security questionnaires. The downside of security questionnaires is that they take time and the work is repetitive: every prospect asks largely the same questions. SOC 2 compliance lets us allocate that time and those resources more efficiently. Whenever prospects or clients ask us to demonstrate our security measures, we can confidently provide our SOC 2 report right away.
Our compliance journey and challenges
The duration of a SOC 2 compliance journey depends largely on how well a company's security foundation was set up beforehand. If the right security policies and procedures are already in place, the team can check all the boxes of the SOC 2 requirements in less time. Our clients typically take six to 12 months; Kobalt.io took five. Here are the steps we went through:
Find an independent auditor
A SOC 2 report must be issued by an independent auditor (in practice, a licensed CPA firm). Even though we have a large network of auditors we work with, we chose a third-party auditor with no existing relationship to Kobalt.io to avoid any bias, real or perceived.
Conduct gap assessment against SOC 2 to identify compliance gaps
Before starting the compliance process, Kobalt.io already had a strong security posture, but there were a number of governance-related items we needed to mature. To accurately identify the specific SOC 2 requirements we had not yet fulfilled, we conducted a gap assessment measuring our security program against the standard. This gave us the insight we needed for our next steps and clear visibility into the specific documents, reports and assessments we had to prepare. This step took us two to three weeks.
Update existing materials and create missing documents based on the gap assessment findings
This step usually takes the longest to complete, and it is also the most labour intensive. A company's internal team has to manually create and update documents to meet the SOC 2 requirements. In some cases, a company needs support from a third party, for example a cybersecurity firm to create an incident response plan, or an external HR company to create an employee handbook.
Challenges that Kobalt.io faced:
1. Prioritization and communication with the auditor
At the early stage of working with our auditor, we realized that communication was not clear. The project became disorganized, which led to a slower start. This is very common while you are still getting to know your auditor's working style. We recommend talking this through with your auditor at the beginning of the project so the rest of it runs smoothly. When we raised the issue with our auditor, we agreed that it needed to be addressed as soon as possible. As a result, we started meeting bi-weekly to go through progress updates and review materials.
2. Employees’ time commitment
Based on our experience, the two key stakeholders of this project each had to allocate at least eight hours per week to SOC 2 preparation. One handled the technical portion, the other the HR and governance portion. Besides SOC 2 preparation, both still had to complete the other tasks on their plates. If you, or a single team member, are the only person in charge of SOC 2 preparation, make sure you set regular milestones and a reasonable timeline for the project. It is easy to prioritize tasks that deliver faster, more visible results over SOC 2 compliance.