
Rock 'em, SOC 'em — building a SOC 2 program that empowers the business

BSides Seattle · 24:49 · Published 2025-06
Style: Talk
About this talk
Checkbox compliance approaches create friction. Risk-based SOC 2 programs that focus on enabling business objectives help drive sales, build a strong security culture and lift staff by helping them do the right thing while being efficient. In this talk we'll explore how to start and/or modify your SOC program to drive efficiency and value.

Rachel Curran: Founder, compliance and cybersecurity enabler, CISM. Rachel is the co-founder and CEO of Locktivity, and the former director of risk and compliance, and head of security, for Logikcull. She has over a decade of experience leading security and GRC projects and programs. As an internal leader in security and compliance, and as an external consultant, Rachel has built SOC 2 and security programs from infancy to maturity for numerous companies. She is a problem-solver extraordinaire who hates inefficiency and values helping people achieve their goals.
Transcript [en]

Welcome to our Rock 'em, SOC 'em. This is all about building a SOC program that actually does something for your business. There is a little thing that we often get called. Actually, before we get into that, just a little intro. I am Rachel Curran. I am the CEO and co-founder of Locktivity. That is a third-party risk management platform. I have been in the world of operations and GRC and security in tech for the last 15 years. I've done lots and lots of SOC audits. This is a little... I'm a little too close with SOC, maybe. And so I'm just going to jump in, but just say this is something I kind of live and breathe.

Oops, go the other way. All right. So this is not a session that's going to be about what is a SOC 2. I'm going to touch on this just really briefly. How many people know SOC 2? Is this new? Okay, a few people know it. Just a couple of things that you should probably know before you get started. There are five different criteria: security, confidentiality, availability, processing integrity, and privacy. When you look at a SOC 2, everybody who ever had one has to meet the security criteria. The vast majority are going to add confidentiality and availability, and most people are going to skip the others. I think Microsoft might have all. Is that true? I don't know.

Okay. Anyway, the requirement really: this is a controls audit, and I think some people get confused. It's not a security audit. I want to be really clear about that. It's about having controls that provide reasonable assurance that you have a good security program. So that's a very different thing, and this really is about building a functional process in your organization, and it's about building customer trust. So there are two types. Type one is not technically an attestation. You do have an auditor looking at what you're doing, but it's like, as of literally right now, today, these controls are in place and I swear it and I can show you that we did it at least once, versus a type two, which is a period in time. Typically it's a year, but it's really up to you. That type two, okay? You might want to watch that one. That type two is what you want to look for, both if you're trying to prove trust to your customers (they care about what you're doing over time, showing that maturity), and it's also something that you want to look for from your vendors, but we're not here to talk about them. We're here to talk about you. So one question: what's the strongest, SOC 1, SOC 2, or SOC 3? Who thinks it's SOC 3? Yay. Okay. I actually heard of an auditor who told their client that they can get them a SOC 3, that it can be better than SOC 2. If your auditor says that, fire them. Yeah. So good, we don't have to talk about this. So that is what I refer to as the SOC in the box: the auditor who's going to tell you a SOC 3 is better. There is a problem out there with SOC 2. It's losing a little bit of its trust factor, and the whole point is trust. So I'm not going to dive into too much of that, except to say that if you have an auditor who's handing you a set of controls and says, "Do this," even if you have anyone who walks in and just says, "This is a set of controls for SOC 2," throw it out. Go look at others; you probably have access to some SOC 2s. Look at what's standard. Use that as a guide. But the great thing about SOC 2 is that it's really flexible, and we're going to talk about how you can capitalize on it.

What we want to do with a SOC 2 is build a scalable program. It should be a foundation for driving security and getting budget and getting trust. It should not be its own little thing off in a corner. It is about building that customer trust, and doing it well will help you avoid toil. It'll help you avoid questionnaires from your customers, and it will help you gain staff and executive support, and that's huge. So we want to get that.

So what mistakes do we want to avoid right off? Common mistakes are going to be not understanding what we're trying to achieve. That's the first and foremost. What is it that you want to do with your SOC 2 program? Are we getting this because one customer said to? Maybe even push back: do we have to do that? Have a talk with that customer. Can you prove out the security without doing a SOC 2? It's a commitment. You're going to be doing this for a long time. It's going to cost you money. So you want to make sure that you actually understand what the goal is. And there are certain companies where this is your competitive differentiator. You should go big, right? So it's as small or as big as this is for you. I already mentioned starting with a set of controls. Don't do that. Square peg, round hole, right? Flexibility. Getting too specific we'll get into later. But also don't try to do this all yourself. There's another habit that happens with security and compliance of, like, I'm over here and I'm going to take care of this, and the organization's happening out there. You can't have compliance, you can't have governance, you can't have security, any of that, without engaging the organization. I move my hands a lot, you guys might notice. A last one I want to call out, and this is where I think things have gone really wrong, is focusing on collecting the evidence before you start talking about automating your controls. If you want something to happen consistently in your organization, you should be building those guardrails, right? So we hear about this like paved road in security. That's what GRC also should be, and what SOC should be, is that I'm building something that is looking at what this organization needs to do and making it easy.

So that's a lot of, you know, how do we actually get there? I'm going to jump across this, but don't be this one in the middle who thinks you've done great things and you're actually not. So starting with that why, as I mentioned, this should be enabling paths to revenue. So is this actually getting us something? As an organization, it should be earning trust, and it should be a foundation for scaling security. And this is where you need to understand, am I actually just checking a box? Because that might be a lot less work you want to put into this versus this is the differentiator. If you have that knowledge, you'll make smarter decisions. It's different for every organization. I can't tell you what's right for you when optimizing your SOC.

There are two things that I think are really cool about SOC that don't exist with any of the other standards that are out there. One is the flexible control design. It's really high-level criteria. I didn't put them in here, so don't quote me on this, but a criterion in SOC is something like "secure the boundaries of the system." What does that mean? Whereas some of these other standards are going to say, you know, have MFA, have a firewall, whatever it is. Here you get to decide what fits. So right-sizing is a really powerful side of this. The other one is section five, that a lot of people overlook. I won't go through the sections, but section five is not audited; what you can do in it is map your controls to other standards, which is a really cool way that you can communicate, as a translation layer, to your customers. Here's how I meet HIPAA. Doesn't mean your auditor said you met HIPAA. Let's be very clear. But what it does say is that these sets of controls have been audited. If you agree with me that this maps to HIPAA, then now you understand how I meet HIPAA. That can get you out of a lot of questionnaires and out of doing additional audits, which is very, very efficient for financial reasons and for time reasons. So that is something that I love about SOC.

So when you get started trying to build something really powerful for your own organization, we want to start off with understanding that criteria. What do you need? Right? So this goes back to: if I'm just checking a box, maybe just security, and a lot of younger organizations start there. If you're a payment processor who has to do SOC 2, you might want processing integrity. If you are handling really sensitive data, you may or may not want privacy. There are lots of different standards for privacy. Frankly, not a lot of people do SOC 2 for privacy. But another one is the BIA, but really what I'm getting at is: understand what matters to your organization. So what data do we have? What do I need to keep my business up and running? Right? So it's understanding these things. Believe it or not, a lot of people start off doing a SOC 2 with that list and they don't know that. If you don't know what you're protecting, you're not scoping this, and you want to scope this so it's right-sized for your organization. I'm going to take a little pause. Does anyone have questions about how, what kind of questions, how would I discover what matters in my organization? Or do we all know? Does everyone know what data your company processes? None of you do. That's not good. Okay. All right.

And then risk assessment is really high level. I'm not looking for quantification of risk across the organization at this point. All I want to know is: these are the things that matter. What could go wrong? Because that's why we should have controls that actually solve for what goes wrong. So when you go to build now, you have that information. We know our scope. We know what we're doing. We're going to be building our controls, and so they're right-sized to address the risk, right? So again, we're aligning with the company's business needs. Capitalize on existing processes. I think this is such a big one that people forget. When I said you can't be over here in a corner, we want to go out and say, "Hey, we have to look and see, do we trust our employees? How do I figure that out?" Go ask HR how they do it. They probably interview people. Do they document it? Maybe, maybe not. If they don't, then we need to make sure they document it. That's what you want to do; there are so many reasons for this. The reason I have it in bold is that, one, if people are already doing it, the habit is there. This is something that has to be repeated every single day in your organization. So if you're using something that already exists, it's way more likely to keep happening. That's one reason. Two, you're engaging that stakeholder. So now they care. They're telling you the control, right? And not you coming in and saying, "Hey, I need you to do X." That's going to be really big. And then you can also just help them with automating. So if you come in and say, "Okay, now we have to do this all the time, let me get you budget for that HR system." I don't know why I'm picking on HR, like one bit of it, but that's going to be really big. That goes to "automate controls where possible," right?

So every time a developer has to push a change, you need them to have a peer review. If you tell them, hey, I don't know, using Jira, I need you to make sure that somebody signs off on your ticket, and then I'm going to manually check that, and then I'm going to be audited, I'm going to look at all of these tickets. That sucks. If you can go in and say in your branch protections that every time you try to merge, somebody has to review this, it automatically happens. We know it's configured. For the auditor, I just show them the configuration. Boom. Easy. Again, that kind of goes to: if you focus on automating the control versus the evidence, the evidence is going to come. How easy is it to show an auditor a configuration? It's really hard to go through a giant list of tickets for the last year.

Next one: document and communicate. So that goes right to those other two, but everybody in the organization who's involved in any way in the SOC should know what they're involved in. I know in the keynote, if you guys were there, talking about security awareness training and where it fails: where it wins is when you go to the groups and you talk about their process and how what they do impacts security, and what they can do, what they own, and the influence they can have. So that goes to: developers shouldn't be talking about how we interview employees. HR shouldn't be talking about how we have a control here around releasing changes. Those don't matter. Go to them and talk about what matters to them. The last one is that part: map to other regulations and standards. Really think about those controls you're adopting. Are they going to help you meet those other things that you might need to meet?

This gets a little into the weeds, but I had to throw it in because I see this mistake. I just looked at a SOC 2. They're struggling really, really, really hard to manage their SOC 2. They don't have somebody in GRC. They have security and they have legal who are involved. I looked at their set of controls, and literally their controls say things like "there are controls to protect the boundaries of the system." I don't know what auditor let this go or did this, but how the hell do you execute on that? Sorry, but truly, what do you know? We want to be detailed, but detailed enough that you're not getting yourself into a corner. So I use this example where I would say that, you know, IT management does monthly user reviews. Well, do you really need to do them monthly? You've just created an obligation. You have management. Do you need management? Because the auditor is going to look and say, did management sign off on this review? Step that back and say that IT does user access reviews on whatever cadence makes sense for your business. If you're really small, you're not hiring a lot, you don't have a lot of change of personnel, you're 20 people and just trying to get through this, annual reviews might actually cut it. You're Microsoft and you try to do annual reviews of user access? Just don't.

So, yeah, I think that's just a really important point: really think about right-sizing those controls and understanding that every piece of the control is audited. It should be very clear what's happening, when it's happening, and who's doing it. If you can't tell that from the control, you're going to be spending time circling, spending time with auditors. It's not valuable. So, power of automation. This group doesn't need this. Anyone think automation won't win? All right. So the key takeaways here, and again, I say this is not a guide to how to do SOC. The key factor here that we're talking about is how do I actually do something that's valuable for my business. So I want to come back to: start with the why. We want to scope our SOC 2 to actually fit our business. What are our goals? And ask, really ask, those questions. Don't be shy. Keep it really simple. When I say simple, I don't mean avoid actually doing things that matter. What I mean is avoid creating obligations on yourself that you don't need. So an auditor will look at you and say, you know, how often, or in what time period, does somebody need to complete security awareness training? Don't say that we issue it and they'll have it done the next day, because that will never happen. The auditor is not going to expect that.

But what I see when people are talking to auditors is they want to be really good, and so they come in with these like, "Yeah, we do this really fast." Don't do that. So, yeah, they get a quarter to do that. Let your auditor challenge you, but really give yourself some space. The next one is engage your stakeholders. So again, we've talked about this, but the key takeaway is absolutely work with stakeholders. I can't say how important that is, because having them actually own their own processes is just really, really big. That's true in all things security, right? Like, you're not going to be able to tell people just from the side what to do. Capitalize on those existing processes. They exist. It's amazing. So I went into a company that was super nervous about going through a SOC 2, who were telling me how they just have nothing, at the time I was consulting, and I sat down and I had this talk with them, and I was expecting to hear, like, all of their gaps. And as I talked through, they literally were SOC ready. There was a little bit of evidence, there was some writing some stuff up, but because they cared. The reason they didn't think that they were ready is they knew their gaps. They weren't perfect in security. Nobody is. If someone tells me that, they're lying. But what we do know is that a lot of things actually are happening in organizations because people are trying to do their jobs well. And this stuff's pretty basic. Again, SOC 2 doesn't make you secure. But if you're not encrypting data, we already have a problem. You probably are. If you're not doing change control, maybe it's not perfect and there's some cleanup, but you're probably doing something around changes. You're definitely doing something around hiring. All of that is part of SOC 2.

Document everything. That is a really important piece. And actually, I'm going to throw in that I didn't talk about this here, but if you're writing policies as you're getting ready for SOC 2, and this is for anything you're doing, if you're building your initial security policies, go really high level. People tend to want to turn them into processes. You read it and it's like, we do this and then we do that and then we do that. No: we encrypt data. That's your policy, right? You want to go very high, because you don't want to rewrite those all the time. When you're audited against them, you don't want to have to go back through them. When your customers ask you for your policies, you want to be able to hand them to them. Keep it simple. Processes underneath that, to support that policy, are what you want to do. And then automate where possible. So we already talked about that. I guess we didn't. I skipped by to say you all know that automation helps.

All right. So, a couple of quick things, kind of agenda, and I don't know what time we're at, but we have time. We'll go through these. Awesome. Okay. What did I tell you? Twice as fast in public. All right. So the process that you'll go through, just if you're not familiar with it, is initial walkthroughs. We'll do discovery and readiness. Your auditor is going to come in, talk to you. They will tell you if you're going to just fail your SOC 2, and yes, you can fail your SOC 2. Actually, I didn't talk about that. Just because you get a SOC 2 report, it is not a certification. I cannot tell you how many times over: it's not. It is like a report card. It's telling you yes, these controls were in place, they effectively meet the criteria, and they're effectively happening in house. You can get a report that says no, they are not effectively happening. You still get your SOC 2 report. So when somebody says, "Oh, they have SOC 2," if nobody's opened up that report, cool. That's like saying your student got a report card. Does that mean they passed the class? Who the heck knows? So that is a really important part, and there are unfortunately auditors out there who won't tell you they carved out half the criteria, and there's a reason that your customer keeps sending you questionnaires. So make sure you understand if you actually passed the audit.

And then they will walk away. Most good auditors will sit down with you, and if you're really not ready, they're going to tell you. They don't want to give you a report that says you're not doing well. You know, it doesn't mean some exceptions. So that's not the "we had two changes that got out that weren't reviewed." This is like, I don't have change management. That's when they're going to tell you we shouldn't do this. Control reviews, interviews, documentation review, and then they're going to select certain samples. That's the kind of audit experience. I do want to talk about this in choosing an auditor. This goes to that you want to have that trust. So look for an auditor who's actually going to hold you accountable. They should not be designing the control environment that they're testing themselves, but they can give you feedback that, hey, other companies do this. These are standard things that we see. My favorite thing out of an auditor is: as I'm talking to you, I notice you do this thing, and this thing is something that would make your SOC stronger. If you're already doing it, why don't we add it? Right? Because this is a communication to your customer that they should trust you. So if you're always consistently going to do something, maybe you have an application firewall that you didn't throw in here. Cool. It's going to be there tomorrow. Why not call that out and tell your customer you're doing something more? So that's something I really love about a good auditor. Like I said, the one who walks in and says, "Here's the list. Call me when it's done and I'll sign a report." Your customer is going to realize that, and you are going to be answering questionnaires and questionnaires and questionnaires and questionnaires. Do better things with your time.

And last thing. I'll hand this out, or you guys can get a hold of these, but a few resources that I have available. A few of us are in a GRC Meetup group. So if you're looking for a group of people who can help you or give guidance, there is a GRC engineering LinkedIn group that I think is really interesting, that is not mine but is very cool. The AICPA publishes the trust criteria. Yes, they are an auditing CPA group. And then I also have a blog on just how to read a SOC 2 report, like I said: did they fail? We can show you how to read that. So, any questions?

Oh, yeah. I guess I have one. As far as the building, most of my experience is with ISO 27000. And with that program, usually they're asking you to constantly improve. It gets harder over time. Is SOC 2 the same way?

Yes and no. There's not a hard-line standard of what you have to do as far as what that continuous improvement is. But yeah, your auditor should be asking you about that, and yes, continuous improvement will be that you're just maturing as you grow. So it could be that you're just doing something more often. It could be that something's now automated, or it could be actual new controls. But yeah, definitely continuous improvement is something, I think, for all of security. So good auditors will ask you about that for sure.

So I had some questions regarding the... you made a comment earlier that SOC 2 is maybe being undermined a little bit in terms of trust in the report, and I've participated in completing a couple of different SOC 2s, including one that had no result of any findings and absolutely should have. I was just kind of curious to hear your commentary on that, and like, is this the auditing industry to blame for this? You know, you can manipulate the scope so much.

Yeah. So, a can of worms and a really touchy subject. I will call out that I think there are some tools out there that have come out who are trying to help you automate your SOC, but what they're doing is helping you automate the evidence collection, and they're introducing auditors who are not doing the job. I will not say names, but that is a big problem. And then that has led to a lot of these audit firms that are looking to just... it's cheaper and cheaper and cheaper. And so I go with: if it's too good to be true, it is too good to be true. So when it costs $5,000 for someone to audit everything you did for the last year, would you do that? So I think you really have to look at that. But yeah, that's what's coming up, is that they're just flat out not following it. And I'll call out the AICPA. I will say they need to step up. They're not holding people accountable. I talked to someone at the AICPA about that last week, by the way.

So my question is in regards to maybe putting AI into this process. Would it be possible to use something like a dedicated AI layer that is able to monitor the network, and actually, I could envision a fluid network where the AI would actually sort of re-engineer how a hacker would see the network and then change it, like kind of reorienting a maze in real time, to prevent them from actually penetrating anything? Like a hologram security layer or something like that. They could do it fast.

I'm gonna say that yes, AI has a place. I know we're out of time here, but I think most companies aren't ready for that. And SOC 2 is kind of broader, about organizational controls around security overall. So it's not just that network. That's one piece of it. But so yes, there's a place. Is it just going to be AI? Heck no, is what I'm saying. Not now anyway. Over time, right? But at this stage, no. There are too many things in the organization that are impacted. Certainly, what you just described sounds to me like you're thinking more about the actual security of that environment versus the monitoring and the controls around the environment. And that's more what SOC 2 is about. But yes, AI is being used for some of this, but it's some of it, and over time. Yeah. Thank you all.
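The branch-protection point from the talk (automate the control and show the auditor the configuration, rather than collecting evidence by reading through a year of tickets), as an added example that is not part of the transcript or of Locktivity's or the speaker's own material. The branch-protection dictionaries and the list of merged pull requests are constructed sample data; their field names are loosely modelled on what a Git hosting service exposes for a protected branch but are assumptions for this example, not any vendor's API.

```python
"""Added example: checking a 'peer review before merge' control the two ways
the talk contrasts, by configuration versus by after-the-fact evidence."""

# Constructed branch-protection settings. The shape is loosely modelled on
# what a Git hosting service returns for a protected branch; the field names
# are assumptions for this example, not a specific vendor's API.
PROTECTION_ENFORCED = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

PROTECTION_WEAK = {
    "required_pull_request_reviews": None,  # reviews not required at all
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}


def evaluate_branch_protection(protection: dict) -> list[str]:
    """Configuration path: return findings that would let an unreviewed
    change reach the branch. An empty list means the control is enforced
    by the platform, and the configuration itself is the audit evidence."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("zero approving reviews required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals are not dismissed when new commits are pushed")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass the review requirement")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed, so history can be rewritten around review")
    return findings


# Constructed sample of merged pull requests: the evidence an auditor would
# otherwise have to sample one by one when the control is only a habit.
MERGED_PRS = [
    {"number": 101, "author": "bob", "approvals": ["alice"]},
    {"number": 102, "author": "carol", "approvals": []},             # never reviewed
    {"number": 103, "author": "bob", "approvals": ["bob"]},          # self-approved only
    {"number": 104, "author": "dave", "approvals": ["alice", "dave"]},
]


def unreviewed_merges(prs: list[dict]) -> list[int]:
    """Evidence path: return the numbers of merged PRs that lack an approval
    from someone other than the author. This has to be re-run over every
    change in the audit period, which is the toil the talk warns about."""
    return [
        pr["number"]
        for pr in prs
        if not any(reviewer != pr["author"] for reviewer in pr["approvals"])
    ]


if __name__ == "__main__":
    for name, cfg in (("enforced", PROTECTION_ENFORCED), ("weak", PROTECTION_WEAK)):
        findings = evaluate_branch_protection(cfg)
        print(f"{name}: {'control enforced by configuration' if not findings else findings}")
    print("unreviewed merges in sample:", unreviewed_merges(MERGED_PRS))
```

The two functions make the trade-off concrete: `evaluate_branch_protection` is a single check over one configuration object and is what you hand the auditor, while `unreviewed_merges` has to walk every merged change in the period and still only catches what the reviewer remembers to look for (here, self-approval and missing approvals). In a real program the configuration would be pulled from the hosting platform's API on a schedule, so that drift from the enforced state is detected rather than discovered at audit time.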