Product Habits - Why everyone should use SOC 2 software

When I first realized that we were building a security company with our pivot to Nira, it hit me like a ton of bricks.

We had to have a strong security mindset instilled within our entire organization in order to sell our software to companies of all sizes.

At first, I kept this to myself and looked into what we’d have to do to create this mindset. I spoke with friends who were selling SaaS products to companies and also talked to a few buyers at companies.

I quickly learned that IT departments were starting to use SOC 2 certifications as a requirement for software vendors that they use.

With Nira, we weren’t only selling software to companies; we were selling directly to IT teams who were very security conscious. They were our core buyers, and we had to make sure that they trusted our internal security practices.

It was even more important for us to get SOC 2 compliant.

At the time, neither my co-founder Marie nor I had any experience with going through a SOC 2 audit. All we had heard was how painful it was to get certified.

In spite of all that, we wanted to get our SOC 2 certification completed as quickly as possible. 

I still remember Marie complaining after she tried doing research about how to get our SOC 2. She was just trying to find a simple list of things we’d have to do, and she couldn’t find anything helpful.

In talking to other founders, I had heard about software that we could use to help us get our SOC 2. Marie and I discussed it and decided to explore using compliance software. 

And I’m really glad that we did. 

But our decision wasn’t without road bumps. Marie is a bit of a skeptic and loves to attack problems by asking questions. Naturally, she had a lot of questions about spending so much money on software as a startup.
  • Do we really need this?
  • It’s expensive, are we sure we can’t just do this on our own?
  • Do the SOC 2 software vendors know what they are doing?
  • Are they SOC 2 Type 2 certified themselves?
  • What specific benefits do we get using software?
  • What’s the timeline of our SOC 2 with and without software?
  • What are the costs vs. benefits?
She grilled the salesperson until she was satisfied (he was probably dizzy) and we got our heads around the benefits of using the tool.

The sales call gave us conviction that we could follow a really clear process with the help of the software. The process was infinitely clearer for us than just mucking our way through it on our own without knowing anything.

We’d get set up in the software by entering or attaching information about our business and processes.

Then, the software would start running automated checks for us to make sure we were compliant: things like whether or not employees had 2FA turned on for certain applications, and whether our change control process was running in GitHub.

We’d even get help finding an auditor. Then we’d add more information to the tool for the auditor to review and complete tasks like having our team do their annual security training.

And then we’d be able to get our SOC 2 certification a few months later.

Having the clarity of exactly what steps we’d need to take was such a relief. And it made our decision to buy a tool that much easier.

In total, using software for our SOC 2 Type 2 certification took us 5 months to complete the first time around. It would have taken us closer to 12+ months if we had done things ourselves.

We did have one advantage, though. We had someone on the team in DevOps who had gone through an ISO audit in a prior role. He ended up devoting about 25% of his time to compliance. That person now runs the entire SOC 2 and ISO process (amongst other things) for the company and makes sure we’re compliant.

Here’s what he had to say when Marie asked him about using a compliance tool for our SOC 2 and ISO:

“There’s so much that you need to be storing mentally without the software. SOC 2 has so many moving parts, and so many balls that have to be up in the air at the same time. Software can help offload the work and free up mental space. You can let the tool do the worrying for you.”

These are the benefits of using a compliance tool versus doing it ourselves.

Time savings

Using a tool helps cut out 75% of the work required to get your annual SOC 2 certification. 

If our team decided to stop using a compliance tool, we’d have to hire someone who was completely devoted to our SOC 2 and ISO in order to get our certifications done each year.

Instead, all of our information and monitoring happens in one place.

Automation of tasks

Instead of doing things manually, with endless checklists, spreadsheets and processes, compliance tools help automate loads of tasks.

For example, the software monitors whether team members have 2FA turned on, whether they have antivirus software on their computers, whether they’ve accepted policies each year, completed onboarding, and done their annual security training. It also makes sure we have firewalls turned on and encryption enabled on our resources, and it helps with offboarding too.

If we didn’t use software for this, we’d need to have someone on the team invent a way to automate these tasks, or do a multitude of checks every month or week.

Off the shelf processes

Instead of creating a process from scratch, we had everything ready for us. 

The software told us exactly what information to upload and enter for the auditors to review. This was a great shortcut. We didn’t have to wait for our auditor to ask for things, and we didn’t need to worry about how we’d provide the information to them or where it would go.

And thanks to the tool, we had policy templates to start with and modify, like Code of Conduct, Asset Management, and Responsible Disclosure. Had we created those from scratch, it would have taken us weeks of additional work, and we could have missed processes that we should have implemented to make ourselves more secure.

Repeatability

Thanks to the software, our second SOC 2 audit and future audits will be so much easier. 

We’ve already got everything set up and ready to go. The automations are all connected, the monitoring is happening, policies are completed, and the auditors know where to look for our information. It should be a breeze to get the auditors the evidence they need from now on.

It’s less stress and fewer daily tasks to manage.

One of the most time-consuming parts of our SOC 2 is something software doesn’t help us with, though. It’s figuring out where it all fits in the existing business. 

Being able to map the way a business works when it’s dynamically changing like a startup is really difficult. But at least we have software to help make our compliance efforts easier and more seamless.

In future emails, I’ll dive into more details about how we transitioned to a security conscious company.

If you’ve got any questions or thoughts, please reply and let me know!

Take care,

Hiten

P.S. To get up to speed on SOC 2 compliance, we made a quick beginner’s guide, it’s right here.
Copyright © 2021 Up Advisors, LLC., All rights reserved.