
Startups: when to invest in SOC2 Compliance?


As of April 2022, LogicLoop has completed its SOC2 Type II audit. LogicLoop is an operations automation tool that allows you to query your business data to trigger alerts and automations. Since we work directly with customer data, security is of the utmost importance. SOC2 is a formal, independent audit verifying that your organization's data security and privacy policies, and its adherence to them, meet the industry's highest standards of information compliance.

If you’re a technology leader working on a software product that interfaces with sensitive customer data, you’ve likely heard of SOC2 before and are wondering whether it’s something you should prioritize. Having gone through the process ourselves in the past few months, LogicLoop is happy to share our learnings.

How do I know if SOC2 is something worth investing in?

If the following apply to you, it’s likely that a SOC2 certification will benefit your company:

  • Your company offers a software product that handles sensitive customer information
  • Your customers are security conscious or large technology companies
  • It’s important that your company establishes a strong technology and security brand

Because SOC2 can add more process to your organization, it might not be worth it for you if:

  • You’re an early stage startup pre-product market fit whose top priority is to iterate rapidly
  • Your customers are mostly consumers or small businesses

When should I invest?

You’ll know it’s the right time to pull the trigger when multiple potential customers ask you about your security policies and/or your SOC2 report in particular. If you have not yet been asked, you might be a little too early in the process and it may be worth prioritizing other aspects of your business first. However, you don’t want to wait too long either: you don’t want to risk losing a late stage customer because you weren’t able to provide strong enough evidence of your company’s security practices. While you can certainly DIY your security policies, having an industry standard SOC2 report on hand significantly speeds up the process and gives your customers confidence that you are following best practices.

What types of requirements are part of the SOC2?

The SOC2 covers a wide array of organizational processes and infrastructure security requirements. Here are some examples:

Organizational process:

  • All employees must sign a confidentiality agreement and pass a background check
  • Employees must have an annual performance review
  • Your Board of Directors must meet quarterly to discuss security matters

Access security:

  • Employees must use company owned equipment and accounts to do their work
  • You must keep track of what services each employee has access to and grant access based on the principle of least privilege

Vendor management:

  • You must keep track of all important vendors your organization depends on and whether those companies are compliant

Infrastructure & data:

  • Your cloud environment must be set up with secure networking practices
  • Your databases must be encrypted at rest and in transit
  • Employee laptops must be encrypted and configured with firewall protection

Engineering processes:

  • Changes to your code and infrastructure must go through peer review
  • You must establish an incident response procedure

How much time & resources would the process take?

The answer to this question will vary drastically from organization to organization. Keep in mind that it’s going to be far less painful if you start following best practices earlier in your company’s life rather than later. For early stage startups just establishing their processes for the first time, you can be prepared for SOC2 in a matter of weeks. For larger companies, training employees on new procedures and migrating legacy infrastructure can be far more time consuming. For example, if your company has been using unencrypted databases for years, then depending on how your cloud infrastructure is set up, migrating those databases to encrypted instances can be a painful process. For this reason, LogicLoop invested in SOC2 early on in the company’s life.

I’m interested - what are the next steps?

Luckily, the SOC2 process is a very well trodden path and there are many services out there that can hold your hand through the process. These services will charge anywhere from $5k-$15k/year, but they provide a myriad of ways to support you:

  • They will provide a large checklist showing you which items have been completed and which still need to be worked on
  • They have software that integrates with your systems (e.g. AWS, GitHub, Google Drive) to automatically run checks and detect violations
  • They can provide instructions and troubleshooting support for items you need to work on
  • They will provide security policy templates you can modify to fit your organization, so you don't have to write all your policies from scratch
  • In general, they can answer any questions you have throughout the process and set you up for success

You may also DIY the process to save the money, but unless you are already an expert on SOC2, we generally recommend engaging a third-party service for support. Given how many requirements there are, expect to be drowning in spreadsheets, documents, and tons of Googling for answers if you attempt to do it yourself. LogicLoop engaged with SecureFrame for our SOC2 process and it was worth every penny. Other vendors that provide similar services include Vanta and Drata.

Finally, expect to pay another $5k-$15k for the actual auditors to run the audit. Services like SecureFrame and Vanta can introduce you to auditors who are familiar with working with them, which can further speed up the process. Companies typically get a SOC2 Type I Certification first, which attests that the organization met the audit requirements at a certain point in time, and a SOC2 Type II Certification 4-9 months thereafter to certify that the organization has remained compliant over a period of multiple months. At the end of all this, you get a shiny digital badge and a PDF report worth $30,000+. Happy auditing!

We hope this is helpful and if you’re looking to set up alerts and automations to scale your company’s operations, check out LogicLoop!
