Building Risk Culture Over and Above “(Do) I Need SOC 2 and I Need it Now!”
As a business leader, you know that risk management is an essential part of any successful organization. Effective risk management will, of course, primarily serve as a barrier to nefarious actors trying to infiltrate your organization from outside or within. It also has the residual benefits of accelerating your sales pipeline, protecting your brand and reputation, and enabling process improvement as you identify and resolve issues facing the organization, its products and practices.
Building Risk Culture
We refer to this as building risk culture across the organization. Despite the tenor of this, strong risk culture is a positive, not a negative. It does, however, require an ongoing commitment to engagement, training, and evaluation of people, process, and technology.
Effective risk management enables people, process, and technology as you track and monitor Assets in scope for security, associated Risks, associated Controls, and Issue mitigation (ARCI).
C1Risk is the only integrated platform that enables ARCI.
To SOC 2 or Not to SOC 2?
Demonstrating the effectiveness of your information security risk management program is the cause of much discussion. Traditionally, we submit to external audits that certify or attest to our risk posture and security. That may be SOC, ISO, NIST, CAIQ... While each of these is indeed valuable, leading with them may cause challenges of their own. As we now know, SOC 2 will fulfill all the requirements of the new NYDFS, due to be published later this year. The reality is that if we lead with “certification”, we risk (pardon the pun) overlooking our primary purpose: protecting the organization over the long term.
Protecting the organization requires ARCI.
Nevertheless, as the need to demonstrate effective security controls to close sales has grown, and as attacks on business become more prevalent and sophisticated, the demand for certification has accelerated and has succumbed to the “I need it, and I need it now!” mindset.
This has led to some marketing from compliance solution providers that, while not entirely misleading, is, let’s just say, exuberant.
“Get SOC 2 compliant in weeks!”
We have all seen it out there. What does it really mean and how effective is it for the company?
The AICPA SOC 2 Audit provides a framework for organizations to assess and report on their security and privacy controls. The certification is designed to ensure that an organization has appropriate controls in place to protect customer data and other sensitive information. It is based on five criteria: Security (aka the Common Controls), Availability, Confidentiality, Processing Integrity, and Privacy. At a minimum, companies must implement the Common Controls to qualify for SOC 2.
Buyer Be-aware - The Actual Requirements for SOC 2
SOC 2 includes both a Type 1 and a Type 2 report, both of which require an external audit and, therefore, a cost to the company.
Here is the first buyer be-aware. It is possible to obtain a SOC 2 Type 1 report in approximately 90 days. However, Type 2 takes a minimum of 6 months and, generally, requires 12 months of testing and documentation to achieve. Further, a Type 1 report is not required to achieve Type 2. And because Type 1 does not require control testing, while it is a good stepping stone and will help you build your control sets, it is not going to be sufficient to pass security review with any organization. It is, at best, a placeholder.
Buyer be-aware again. Both Type 1 and Type 2 carry an auditing cost, typically ranging from $10,000 to $50,000+ per report. As such, your auditor choice should fit the needs of the organization. You may or may not need a Big 4 firm to deliver your audit.
And the final buyer be-aware: achieving SOC 2 Type 1 and 2 or ISO 27001 Certification, and/or maintaining compliance with most other regulations or standards, is just part 1 of many.
ARCI - Risk Culture
Maintaining your compliance with these external requirements is a year-round, year-over-year commitment. Compliance-focused solutions that promise near-immediate results will likely prove inefficient and costly buys over the long term, because they do not support integrated risk management. If you need SOC 2 in weeks, know that you’re actually committing to implementing year-round risk management, which takes time and tools to build.
This is why we always say, “there is no compliance without risk management”. Compliance-focused solutions will likely not provide a good solution for risk management over the long term.
Which brings us back to building a culture of risk management in your organization.