PG - GEN-Z Critique on SOC 2

BSides Las Vegas · 23:34 · 33 views · Published 2024-09

About this talk
Proving Ground, Wed, Aug 7, 13:00 - Wed, Aug 7, 13:25 CDT. The SOC 2 Type II from the American Institute of Certified Public Accountants is the de facto standard of security audits in Silicon Valley. However, its roots lie in a different time and context. In this talk, I'll reinterpret SOC 2's objectives through the lens of Gen-Z as well as give 5 EFFICIENT and ESSENTIAL steps for obtaining SOC 2 certification at a startup level. I'll highlight its strengths, pinpoint potential pitfalls, and keep you all in the loop with my Gen-Z perspective.
People: Charissa Kim

Transcript [en]

Hi everyone, I'm Charissa, and this is a Gen-Z critique on SOC 2. So to start off with, I interviewed 50 software engineers and tech executives to get the lowdown on governance, risk and compliance (GRC), specifically on SOC 2, the compliance framework that everyone loves to hate but can't ignore. And so here's how the interview went down. I asked three questions, the first being: what is SOC 2 in your own words? And are there any brave souls that would like to share their take on what SOC 2 is?

[Audience member] Yes, it's an IT report, an attestation, that is presenting the company's IT infrastructure around security.

Somewhat right, but you are the only person who answered this question amongst the 20 or 30 people here.

[Audience member] Yes, it's a way to prove that you're a large enough company that you can afford to give money to cire.

I think it's so funny that you mentioned that. But anyways, this is some response I got. But before I go any further, I'm going to spill the tea on the survey, and spilling the tea is just like giving you gossip, and Gen-Z slaying. Here are some people who answered. Someone said, "a nightmare of compliance that feels more like sorcery than anything else." "NGL, I have no idea, other than it's something that smaller companies often can't afford." "A big pain in the butt, or maybe a distraction from making [redacted] secure." And, "I honestly have no idea, although I came across it while setting up some DB-related monitors." So there's an overall theme: I think most people think it's, like, busy work, and they don't have a clue what SOC 2 really is.

And now I have another question for you guys: how many of you guys actually read your company's policies? With a show of hands. Okay, so for the people who didn't raise your hands, like, you guys can lowkey get fired, but it's okay, I'm not a big mouth. But I'm going to give you guys more tea regarding this. Oh no, okay, so there was a chart, but 33.3% of the people I surveyed just sign off without a second glance, another 33.3% just skim through it, another 10% don't even read it at all, and then 10% actually read through the policies, which is a really low number, and the other 13.3% I think were just, like, vibing with the survey, honestly. So what is the key takeaway here? Software engineers are allergic to SOC 2, and most people are not oblivious to SOC 2 unless they're higher up in their career ladders, like CISOs. But since not a lot of people know what SOC 2 is, is this a good or a bad thing? And this is what we'll dive into in this talk.

So hi everyone, today I'll be dropping a Gen-Z critique on SOC 2. And who is Gen-Z? Um, me, and probably your most recent batch of hires at the company you're at. And before I go any further, I just want to quickly introduce myself. I'm Charissa. I actually became interested in cyber security in high school, when I competed in different CTFs and security competitions. I then went on to Berkeley and started immediately at srep as a security TPM, and during my time there I actually got a lot of hands-on experience with SOC 2 and GDPR compliance. And then, just like a fun fact, I'm a content creator for fun. Okay, so this is our agenda: we'll dive into what SOC 2 is, what the implementation entails (I'll break down the entire process for all of you guys), and then we'll hit some of the benefits and my critiques on SOC 2, and the closing statement.

So also, quick disclaimer: are there any auditors here? I don't want to offend anyone, I just want to keep it very fun and informative. I'll be using Gen-Z slang throughout, with translations on the bottom. So yeah, let's get started, so I can create an attack.

So SOC 2 is sah boring. I don't know if you guys know, but "sah" is the new "so" for Gen-Z, but you need to have it with the Australian accent. So it might seem boring at first glance, but it's essentially a framework for auditing and reporting on controls related to the five trust service criteria, which are security, availability, processing integrity, confidentiality and privacy. These criteria form a framework for organizations to demonstrate their commitment to maintaining a secure environment, and the AICPA crafted SOC 2 in the early 2000s as a response to the need for standardized data protection.

[Audience member] Thank you. So, I love this talk, and I love how you talked about AWS, GCP...

Oh sorry, sorry, I thought someone was asking a question, my bad. Anyways, these criteria form the backbone of SOC 2, and so it's the gold standard for compliance, trying to certify their security efforts in America.

[Audience member] ...and if you're doing Cloudflare, I consider that a cloud environment, and that's something I actively worry about, access. One, I would ask what are the tools that you would point me to to start doing this kind of analysis in those kinds of environments, and two, how would you kind of, hypothetically, even if there isn't a tool...

Oh okay, sorry, sorry about that, no worries, that was a stress test. But anyways, if you're doing B2B sales or selling to large enterprises in America, your customers are going to be asking you about your SOC 2 certifications.

So now let's talk about controls. So controls are basically your company's defense playbook. They're like policies, procedures and practices set up to mitigate risks and protect your company's interests, so you can think of them as the backbone of any robust security and compliance program. They'll set the guidelines of what's okay and what's not okay. So some examples, like policies like access management, vendor management, risk mitigation work: they all form together to protect everything from digital data to your personal physical space, and there will be regular reviews to ensure that these rules stay current and effective. Other examples of SOC 2 controls can also include, like, two-factor authentication to protect sensitive data, encryption protocols for data at rest and in transit, and detailed incident response plans.

So now, there are different types of SOC 2 reports. There's a SOC 2 Type 1 and a SOC 2 Type 2, and the major difference is just the monitoring period. Type 1 is like a snapshot, while Type 2 is when you're being monitored over a period of time. And I have a cheat hack that I really am very excited to share with you guys, but I'll share that later towards the end. But at the end of the day, SOC 2 Type 2 is more well regarded, it's more comprehensive, and it shows the reliability of your systems and controls. So I will be mostly referring to SOC 2 Type 2 from here on out. Also, many opt for Type 1 due to a faster turnaround, but Type 1 only confirms the right controls and written policies without testing if the controls actually work, because they don't really ask for evidence. And another thing to know is that you actually don't need to get a Type 1 before you get a Type 2; you can also just get a Type 2 audit right away.

So sorry, I'm going to just quickly connect. I don't know why my hotspot is not working, and I really need to show you guys this picture. Sorry, great technology

problems.

[Audience member] The technology, I know. I mean, I've long been of the opinion computers were a horrible idea.

Okay, if I can't connect to my hotspot, just imagine that there's a picture for me. Yeah, I'm still connecting to this Wi-Fi really quickly. Sorry, I have been, but it hasn't been connecting. Okay, I think I'm barely... I have 14 minutes left. Okay, I think I should... yeah, I don't know why my hotspot... I think there should be, like, a present button soon, but it's just not loading. I just don't know why it's not presenting. It's okay, it's okay. I don't know why my hotspot's not popping up. Okay, it's okay, I'll just... sorry. Oh shoot, do you think I could, by any chance... is this you? Sorry guys, just one minute. Okay, and then where's the present... okay, perfect, thank you, thank you, thank you. Okay,

just gonna stay right here. Thank you. Okay, so this is what the SOC 2 timeline should look like. Within the first 1 to 3 months is, like, a pre-audit preparation. So this is where you prepare a list of controls and ensure that you're doing everything that you claim to be doing. This is where the most work actually occurs, so you definitely should not underestimate it. So if you say that you list, like, 100 controls, you have to make sure that you're applying them consistently across your company and you maintain confidence in the implementation. The next 3 to 12 months is the compliance observation period. This period can have a lot of elapsed time, so you want to make sure that you have the right evidence.

And this is, like, the cheat hack that I really want to show you guys: you can do SOC 2 pretty fast, and it's not cheating. So many people expect that a 12-month SOC 2 observation period is important, and that is the case, but actually at Samra, when we first started with our SOC 2 compliance journey, we actually had a 3-month observation period first. So we saved a lot of time when the auditors came in, and this approach makes customers happy because you can deliver results in 4 months instead of 14, which means you're getting more customers, right? But the thing is, you don't want to apply that method too often, or else you're paying for a SOC 2 audit every single time, and that racks up a lot of money. And so what you can essentially do is start with a shorter observation period, like 3 months or however long you want, which will tighten the feedback loop, and if any issues arise during those 3 months and controls aren't working appropriately, you can catch them sooner. And then after that first round of SOC 2, you can maybe lengthen the feedback loop to, like, 12 months as your observation period. So that's the little cheat hack.

And then the first 1 to 3 weeks is the official audit, and this is just, like, a lot of back and forth with your auditor and just making sure that you deliver the right evidence. And then the 2 to 6 weeks is just, like, the waiting game. Your auditor will be creating a report and compiling all the information that you provided them, and during this time you can just tell customers, like, "oh, the report is coming soon." So

yeah, so there is quite a process with SOC 2. You need to prepare and make sure that you are aware of the trust service criteria, and you define your audit scope. You also have to make sure that you spot the weak points in your controls and tighten them up, and create detailed records of your policies, procedures and controls. And, like, you want to make sure that you also establish clear goals within, like, your company's security compliance objectives, to make sure that you can identify key points throughout your organization. So the SOC 2 timeline varies depending on the complexity of the organization and your existing security programs as well, too, and larger organizations, or those with a complex infrastructure, will require more time, with more compliance and more of a longer observation period. But it's also really essential to engage stakeholders from different departments to ensure a comprehensive understanding of security practices, so overall you can have a smoother audit process.

There's a lot of organizations and departments in your companies that are all affiliated with getting your SOC 2 compliance. Like, for example, the engineering/info team: you would have to work with controls regarding, like, access control, change management, code review. SRE: it's, like, incident response, monitoring and logging, and creating, like, a disaster tabletop and business continuity plans. HR: you need to make sure you get background checks, security awareness trainings, and making sure you have, like, the proper termination procedures. Sales: data protection. Security: vulnerability management. Even marketing, like, no one ever really talks about marketing, but they're getting a lot of personal information. So you want to make sure that you're communicating throughout with the different departments in your organization.

So now I'm, like, very excited to show you guys this word, maybe you guys know it: rizz. It's the new word for charisma, and you can definitely rizz up your customers with your SOC 2 report, honestly. But essentially it's just, it's like slang for style, charming someone, and so forth. But I sort of wanted to talk about, like, the benefits of SOC 2, and even if

your customers aren't already asking for SOC 2, passing a SOC 2 audit objectively proves that you're taking steps to prevent a data breach. It can also be a game changer in customer relationships, especially in a world where data breaches often make headlines. Having SOC 2 certification assures customers that their data is safe in your hands because you're taking protective measures. Also, this trust can translate into more increased business opportunities, because it's, like, good credibility, right, as clients are more likely to partner up with companies that prioritize security. Another benefit to keep in mind is that companies will also regularly reject potential vendors for a lack of SOC 2 certification. Even though it's not mandated, a lot of companies actually look for SOC 2 certifications. It's not like Europe and GDPR, but a lot of companies will look at it. Another thing to keep in mind is that SOC 2 also enforces security basics, and it keeps, it makes sure [applause] [inaudible] compliance, and also improving your overall security posture. And I think this overall approach will also make sure that you're staying ahead of any evolving threats in the future and building customer trust.

So now for some critiques. When did CPAs become Certified Lover Boy cyber security experts? So Certified Lover Boy is from Drake, if y'all are maybe not aware; Drake is the rapper who was just, like, in the headlines recently. But CPAs didn't really major in computer science or security, so auditor quality is really important, and some are strict while others may not be. Another thing is that auditors can be susceptible to cyber dazzle, and cyber dazzle is, like, a term that I learned from my manager, but it's like when someone who isn't as technical might see something technical in front of them, like regarding, like, evidence that you provide them, and it could maybe hypothetically lead the auditor to not conduct an audit properly. That's just, like, a hypothetical situation for you, all auditors here, like, I know you guys are probably doing things great. But the quality of the audit very much depends significantly on the auditor's expertise, and just making sure that you select an auditor with a strong background in cyber security can enhance the audit process throughout, and it just makes sure that you have a thorough and accurate assessment of your controls, which is important for your company.

Another thing is that SOC 2 is bougie, or it could be expensive. So the cost of preparation, implementation and auditing can be significant, especially for small businesses or startups, and the audit itself can range anywhere from $10,000 to $50,000, and that's literally just the audit itself; we're not even counting the investment in pen testing and other security measures necessary to meet compliance. So while that cost might seem slightly steep, especially for startups or smaller companies, SOC 2 compliance can definitely provide a substantial return on investment, especially if you're demonstrating a commitment to security. You can gain access to larger markets and customers who require stringent data protection standards.

Another thing to keep in mind is that SOC 2 is, like, a broad umbrella. It covers general security principles, but it doesn't really dive deep into, like, ABC, right? So just because you're SOC 2 compliant doesn't mean you're bulletproof. Companies can still get hacked even though they're SOC 2 compliant, so it's also crucial to recognize there are some limitations to SOC 2, and there are proactive steps to address them. This could also just include conducting regular code reviews, implementing secure code practices, or using tools like static and dynamic application tools.

So overall, TL;DR: SOC 2 compliance isn't a one-and-done deal. It's always about continuous improvement. SOC 2 compliance is an ongoing process that requires organizations to regularly update their security controls and practices, and this iterative approach will help companies adapt to new threats and technological advancements, ensuring that they remain secure over time. SOC 2 isn't really, like, just about checking a box; it's about building trust and also ensuring your customers' data is safe. And the journey to compliance might seem challenging, but the benefits far outweigh the costs, and by prioritizing your security and compliance, your organization or company can build a strong foundation for future growth forever. So yeah.

Also, just, like, a quick shout-out to the coolest manager, Jonathan (he's not here), for exposing me to SOC 2 and GDPR, and then Tom, my BSides mentor, Leaf, Tanya, Andy, Margaret and Misha. I think none of this would have been possible without this talk, and so thank you so much for listening, and feel free to connect with me on LinkedIn. [Applause]